Spartak - Fotolia

'Keypocalypse' another barrier to encryption systems

Encryption deployment can reduce the impact of a security breach. But the complexity of key management prevents some companies from wider adoption.

This article can also be found in the Premium Editorial Download: Information Security magazine: Application security policy after Heartbleed:

In 2008, criminals stole part of the source code for Nokia's mobile operating system, Symbian, including an encryption key that the phones used to make sure any software update was legitimate before allowing it to install. Nokia reportedly paid several million euros to the criminals for promises to not release the key, at a time when the mobile operating system dominated the global mobile market and was used by multiple device manufacturers.

The blackmail case, which recently came to light in Finland, is still under investigation. The Windows Phone OS became Nokia's primary smartphone software in 2011, and in April of this year, Microsoft acquired the Nokia Devices and Services business.

While most enterprises do not depend on a single encryption key, many do rely on a single store of keys to ease the management of their encryption infrastructure. Attackers increasingly target these key stores and servers, according to experts. Yet many companies do not know how their keys are being managed.

"Proper key management is really important," said Bob West, chief trust officer for encryption service CipherCloud, and a former chief information security officer (CISO) in the financial industry. "I did a project at one former employer, and 40% of the SSH keys were exposed to the Internet."

I did a project at one former employer, and 40% of the SSH keys were exposed to the Internet.
Bob Westchief trust officer, CipherCloud

Employees who have unfettered access to valuable keys are another worry. Terry Childs, the San Francisco computer technician who locked the city out of its own payroll and law enforcement systems, had "the trump card," in the words of his boss, to access City Hall's systems and could have brought down the FiberWAN network. While Childs received a four-year sentence in 2010, the situation was as much the fault of the city of San Francisco's IT department, which failed to recognize the dangers of not separating key management -- in this case, passwords -- and access to the data. (See Figure 1, below.)

Key management deployment models
Key management deployment models

Deployment still lags

Despite the problems of lost keys, single points of failure and rogue insiders, the threat of having unencrypted data stolen is a much bigger risk, according to Pete Nicoletti, CISO of cloud infrastructure provider Virtustream. "You should be worried about getting encryption in place, and then make sure you have the ability to manage it securely."

Bob West Bob West

Yet while most of Virtustream's customers require the five-year-old cloud provider to encrypt their data, encryption technology to many clients is nothing more than checking off a compliance box. "Encryption should be considered a mandatory best practice, but a lot of customers are considering it a nice-to-have -- they prioritize a lot of other things before encryption," he said.

Companies should avoid viewing encryption as a cure-all, but many organizations could ratchet up their data protection by deploying these systems more widely. Virtustream has deployed encryption to isolate and protect clients' data, to restrict its own employees from accessing the data, and to make it much less likely that attackers can steal the information. "With encrypted data, if it is stolen, companies can focus on what they did wrong," Nicoletti said, rather than scramble to respond to a massive leak.

Pete NicolettiPete Nicoletti

The problem for companies looking to add more depth to their defenses is that encryption makes everything more complex. As such, few companies have widely deployed the data protection. Only 30% of the 4,802 business and IT managers surveyed by the Ponemon Institute in a 2013 Global Encryption Trends Study reported that their organizations "extensively used" encryption technologies.

That's despite the benefit of encryption technologies when data is exposed. According to a Q2 Breach Level Index, published in July by SafeNet, only 10 of the 237 reported breaches worldwide (based on public sources) had encrypted data. Of those reported incidents, which represented 175 million data records, only two -- less than 1% -- were considered "secure breaches" that protected compromised data with encryption, key management and authentication, making it extremely unlikely that thieves could have accessed the information, according to the data protection company's research.

"There is only a small percentage of companies that do this well," said Jon Oltsik, senior research analyst at Enterprise Strategy Group. "And the rest of them are doing it tactically, and only with a lot of kicking and screaming."

Communications encryption has become standard for most enterprises. Yet insecure communications still exist, especially with newer mobile devices. Of 2,100 mobile applications tested in October and November 2013 by HP Security Research from a sampling of 600 Global 2000 companies, 18% did not use secure HTTP for sensitive operations, such as logging in, and another 18% incorrectly implemented HTTPS or SSL.

And communications encryption is the easy part. Encrypting stored data -- commonly referred to as "data at rest" -- involves the complex tasks of distributing keys, classifying data and ensuring that the endpoints' applications can read the information. Usually, encrypting stored data focuses on four areas: laptops, smartphones and tablets, internally managed databases, and data storage in the cloud.

Data diaspora

Because laptops so often disappear, every mobile PC should have encryption as a matter of course, according to Erik Heidt, research director for Gartner for Technical Professionals, security and risk management strategies group. "It is not 1999 anymore," said Heidt. "There is no reason not to be encrypting laptops, or for that [matter], mobile devices." Organizations that fail to encrypt the hard drives of laptops are out there, according to Heidt, "but if you are not doing it, you are definitely a laggard."

Many companies apparently fail to take these basic precautions. Only 30% of stolen laptops had encrypted hard drives, according to a benchmark 2010 Ponemon report, "The Billion Dollar Lost Laptop Problem," based on survey data from 329 U.S. companies. (The research, sponsored by Intel Corp., exclusively studied the costs associated with missing laptops.) The surveyed companies during the previous 12 months had lost 263 laptops on average, each with an estimated value of $49,246 -- breached data represented 80% of that value. Devices with sensitive or confidential data were more likely to have encrypted hard drives, according to the findings, and most likely to be stolen.

Erik HeidtErik Heidt

Compared to laptops, encryption on mobile devices is more difficult, according to Heidt, requiring not only the encryption of the data storage, but data loss protection technologies and, potentially, containerization. "You have to support far more technology -- multiple devices, different operating systems on those devices," he said, "so it really blows up in terms of complexity."

Local databases are another common focus of encryption efforts, after encrypted backups and virtual private networks, according to Ponemon research. As data stores move into the cloud, it becomes even more complex. A number of companies, such as CipherCloud, offer technologies that encrypt data before it goes into the cloud and have created techniques for allowing the data to be searched and processed, even after encryption.

With companies collecting more data and more of the information dispersed among mobile users or in the cloud, businesses need to take a measured approach to deploying encryption in a data-rich environment.

"For an enterprise today, a lot of the disruption happening in the market is due to cloud, mobile and big data -- that's affecting their data-protection strategies," said Derek Tumulak, vice president of product management at encryption provider Vormetric. "The wrong approach can prevent you from realizing many of the benefits from those trends."

From policy to process

A common approach to protecting data in the enterprise is to take stock of the business's data, understand the threats to that data and create a policy. Companies also need to know what devices and applications can be trusted and how policy can be enforced among disparate mobile devices and in the cloud, said Kevin Bocek, vice president of security strategy for Venafi, a key-management provider.

"It all starts with knowing what you've got," Bocek said. "Most organizations we work with don't know how many keys they have, where they are using encryption, and what applications and devices are really trusted."

Companies should pay particular attention to key management, which is arguably the most important part of an encryption system, especially as organizations encrypt more data and the infrastructure rapidly becomes more complex. "You find yourselves needing to encrypt more," said Tsion Gonen, SafeNet's chief strategy officer, "[and] you are going to find yourselves with a gazillion keys running around and no central point of management." Some enterprises currently deal with encryption keys generated by as many as 15 systems. (See Figure 2, below.)

Key management strategy drivers
Key management strategy drivers

Vendors are trying to solve the key management problem, but interoperability between encryption systems is still lacking. The OASIS Key Management Interoperability Protocol (KMIP) for streamlining and standardizing communications between encryption products could solve that issue in the future. In February, 11 encryption and software vendors -- Dell, IBM, Oracle, SafeNet, Thales e-Security and Vormetric, among others -- demonstrated their products working together, but more support is necessary.

The need for the technology is undeniable, said Vormetric's Tumulak. "A lot of organizations don't want to have islands of encryption, where you have five different vendors and five different solutions out there," he said. "If you can reduce the number of vendors from 10 to two -- that can really help your process."

Bringing more standardization to the encryption products is necessary, but even with that major development, encryption will not be a panacea, experts caution. Even properly implemented encryption means little if an attacker gets onto someone's machine or an employee goes rogue. And in some cases, encryption can enable an attacker, especially if secure communications channels inhibit a business's visibility into what is happening on its network.

Encryption everywhere

The fall of the enterprise network perimeter has made the future of encryption more certain. With data moving out to the cloud and on mobile devices, encryption is not only good for security, but necessary for the future of business, said Gartner's Heidt.

Encryption will actually create more business opportunities for cloud providers, not only assuaging worries that some third party -- whether a foreign government or malicious hacker -- will get access to the data, but also gracefully handling sticky problems, such as how a cloud provider can prove that data has been deleted.

"Deleting a file on your hard drive, does not mean that it is not there -- from a forensics perspective -- and deleting a file in the cloud is even more of a problem, since you don't control the hardware," Heidt said.

If, instead, the company holds the key to that data, then it can delete its own key and the business is assured that the data is no longer accessible.

As data moves outside the company firewall, more businesses are looking to encrypt the data and continue to determine policy for the information. Yet it is not a standalone solution, and businesses need to create policies that incorporate encryption, not just rely on it, said Sandy Carielli, director of data protection at security firm RSA.

"Encryption is part of a strong defense-in-depth strategy," she said. "You can't just do encryption, you can't just do better coding practices -- you have to do a variety of tactics."

About the author:
Robert Lemos is an award-winning technology journalist, who has reported on computer security and cybercrime for nearly 17 years. He currently writes for several publications focused on information security issues. Follow him on Twitter @roblemos.

Send comments on this article to feedback@infosecuritymag.com.

This was last published in September 2014

Dig Deeper on Disk Encryption and File Encryption

PRO+

Content

Find more PRO+ content and other member only offers, here.

Start the conversation

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close