Does Encryption Help Prevent Data Breaches?
The media headlines demonstrate every week that fine companies with well-funded cyber security operations are now regularly losing valuable sensitive information. “Encrypting” data has often been heralded as the panacea for protecting against these data loss scenarios. But is this really your greatest asset in the war against cyber crime?
When you lose something in the physical world, like your smartphone, you incur the cost and inconvenience of replacing it. However, if an attacker takes your data, nothing goes physically missing. If you could somehow render the stolen data useless, the problem would go away.
How Does Encryption Work?
For hundreds of years, mankind has been able to make data secure by applying cryptographic codes only known to those with the “Key” to read the contents. In the computer age, this has been the territory of geeks – technically challenging, expensive, and requiring special know-how. Few companies have found an affordable and easy-to-use way of encrypting data end-to-end. Effective encryption appears to be an elusive proposition.
There are several types of encryption, but they all apply a mathematical algorithm and a secret “key” to the data. Encryption is analogous to locking data in a secure safe. With modern encryption methods, decrypting data without the key (breaking into the safe) is very unlikely. It would take thousands of computer-years to brute force the encryption algorithms (pick the lock).
Encryption is not free. There is a cost to encrypt and decrypt the data. There is the cost of securing and managing the keys. There is the inevitable cost of replacing lost or compromised keys. Managing keys and access to information by authorized users is also very labor intensive. Encrypting data makes everything about working with the data more difficult, for both the bad guys and the good guys!
The implications for recent data breaches
Sony and others might have avoided the damage from leaked emails, spreadsheets, credit cards, and medical information had the data been encrypted. Encryption does not stop access to the information. The attackers would still have the stolen data files, but encryption would have rendered that stolen data unusable without the “key” to decrypt it.
Encryption is necessary but not sufficient
Encryption is an important tool in protecting information assets. However, encryption by itself does not go far enough. Encryption reduces the risk of data breaches by outsiders, but it does not deal with other important risks including insider threat, supply chain/data sharing, mobile/remote cloud computing, coordination with existing infrastructure, or appropriate data retention and security policies.
The Solution -- Digital Rights Management (DRM)
DRM has its origins in the era of illegal file-sharing (e.g. Napster) of music and movies. The media industry worked with IT companies like Microsoft to protect the copyright of their digital intellectual property, by using encryption and an associated ecosystem of key management, metadata and watermarking. Numerous proprietary solutions emerged, and of course, they didn’t interoperate.
For businesses today, the common factor is Microsoft Active Directory – in the Enterprise or in the Cloud. Microsoft’s Rights Management Service (RMS) is bundled with Active Directory. This allows businesses to interoperate in a secure environment, and when an attacker steals your data, it is rendered unreadable for all practical purposes. Products like Watchful Software’s RightsWATCH work with AD RMS, augmenting its effectiveness and making it easier both to use and to administer. A key concept is the addition of automatic classification of data whenever it is saved by an end-user, so that only the sensitive data incurs the additional overhead of encryption.
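The classify-on-save idea described above, sketched as an added example (this is not RightsWATCH or AD RMS code). The keyword list, the `save` function and the `protect` hook are assumptions made for illustration; `protect` stands in for whatever rights-management encryption the caller applies.

```python
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Constructed keyword list standing in for a real classification policy.
MEDICAL_TERMS = ("diagnosis", "patient id", "prescription")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: discards digit runs that cannot be payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> str:
    """Return 'confidential' if the text holds card or medical data, else 'public'."""
    for match in CARD_RE.finditer(text):
        if luhn_valid(re.sub(r"[ -]", "", match.group())):
            return "confidential"
    lowered = text.lower()
    if any(term in lowered for term in MEDICAL_TERMS):
        return "confidential"
    return "public"


def save(name: str, text: str, protect, store: dict) -> str:
    """Classify on save; only confidential content pays the cost of protect()."""
    label = classify(text)
    store[name] = protect(text) if label == "confidential" else text
    return label


if __name__ == "__main__":
    # Constructed sample documents; the card number is a well-known test value.
    docs = {
        "invoice.txt": "Card 4111 1111 1111 1111 exp 12/27",
        "shipping.txt": "Order ref 1234 5678 9012 3456 shipped",
        "menu.txt": "Lunch menu for Friday",
    }
    store = {}
    for name, body in docs.items():
        # Hypothetical hook: a real deployment would call its encryption here.
        print(name, save(name, body, lambda t: "<protected>", store))
```

The Luhn check keeps the 16-digit order reference from being treated as a card number, so that document is stored without the encryption overhead.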
So what’s the bottom line?
Encryption would have certainly saved Sony, Anthem, Target, Home Depot etc. a lot of embarrassment and negative publicity. But they didn’t routinely encrypt their data because traditional tools are difficult to implement, costly to administer and compromise the features of some of their other digital security controls. A new breed of Digital Rights Management tool is now available to overcome these disadvantages. As these gradually get adopted by businesses, we should see a progressive reduction in this sort of compromise by the bad guys.
Integrated Cyber can help you with an independent view based on years of experience, not on the software in our stack. Contact us today to discuss your options.