Data-Centric Security 2
CONTENTS
Data-Centric Security, p. 3
Data Leak Prevention, p. 5
Encryption, p. 7
Strengths of encryption, p. 7
Weaknesses of encryption, p. 8
Approaches to encryption, p. 8
Homomorphic Encryption, p. 9
© 2014 Wisegate. All Rights Reserved. All information in this document is the property of Wisegate.
This publication may not be reproduced or distributed in any form without Wisegate's prior written
permission. There’s a good chance we’ll let you use it, but still: it’s nice to ask first.
Using Information Protection and Control (IPC) Tools to Protect the Data 3
In June of 2014, Wisegate conducted a member-driven research initiative designed to
assess the current state of security risks and controls in business today. Assessing IT
Security Risks addresses many of the top takeaways from that survey. This current
document is the third in a new series of reports designed to look more closely at four
specific issues highlighted by that survey.
» Metrics and reporting
» Malware and data breaches
» Data-centric security
» Automation and orchestration
Data-Centric Security
More than 100 CISOs indicated that they considered malware and breaches of sensitive
data to be the primary security risks/threats, followed by the malicious outsider. See Figure
1 below specifically, and the Malware and Data Breaches report in general for more details.
When subsequently asked to specify which of a series of infrastructure controls they would
give top priority during the next 3 to 5 years (see Figure 2), there was a clear preference
among the CISOs for what can be described as data-centric controls over physical device
controls.
Figure 1. Survey Question: What are your top three security risks?
Source: Wisegate June 2014
Figure 2. Survey Question: Which of these Infrastructure controls will be a top
priority to you in the next 3-5 years (multiple selections allowed).
Source: Wisegate, June 2014
The most popular response to this question was DLP-style controls followed by application
firewalls followed by encryption. “When we asked folks about the various types of controls
they could install to protect their companies from those top three risks,” explains Bill Burns,
lead author of the Assessing IT Security Risks survey, “what we noticed was that given the
choice people were strongly preferring things that protect the data itself rather than
protecting the device or the network or the host.”
There are numerous reasons for this.
Firstly, while traditional security products evolved to protect devices and the
perimeters of trusted networks, the modern IT infrastructure can no longer be so
easily defined. Most specifically, there is no longer a defensible perimeter. This is
the effect of remote working on personal devices coupled with an increasing use of
the cloud for both data storage and software-as-a-service applications.
Secondly, not only is there no specific perimeter to defend, there is also great
difficulty in knowing where the data actually resides, or is currently residing. Copies
of documents might simultaneously exist on multiple remote laptops or tablets; and
the company may not know the geolocation of those devices.
Thirdly, there is increasing acceptance that a persistent targeted attack will
eventually breach the network. The combination of
• Zero-day vulnerabilities (unknown and unpatched)
• New or reworked malware (unknown to the anti-virus engines)
• Susceptibility of almost anyone to eventually fall for sophisticated spear-phishing
combines to ensure that a determined and well-resourced attacker will inevitably get
into the network.
Unable to guarantee the integrity of their devices and networks, CISOs are turning towards
defending the data itself, using the new category of security controls known as information
protection and control (IPC). Broadly speaking (although not exclusively), the protection is
provided by encryption technologies while the control is provided by data leak prevention
(DLP) technologies. Sometimes both are made available in a single IPC product.
Data Leak Prevention
Data leak prevention (DLP) is possibly the best known and most popular sub-category of
IPC products. “DLP in monitor mode,” explains Burns, “is where the control will detect and
alert someone that I have just seen a file containing SSNs leave the protected server and
go out onto the internet—or I saw this sensitive data file containing credit card numbers
leave someone's laptop.” The focus is no longer on locking down access to the device or
application—there is an assumption that data will somehow get out. “The focus is now on
where is the data, where is it going, and who is using it—rather than just locking the door
and assuming that the lock will be sufficient to keep the bad guys outside and the data
inside the house.”
DLP was a hot topic a few years ago. “It got cold because it was too complicated,”
suggested Burns, “and I think there was a lack of governance. Now I think it is getting hot
again because there's more scrutiny from boards of directors, more scrutiny because risk
managers are concerned about supply chain risk, and because people say, ‘Well, I may not
have control over a server or the desktop—I can't lock it down because it's not mine, it's a
third party or a personal device—but if I can get someone, or force someone, to install this
DLP control on their device or funnel them on the network through my device, then I can get
visibility into sensitive data moving around’.”
One of the issues in using DLP is whether to use it in monitor mode or block mode. Monitor
mode simply alerts the security team that something is wrong. Block mode prevents any
further movement of the sensitive data.
The problem with monitor-only mode is that by the time the security team has seen the alert
and closed the door, the horse may have already bolted. Despite this, however, many
companies keep DLP for reporting purposes only. Burns explains, “When you're monitoring,
typically the alerts go to the security team; so they get extra work, but the user doesn't
really see any change. When you put DLP into block mode, that's when you start affecting
workflows, behaviors and business processes.”
The usual sequence is for someone to say, ‘We need to install DLP, we need to track our
sensitive data.’ “That gets you the budget,” says Burns, “but then people realize, wow, this
is a lot of work to configure, and it’s really noisy. A team that doesn't have the wherewithal
or the executive sponsorship may simply stop at reporting.” The original plan was probably
to monitor for a while and get the configuration right, and only then when the tuning is good
to turn on blocking mode. “But they get stuck in reporting mode. We're never going to get
100% accuracy, so at what point are we comfortable? You get into that never-ending
quagmire of when do you leave the monitoring phase.” It takes, he added, “a huge amount
of energy and focus and executive sponsorship to switch from monitor mode to block
mode, because once you start blocking, then you start affecting the users' behaviors.”
The Target breach is a case in point. Its IPC controls (probably not specifically DLP in this
instance) provided the alerts, but the process of handling the alerts was not sufficiently
established. The simple reality is that monitor mode DLP on its own is not an adequate
security control.
“You would never want to deploy DLP as a sole defense,” says Burns. “You would like to
add it to a mix of layered defense to increase the chances of detecting a problem. So for
instance, if you had DLP in monitor mode and it says, ‘This credit card database or file is
trying to leave your secure enclave and is heading out to another network where it shouldn't
be,’ whether it is in monitor or block that should be a sufficient alarm that says, ‘Gosh, I'd
better go look into this.’ You basically want to make the attack as noisy as possible. You
don't want someone to be able to silently come in and steal your data—you want to put
detectors or alerts or monitors in place at a number of checkpoints, including the data
itself.”
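The monitor-versus-block choice discussed above, as an added example that is not part of the Wisegate report: a minimal content-inspection rule set in Python that looks for card numbers and SSNs in outbound messages, applies a Luhn check and SSN structure rules to cut down the noise Burns describes, and returns "alert" in monitor mode (the data still leaves) or "block" in block mode. The message ids and bodies are constructed; the card number is the well-known Visa test number.

```python
import re
from dataclasses import dataclass

# 16 digits with optional single spaces/dashes between them; \b keeps longer digit runs out.
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")
# Classic ddd-dd-dddd layout; structural checks below reject values that are never issued.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def luhn_valid(digits: str) -> bool:
    """Mod-10 check that every real card number passes; filters order/part numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject area 000/666/900+, group 00 and serial 0000, which are never issued."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or int(group) == 0 or int(serial) == 0)


@dataclass
class Finding:
    kind: str        # "credit_card" or "ssn"
    masked: str      # what goes into the alert: never the full value


def find_sensitive(text: str) -> list:
    """Content inspection: return validated findings with the values masked."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            findings.append(Finding("credit_card", "*" * 12 + digits[-4:]))
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            findings.append(Finding("ssn", "***-**-" + m.group(3)))
    return findings


def dlp_decision(text: str, mode: str = "monitor") -> dict:
    """monitor: data still leaves and the security team gets an alert; block: it does not leave."""
    if mode not in ("monitor", "block"):
        raise ValueError("mode must be 'monitor' or 'block'")
    findings = find_sensitive(text)
    if not findings:
        action = "allow"
    elif mode == "block":
        action = "block"
    else:
        action = "alert"
    return {"action": action, "findings": findings}


# Constructed outbound messages (hypothetical ids and bodies, not real data).
OUTBOUND = [
    ("msg-1", "Invoice ref 1234 5678 9012 3456, ship by Friday"),   # fails Luhn: noise, allowed
    ("msg-2", "Card on file: 4111 1111 1111 1111 exp 12/26"),      # passes Luhn: finding
    ("msg-3", "Employee record: SSN 123-45-6789 attached"),        # plausible SSN: finding
    ("msg-4", "Lunch at noon?"),                                   # nothing sensitive
]


def scan_outbound(messages, mode: str = "monitor") -> dict:
    """Run every message through the control and map id -> decision."""
    return {mid: dlp_decision(body, mode) for mid, body in messages}


if __name__ == "__main__":
    for mode in ("monitor", "block"):
        for mid, result in scan_outbound(OUTBOUND, mode).items():
            print(mode, mid, result["action"], [f.masked for f in result["findings"]])
```

Switching the same rule set from "monitor" to "block" changes only the action, which is why tuning for false positives (msg-1) has to happen before blocking is turned on.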
Encryption
The weakness of DLP in monitor mode—and indeed many other security controls—is that
while they alert the security team to a potential problem, they do not in themselves secure
the data. There is, however, one technology that does this with a very high degree of
certainty: encryption. The problem is that encryption currently has limited application, and
is very difficult to get right.
Strengths of encryption
» Secures the data. There are encryption algorithms readily available that are
generally considered to be unbreakable. Although there are several caveats to this
(some algorithms are known to have weaknesses, others have had weaknesses
introduced, and the length of the encryption key is critical), a strong algorithm with
an adequate key length well implemented will theoretically protect the data
forever—wherever it is, and whoever has access to it (provided they don’t also
have access to the encryption keys).
» Compliance. Data that has been encrypted is generally considered to guarantee
regulatory compliance. In some cases, encryption is specifically mandated by the
regulations (such as PCI DSS). In other cases it is not specified by the regulations,
but endorsed by the regulators (for example, the UK’s data protection regulator has
advised that personal data stored in the public cloud will be in compliance with the
Data Protection Act provided that it is encrypted; but that it probably is not in
compliance if the encryption keys are stored with the same cloud provider). This
leads us to the first major weakness in the use of encryption: key management.
Weaknesses of encryption
» Key management. “The real problem with encryption is key management,”
explains Burns: “managing all of the decryption keys and making sure that the right
people and only the right people have keys, and that they are renewed when they
expire... that’s really hard. It's much harder than managing the encryption.”
Encryption works if the implementation is sound and all of the right people, and only
the right people, have the keys. If the bad people have encrypted data but no keys,
they don’t have the data. But if they do have the keys, they also have the data.
» Inability to search data. The biggest practical problem in the use of encryption is
that it makes it very difficult to perform operations on that data. Even a simple
search operation is difficult because the encrypted target bears no relation to the
unencrypted search term. Fixed or permanent data that doesn’t need to be
processed (such as archived material) can be encrypted and stored; dynamic
application data cannot.
Approaches to encryption
Economic realities are driving companies to the cloud. “The cost of running a server and
storing data and operating an application is considerable,” explains Burns: “hence the
movement to cloud SaaS applications. So companies are giving away control of their
infrastructure; they're turning the capital expense into operating expense and making it
consumption-based—which is all good.”
But compliance is also driving companies towards encryption. “Now we're trying to figure
out, how do I encrypt that data so that someone that I sort of trust, but not completely (the
SaaS application administrators) can have access to the system without having access to
my data?” The solution is to encrypt the data. “If it is extremely sensitive and valuable to the
company, we will encrypt that data and make it completely unusable to the SaaS provider.
We will make it hard for even ourselves to use that data because we understand that it is
extremely valuable and sensitive. If it's not valuable at all, we won't encrypt it. That's the two
ends of the spectrum.”
So one of the main problems with encryption is finding the correctly balanced position
based on the risk appetite for the data in question. Fundamental to this is keeping the keys
and data separately located.
» Third party services. “Somewhere in the middle we may say, we will encrypt the
data but we will encrypt it by way of an appliance or a third party application that
sits between us and the cloud. Now there will be something in the middle that's
going to encrypt our data. We will trust this third party to manage the keys—think of
a proxy server for instance that is sitting between us and the cloud storage. When
we go through that proxy server it finds our sensitive data and encrypts it on the fly
on its way to the cloud. In that case what we’ve done is we’ve moved the risk of key
exposure away from the SaaS and on to the third party. If someone really wants to
break in and have access to our data they'd have to break into the SaaS to steal the
data and then break into the third party to steal the keys. So it raises the cost of the
attack.”
» In-house key storage. “If we’re really paranoid,” suggests Burns, “we might
entrust the third party to manage the encryption, but keep the key management
in-house,” perhaps within a dedicated hardware security module (HSM). None of this
completely eliminates the threat, but it makes it more expensive for the bad guys to
be successful. “That,” adds Burns, “is the real goal of a lot of security controls—
trying to degrade the attackers’ ability, or make the cost so high they go someplace
else.”
Homomorphic Encryption
Neither of these approaches solves the basic problem—we cannot manipulate encrypted
data. “Let's say we store our encrypted data at Salesforce. Right now, if it's encrypted,
Salesforce cannot search the data, they cannot manipulate the data, applications can't do
anything with the data—because it's encrypted. To do so they would need the decryption
key.” Here’s the dilemma. “If the goal is to not give Salesforce the decryption keys, then
Salesforce is not really very useful. But if I do give Salesforce the keys, then I have
weakened my ability to protect my data.”
There is, however, an evolving technology that shows promise: homomorphic encryption. It
offers the possibility of searching a database without having to decrypt it. It has been a
theoretical possibility for many years, but the problems involved have not yet been fully
solved. In 2011, MIT Technology Review [1] noted,
With homomorphic encryption, a company could encrypt its entire database of e-mails
and upload it to a cloud. Then it could use the cloud-stored data as desired—for
example, to search the database to understand how its workers collaborate. The
results would be downloaded and decrypted without ever exposing the details of a
single e-mail.
[1] Homomorphic Encryption, MIT Technology Review: http://www2.technologyreview.com/article/423683/homomorphic-encryption/
But in December 2013, Bob Gourley wrote for CTOvision [2]:
I have seen nothing in any of the research that makes me think a solution can be
put in place that cannot be defeated by bad guys. And if that can’t be done then
the solution will not solve any problems, it will just add processing overhead. So in
the end I remain a skeptic regarding any claims of a working fully homomorphic
solution.
“The problem,” says Burns, “is that it is extremely slow. But it does show promise.”
[2] IBM Claims Advances In Fully Homomorphic Encryption (and I’m claiming advances in an anti-gravity device), CTOvision.com: https://ctovision.com/2013/12/ibm-claims-advances-fully-homomorphic-encryption-im-claiming-advances-anti-gravity-device/
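The computation-on-ciphertext idea in this section, and the earlier point under "Weaknesses of encryption" that encrypted data cannot be searched, as an added example that is not from the report: a toy Paillier key pair (a real additively homomorphic scheme, not the fully homomorphic schemes the quoted articles debate) lets an untrusted store total an encrypted payroll column without the private key, while two encryptions of the same value look unrelated, so the store cannot match or search ciphertexts by equality. The primes and payroll figures are constructed and far too small for real use; `pow(x, -1, n)` needs Python 3.8 or later.

```python
import math
import secrets
from dataclasses import dataclass
from functools import reduce


@dataclass(frozen=True)
class PublicKey:
    n: int            # modulus; ciphertexts live in Z*_{n^2}


@dataclass(frozen=True)
class PrivateKey:
    n: int
    lam: int          # lcm(p-1, q-1)
    mu: int           # lam^-1 mod n (valid because the generator is g = n + 1)


def keygen(p: int, q: int):
    """Paillier key pair from two distinct primes (toy sizes in this example)."""
    n = p * q
    if p == q or math.gcd(n, (p - 1) * (q - 1)) != 1:
        raise ValueError("primes must be distinct with gcd(pq, (p-1)(q-1)) == 1")
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    mu = pow(lam, -1, n)                      # modular inverse
    return PublicKey(n), PrivateKey(n, lam, mu)


def encrypt(pub: PublicKey, m: int) -> int:
    """c = (1 + m*n) * r^n mod n^2; a fresh random r makes every ciphertext distinct."""
    if not 0 <= m < pub.n:
        raise ValueError("message must be in [0, n)")
    n2 = pub.n * pub.n
    while True:
        r = secrets.randbelow(pub.n - 1) + 1  # 1 <= r < n
        if math.gcd(r, pub.n) == 1:
            break
    return (1 + m * pub.n) * pow(r, pub.n, n2) % n2


def decrypt(priv: PrivateKey, c: int) -> int:
    """Only the key holder can do this; the store never sees a plaintext."""
    n2 = priv.n * priv.n
    u = pow(c, priv.lam, n2)                  # u == 1 + m*lam*n (mod n^2)
    return ((u - 1) // priv.n) * priv.mu % priv.n


# --- operations the untrusted store can perform with the public key only ---

def add_encrypted(pub: PublicKey, c1: int, c2: int) -> int:
    """E(a) * E(b) mod n^2 == E(a + b mod n)."""
    return c1 * c2 % (pub.n * pub.n)


def scale_encrypted(pub: PublicKey, c: int, k: int) -> int:
    """E(a)^k mod n^2 == E(k * a mod n)."""
    return pow(c, k, pub.n * pub.n)


def cloud_total(pub: PublicKey, ciphertexts) -> int:
    """Store side: total the encrypted column without ever seeing a value."""
    # The integer 1 is E(0) with r = 1, so it is a valid identity element.
    return reduce(lambda acc, c: add_encrypted(pub, acc, c), ciphertexts, 1)


# Constructed payroll rows (hypothetical names and figures, not real data).
PAYROLL = {"alice": 5000, "bob": 7000, "carol": 6500}


def run_demo(p: int = 104729, q: int = 104723):
    """Returns (decrypted total, plaintext total, whether equal values look different)."""
    pub, priv = keygen(p, q)
    uploaded = {name: encrypt(pub, salary) for name, salary in PAYROLL.items()}
    total_ct = cloud_total(pub, uploaded.values())   # computed by the untrusted side
    total = decrypt(priv, total_ct)                   # only the key holder learns the sum
    # Same plaintext as alice's, encrypted again: the store cannot link or search it.
    unlinkable = encrypt(pub, 5000) != uploaded["alice"]
    return total, sum(PAYROLL.values()), unlinkable


if __name__ == "__main__":
    print(run_demo())
```

Addition and scaling are the only operations available; a general query such as "find every row with salary over 6000" is exactly what this partial scheme cannot do and what the fully homomorphic proposals debated above aim at.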
PHONE 512.763.0555
EMAIL info@wisegateit.com
www.wisegateit.com
Would you like to join us? Go to wisegateit.com/request-invite/ to learn more and to
submit your request for membership.
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 

Data-centric Security: Using Information Protection and Control (IPC) Tools to Protect the Data

Data-Centric Security 2

CONTENTS

Data-Centric Security ..... 3
Data Leak Prevention ..... 5
Encryption ..... 7
Strengths of encryption ..... 7
Weaknesses of encryption ..... 8
Approaches to encryption ..... 8
Homomorphic Encryption ..... 9

© 2014 Wisegate. All Rights Reserved. All information in this document is the property of Wisegate. This publication may not be reproduced or distributed in any form without Wisegate's prior written permission. There’s a good chance we’ll let you use it, but still: it’s nice to ask first.

In June of 2014, Wisegate conducted a member-driven research initiative designed to assess the current state of security risks and controls in business today. Assessing IT Security Risks addresses many of the top takeaways from that survey. This current document is the third in a new series of reports designed to look more closely at four specific issues highlighted by that survey:

» Metrics and reporting
» Malware and data breaches
» Data-centric security
» Automation and orchestration

Data-Centric Security

More than 100 CISOs indicated that they considered malware and breaches of sensitive data to be the primary security risks/threats, followed by the malicious outsider. See Figure 1 below specifically, and the Malware and Data Breaches report in general for more details. When subsequently asked to specify which of a series of infrastructure controls they would give top priority during the next 3 to 5 years (see Figure 2), there was a clear preference among the CISOs for what can be described as data-centric controls over physical device controls.

Figure 1. Survey Question: What are your top three security risks? Source: Wisegate, June 2014

Figure 2. Survey Question: Which of these infrastructure controls will be a top priority to you in the next 3-5 years (multiple selections allowed)? Source: Wisegate, June 2014
The most popular response to this question was DLP-style controls, followed by application firewalls, followed by encryption. “When we asked folks about the various types of controls they could install to protect their companies from those top three risks,” explains Bill Burns, lead author of the Assessing IT Security Risks survey, “what we noticed was that given the choice people were strongly preferring things that protect the data itself rather than protecting the device or the network or the host.”

There are numerous reasons for this. Firstly, while traditional security products evolved to protect devices and the perimeters of trusted networks, the modern IT infrastructure can no longer be so easily defined. Most specifically, there is no longer a defensible perimeter, an effect of remote working on personal devices coupled with increasing use of the cloud for both data storage and software-as-a-service applications.

Secondly, not only is there no specific perimeter to defend, there is also great difficulty in knowing where the data actually resides, or is currently residing. Copies of documents might simultaneously exist on multiple remote laptops or tablets, and the company may not know the geolocation of those devices.

Thirdly, there is increasing acceptance that a persistent targeted attack will eventually breach the network. The combination of

• Zero-day vulnerabilities (unknown and unpatched)
• New or reworked malware (unknown to the anti-virus engines)
• Susceptibility of almost anyone to eventually fall for sophisticated spear-phishing

ensures that a determined and well-resourced attacker will inevitably get into the network. Unable to guarantee the integrity of their devices and networks, CISOs are turning towards defending the data itself, using the new category of security controls known as information protection and control (IPC).

Broadly speaking (although not exclusively), the protection is provided by encryption technologies while the control is provided by data leak prevention (DLP) technologies. Sometimes both are made available in a single IPC product.

Data Leak Prevention

Data leak prevention (DLP) is possibly the best known and most popular sub-category of IPC products. “DLP in monitor mode,” explains Burns, “is where the control will detect and alert someone that I have just seen a file containing SSNs leave the protected server and go out onto the internet—or I saw this sensitive data file containing credit card numbers leave someone's laptop.” The focus is no longer on locking down access to the device or application—there is an assumption that data will somehow get out. “The focus is now on where is the data, where is it going, and who is using it—rather than just locking the door and assuming that the lock will be sufficient to keep the bad guys outside and the data inside the house.”

DLP was a hot topic a few years ago. “It got cold because it was too complicated,” suggested Burns, “and I think there was a lack of governance. Now I think it is getting hot again because there's more scrutiny from boards of directors, more scrutiny because risk managers are concerned about supply chain risk, and because people say, ‘Well, I may not have control over a server or the desktop—I can't lock it down because it's not mine, it's a third party or a personal device—but if I can get someone, or force someone, to install this DLP control on their device or funnel them on the network through my device, then I can get visibility into sensitive data moving around’.”

One of the issues in using DLP is whether to use it in monitor mode or block mode. Monitor mode simply alerts the security team that something is wrong. Block mode prevents any further movement of the sensitive data. The problem with monitor-only mode is that by the time the security team has seen the alert and closed the door, the horse may have already bolted. Despite this, however, many companies keep DLP for reporting purposes only. Burns explains, “When you're monitoring, typically the alerts go to the security team; so they get extra work, but the user doesn't really see any change. When you put DLP into block mode, that's when you start affecting workflows, behaviors and business processes.”

The usual sequence is for someone to say, ‘We need to install DLP, we need to track our sensitive data.’ “That gets you the budget,” says Burns, “but then people realize, wow, this is a lot of work to configure, and it’s really noisy. A team that doesn't have the wherewithal or the executive sponsorship may simply stop at reporting.” The original plan was probably to monitor for a while and get the configuration right, and only then, when the tuning is good, to turn on blocking mode. “But they get stuck in reporting mode. We're never going to get 100% accuracy, so at what point are we comfortable? You get into that never-ending quagmire of when do you leave the monitoring phase.” It takes, he added, “a huge amount of energy and focus and executive sponsorship to switch from monitor mode to block mode, because once you start blocking, then you start affecting the users' behaviors.”

The Target breach is a case in point. Its IPC controls (probably not specifically DLP in this instance) provided the alerts, but the process of handling the alerts was not sufficiently established. The simple reality is that monitor mode DLP on its own is not an adequate security control. “You would never want to deploy DLP as a sole defense,” says Burns. “You would like to add it to a mix of layered defense to increase the chances of detecting a problem. So for instance, if you had DLP in monitor mode and it says, ‘This credit card database or file is trying to leave your secure enclave and is heading out to another network where it shouldn't be,’ whether it is in monitor or block that should be a sufficient alarm that says, ‘Gosh, I'd better go look into this.’ You basically want to make the attack as noisy as possible. You don't want someone to be able to silently come in and steal your data—you want to put detectors or alerts or monitors in place at a number of checkpoints, including the data itself.”

Encryption

The weakness of DLP in monitor mode—and indeed of many other security controls—is that while they alert the security team to a potential problem, they do not in themselves secure the data. There is, however, one technology that does this with a very high degree of certainty: encryption. The problem is that encryption currently has limited application, and is very difficult to get right.

Strengths of encryption

» Secures the data. There are encryption algorithms readily available that are generally considered to be unbreakable. Although there are several caveats to this (some algorithms are known to have weaknesses, others have had weaknesses introduced, and the length of the encryption key is critical), a strong algorithm with an adequate key length, well implemented, will theoretically protect the data forever—wherever it is, and whoever has access to it (provided they don’t also have access to the encryption keys).

» Compliance. Data that has been encrypted is generally considered to guarantee regulatory compliance. In some cases, encryption is specifically mandated by the regulations (such as PCI DSS). In other cases it is not specified by the regulations, but endorsed by the regulators (for example, the UK’s data protection regulator has advised that personal data stored in the public cloud will be in compliance with the Data Protection Act provided that it is encrypted, but that it probably is not in compliance if the encryption keys are stored with the same cloud provider). This leads us to the first major weakness in the use of encryption: key management.
Weaknesses of encryption

» Key management. “The real problem with encryption is key management,” explains Burns: “managing all of the decryption keys and making sure that the right people and only the right people have keys, and that they are renewed when they expire... that’s really hard. It's much harder than managing the encryption.” Encryption works if the implementation is sound and all, but only, the right people have the keys. If the bad people have encrypted data but no keys, they don’t have the data. But if they do have the keys, they also have the data.

» Inability to search data. The biggest practical problem in the use of encryption is that it makes it very difficult to perform operations on that data. Even a simple search operation is difficult because the encrypted target bears no relation to the unencrypted search term. Fixed or permanent data that doesn’t need to be processed (such as archived material) can be encrypted and stored; dynamic application data cannot.

Approaches to encryption

Economic realities are driving companies to the cloud. “The cost of running a server and storing data and operating an application is considerable,” explains Burns: “hence the movement to cloud SaaS applications. So companies are giving away control of their infrastructure; they're turning the capital expense into operating expense and making it consumption-based—which is all good.” But compliance is also driving companies towards encryption. “Now we're trying to figure out, how do I encrypt that data so that someone that I sort of trust, but not completely (the SaaS application administrators) can have access to the system without having access to my data?”

The solution is to encrypt the data. “If it is extremely sensitive and valuable to the company, we will encrypt that data and make it completely unusable to the SaaS provider. We will make it hard for even ourselves to use that data because we understand that it is extremely valuable and sensitive. If it's not valuable at all, we won't encrypt it. That's the two ends of the spectrum.” So one of the main problems with encryption is finding the correctly balanced position based on the risk appetite for the data in question. Fundamental to this is keeping the keys and data separately located.

» Third party services. “Somewhere in the middle we may say, we will encrypt the data but we will encrypt it by way of an appliance or a third party application that sits between us and the cloud. Now there will be something in the middle that's going to encrypt our data. We will trust this third party to manage the keys—think of a proxy server for instance that is sitting between us and the cloud storage. When we go through that proxy server it finds our sensitive data and encrypts it on the fly on its way to the cloud. In that case what we’ve done is we’ve moved the risk of key exposure away from the SaaS and on to the third party. If someone really wants to break in and have access to our data they'd have to break into the SaaS to steal the data and then break into the third party to steal the keys. So it raises the cost of the attack.”

» In-house key storage. “If we’re really paranoid,” suggests Burns, “we might entrust the third party to manage the encryption, but keep the key management in-house,” perhaps within a dedicated hardware security module (HSM).

None of this completely eliminates the threat, but it makes it more expensive for the bad guys to be successful. “That,” adds Burns, “is the real goal of a lot of security controls—trying to degrade the attackers’ ability, or make the cost so high they go someplace else.”

Homomorphic Encryption

Neither of these approaches solves the basic problem—we cannot manipulate encrypted data. “Let's say we store our encrypted data at Salesforce. Right now, if it's encrypted, Salesforce cannot search the data, they cannot manipulate the data, applications can't do anything with the data—because it's encrypted. To do so they would need the decryption key.” Here’s the dilemma. “If the goal is to not give Salesforce the decryption keys, then Salesforce is not really very useful. But if I do give Salesforce the keys, then I have weakened my ability to protect my data.”

There is, however, an evolving technology that shows promise: homomorphic encryption. It offers the possibility of searching a database without having to decrypt it. It has been a theoretical possibility for many years, but the problems involved have not yet been fully solved. In 2011, MIT Technology Review [1] noted:

With homomorphic encryption, a company could encrypt its entire database of e-mails and upload it to a cloud. Then it could use the cloud-stored data as desired—for example, to search the database to understand how its workers collaborate. The results would be downloaded and decrypted without ever exposing the details of a single e-mail.

But in December 2013, Bob Gourley wrote for CTOvision [2]:

I have seen nothing in any of the research that makes me think a solution can be put in place that cannot be defeated by bad guys. And if that can’t be done then the solution will not solve any problems, it will just add processing overhead. So in the end I remain a skeptic regarding any claims of a working fully homomorphic solution.

“The problem,” says Burns, “is that it is extremely slow. But it does show promise.”

[1] Homomorphic Encryption, MIT Technology Review: http://www2.technologyreview.com/article/423683/homomorphic-encryption/
[2] IBM Claims Advances In Fully Homomorphic Encryption (and I’m claiming advances in an anti-gravity device), CTOvision.com: https://ctovision.com/2013/12/ibm-claims-advances-fully-homomorphic-encryption-im-claiming-advances-anti-gravity-device/
PHONE 512.763.0555
EMAIL info@wisegateit.com
www.wisegateit.com

Would you like to join us? Go to wisegateit.com/request-invite/ to learn more and to submit your request for membership.