Is Your Production Data Secure? That’s a Hard NO.
Published 09/23/2024
Originally published by Paperclip.
Written by Mike Bridges.
The culture of cybersecurity and data protection is broken. Let’s look at it from a unique point of view. You’ve got an employee who is terrible at their job, consistently makes mistakes, and puts the company in harm’s way. Even worse, when you confront them about it, they make excuses, blame it on someone else, and really don’t care.
Sound familiar? Unfortunately, this represents the posture of our cybersecurity community and our performance protecting data.
Who really needs privacy in this digital age where we share every minute detail of our lives on social media anyway?
While we’re walking down sarcastic lane, let’s look at encryption. Who needs it? Just implement better access controls and authentication, or better yet just plug in a better DLP product. Why would anyone bother encrypting their most valuable data—data in use? It's not like there are hordes of cybercriminals just waiting to get their hands on personal information, right?
Think of the inconvenience! Why go through the hassle of setting up encryption in use when you can just leave your data out in the open for everyone to see? It’s not like personal data, financial details, or sensitive information need any special protection. Besides, those complicated passwords and encryption keys are just way too hard to remember.
What could go wrong? Companies and governments have proven time and again that they’re perfectly capable of protecting private or sensitive data without any help from encryption in use. Data breaches and identity theft are just myths, right? And even if they weren’t, it’s just a minor inconvenience. Nothing a good old-fashioned “sorry” email from the company can’t fix.
So, why encrypt data in use? It’s fundamental. Everyone knows that the best way, actually the only true way to secure data is to encrypt it. The first thing a threat actor does when they steal your data is to encrypt it. Why? So YOU can’t get YOUR data back!
So, let’s just keep things easy and trust in the goodwill of the internet. Encryption in use is totally overrated. It’s obviously better for everyone to keep things simple so we’re all comfortable and happy. Nothing brings more joy than realizing that every U.S. citizen’s Social Security number can and will be used against you.
We say this in jest because it’s painfully obvious that data protection and privacy should be critically important for all organizations. Here’s the simple truth: all the data at the end of your keyboard is in plaintext.
Fact #1: Encryption at rest does not encrypt production data; it is applied to offline content such as archives and backups. Data encrypted at rest must be decrypted, and therefore exposed to risk, before it can be used.
Fact #2: Encryption in transit also does not encrypt production data; it is applied only to communications. Encryption in transit protects only data sent across the wire (e.g., between servers, users, and the Internet).
The fact remains, right now, production data is unencrypted, in plaintext, and at risk of data theft, data ransom, and data manipulation. Without encryption in use, the data is fully exposed to support the applications that run your operation. Even if you outsource your core operations to a cloud application, without encryption in use, that vendor is exposing private and sensitive data right now so you can run your operations.
Risks on the Rise
The FBI’s Internet Crime Complaint Center (IC3) collects complaint data, advances investigations, and identifies changes in the threat landscape. In 2023, IC3 received a record number of complaints from the American public: 880,418 complaints were registered, with potential losses exceeding $12.5 billion. That is a nearly 10% increase in complaints received and a 22% increase in losses suffered compared to 2022. The IC3 graph below (Fig. 1) summarizes the growth of cybercrime over the last five years.
In the face of this evidence, I think we can dispel the myth that your current cybersecurity posture is effective and that we’ve done all we can do.
The New Encryption
History has demonstrated that to protect data we need encryption, which has typically meant encryption at rest and in transit. Now the primary challenge is production data, or data in use. There are new technologies such as homomorphic encryption, format-preserving encryption, and searchable symmetric encryption that are designed to perform computations on encrypted data while the data remains encrypted.
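To make the phrase “computations on encrypted data while the data remains encrypted” concrete, here is an added example (not code from the original article or from Paperclip) of additively homomorphic encryption using the Paillier cryptosystem: a party holding only the public key can add two encrypted salaries, or total a whole encrypted column, and only the private-key holder can read the result. The primes, key sizes and salary figures are constructed toy values for the demonstration; real deployments use primes of 1024 bits or more and a vetted library.

```python
import math
import secrets


def _L(x, n):
    # Paillier's L function: L(x) = (x - 1) / n, exact for x ≡ 1 (mod n)
    return (x - 1) // n


def keygen(p, q):
    """Build a Paillier key pair from two primes.

    Constructed toy-size example: p and q are supplied by the caller and are
    far too small for real use, but the algebra is the real algorithm.
    """
    n = p * q
    n2 = n * n
    g = n + 1                                            # standard generator choice
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)    # lcm(p - 1, q - 1)
    mu = pow(_L(pow(g, lam, n2), n), -1, n)              # modular inverse, Python 3.8+
    public = {"n": n, "n2": n2, "g": g}
    private = {"n": n, "n2": n2, "lam": lam, "mu": mu}
    return public, private


def encrypt(pub, m):
    """Randomized encryption: the same plaintext yields a different ciphertext each call."""
    n, n2, g = pub["n"], pub["n2"], pub["g"]
    if not 0 <= m < n:
        raise ValueError("plaintext must be in [0, n)")
    while True:
        r = secrets.randbelow(n - 1) + 1                 # r in [1, n - 1]
        if math.gcd(r, n) == 1:
            break
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def decrypt(priv, c):
    n, n2 = priv["n"], priv["n2"]
    return (_L(pow(c, priv["lam"], n2), n) * priv["mu"]) % n


def add(pub, c1, c2):
    """Multiplying ciphertexts adds the underlying plaintexts (no private key needed)."""
    return (c1 * c2) % pub["n2"]


def scale(pub, c, k):
    """Raising a ciphertext to k multiplies the underlying plaintext by k."""
    return pow(c, k, pub["n2"])


def encrypted_sum(pub, ciphertexts):
    """What an untrusted service can do: total an encrypted column without ever decrypting it."""
    total = 1                                            # 1 = g^0 * 1^n is a valid encryption of 0
    for c in ciphertexts:
        total = add(pub, total, c)
    return total


if __name__ == "__main__":
    pub, priv = keygen(10007, 10009)                     # constructed toy primes
    salaries = [1200, 3400, 5600]                        # constructed sample data
    column = [encrypt(pub, s) for s in salaries]         # stored encrypted
    total_ct = encrypted_sum(pub, column)                # computed by the key-less service
    print("plaintext sum:", sum(salaries))
    print("decrypted sum of ciphertexts:", decrypt(priv, total_ct))
```

The service that runs `encrypted_sum` never sees a salary or the private key, which is the property the article is pointing at. The flip side a practitioner should know is that Paillier only supports addition and multiplication by a known constant; multiplying two encrypted values, comparisons and string search need other schemes (fully homomorphic or searchable encryption), which is why the article lists several technologies rather than one.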
The C-Suite has a responsibility to address their organization’s ignorance of encryption in use technologies, encourage experimentation, stay abreast of industry encryption technologies, and adopt these new technologies. To ignore these new encryption technologies and not experiment with them is apathetic.
The Data-Centric Approach
There are three distinct cybersecurity strategies: network-centric, human-centric, and data-centric. We can agree that while all are important, the foundation of all cybersecurity strategies is data. After all, data is what the threat actor is after. If they control the data, they ultimately control your operations, finances, and future solvency.
Data-centric security is gaining industry mindshare, indicating a positive shift toward encryption of data in use. The future of searchable encryption will involve isolated silos. In the cloud, these will manifest as microservices with API connections. On-premises, they will consist of highly segmented groups of VMs or hardware with API connections. These solutions and services will adhere to NIST standards to ensure data is always encrypted.
The solutions will also provide surveillance and monitoring capabilities to detect adversaries, utilizing machine learning and SIEM telemetry. Privacy will be ensured by multiple key holders protecting the data owner. Data-centric security is a critical piece of secure by design and secure by default.
For the development community, data-centric security and encryption in use will play a major role in securing data. Data-centric security has multiple initiatives designed to influence the way we develop code and the minimum feature sets our application code should support. One initiative led by CISA is “Secure by Design”, where they state, “Products designed with Secure by Design principles prioritize the security of customers as a core business requirement, rather than merely treating it as a technical feature”. CISA has also adopted encryption of data in use as a key tenet of its Zero Trust Maturity Model.
Another stakeholder is the Cloud Security Alliance (CSA) and its programs around DevSecOps development. CSA states that “DevSecOps applies DevOps concepts to enhance the efficiency and effectiveness of information security processes”. Legacy application code bases are about to go through modifications to adopt new security principles and to isolate critical production data through encryption in use.
Regulations on the Horizon
While some IT and data security professionals may think that database vendors (e.g., MS SQL, Oracle, MongoDB, PostgreSQL) will deliver “encryption in use” database solutions, that’s not likely. That’s because the very efficiencies that make SQL fast are what expose sensitive data and hand adversaries what they need (plaintext data, encryption keys, credentials).
What makes SQL so efficient is its combination of indexing (less I/O) and caching (better-timed I/O). One example of SQL encryption is “column encryption”, a method of encrypting an entire column within a SQL table; because the column is then effectively “encrypted at rest”, the database can no longer index, search, or otherwise operate on it. That means that adequately securing SQL databases would, in effect, destroy SQL databases.
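The tension described above, between randomized column encryption that breaks indexing and the searchable-encryption approach the article points to, can be shown in a few lines of SQLite. The following is an added example, not code from the article or from Paperclip: it stores an SSN column under randomized, authenticated encryption (so a `WHERE ssn_ct = ?` lookup finds nothing) next to a keyed blind index, an HMAC of the value, which is deterministic and therefore indexable. The cipher here is a constructed HMAC-SHA256 keystream with an encrypt-then-MAC tag so the example runs on the standard library alone; a production system would use AES-GCM from a vetted library, and the keys would come from a KMS or HSM rather than being generated in the process. The table, column and customer names are constructed sample data.

```python
import hashlib
import hmac
import secrets
import sqlite3

# Constructed demo keys. In a real deployment they live in a KMS/HSM and are
# never stored alongside the database they protect.
ENC_KEY = secrets.token_bytes(32)
IDX_KEY = secrets.token_bytes(32)


def _subkey(key, label):
    # Derive separate keystream and MAC keys from one master key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key, nonce, length):
    # PRF-based stream: HMAC(key, nonce || counter) blocks, truncated to length.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext):
    """Randomized encrypt-then-MAC: the same plaintext gives a different blob every call."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    """Verify the tag first, then strip the keystream; raises on tampering."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext tampered with or wrong key")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


def blind_index(value):
    """Deterministic keyed hash: equal inputs give equal index values, nothing else is revealed."""
    return hmac.new(IDX_KEY, value.strip().encode(), hashlib.sha256).digest()


def create_store():
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, ssn_ct BLOB, ssn_idx BLOB)"
    )
    db.execute("CREATE INDEX idx_ssn ON customers(ssn_idx)")   # the index lives on the blind index
    return db


def insert_customer(db, name, ssn):
    db.execute(
        "INSERT INTO customers (name, ssn_ct, ssn_idx) VALUES (?, ?, ?)",
        (name, encrypt(ENC_KEY, ssn.encode()), blind_index(ssn)),
    )


def find_by_ssn(db, ssn):
    """Equality search on encrypted data: match on the blind index, decrypt only the hits."""
    rows = db.execute(
        "SELECT name, ssn_ct FROM customers WHERE ssn_idx = ?", (blind_index(ssn),)
    ).fetchall()
    return [(name, decrypt(ENC_KEY, ct).decode()) for name, ct in rows]


def find_by_ciphertext_equality(db, ssn):
    """The naive approach: comparing randomized ciphertexts never matches."""
    return db.execute(
        "SELECT name FROM customers WHERE ssn_ct = ?", (encrypt(ENC_KEY, ssn.encode()),)
    ).fetchall()


def lookup_uses_index(db):
    """Confirm SQLite serves the blind-index lookup from idx_ssn rather than a full scan."""
    plan = db.execute(
        "EXPLAIN QUERY PLAN SELECT name FROM customers WHERE ssn_idx = ?", (b"x",)
    ).fetchall()
    return any("USING INDEX" in row[-1] for row in plan)


if __name__ == "__main__":
    db = create_store()
    insert_customer(db, "Ada", "123-45-6789")          # constructed sample records
    insert_customer(db, "Bob", "987-65-4321")
    print("blind index hits:", find_by_ssn(db, "123-45-6789"))
    print("ciphertext equality hits:", find_by_ciphertext_equality(db, "123-45-6789"))
    print("index used:", lookup_uses_index(db))
```

The trade-off a practitioner should weigh is visible in `blind_index`: it restores equality lookups and indexing, but it deliberately leaks equality (two rows with the same SSN share an index value), and range queries or `LIKE` patterns still cannot run over the encrypted column. Rotating `IDX_KEY` means recomputing every index value, so key management is part of the schema design, not an afterthought.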
Compliance organizations will soon adopt encryption-in-use controls as evidence in conducting their audits. Federal agency regulations (e.g., HIPAA, SEC, DOD, FedRAMP) will soon require encryption in use for critical data. Software vendors whose applications process or store critical data will feel the pressure to satisfy customers’ compliance needs as those customers move to a secure-by-demand third-party vendor approach.
In anticipation of these changes, software developers need to start working with searchable encryption providers and develop plans to make the necessary code changes.
Maturing effective security posture to include data-centric security with always encrypted data is the next best step to truly combat cybercrime and protect our personal information, our infrastructure and our privacy. The writing is on the wall. We all must do better. There’s no one to blame, no excuse to save us, and it’s time to care.
About the Author
Since 1995, Mike has held roles at Paperclip including Vice President of Marketing and Sales, Director of Corporate Services, and Consultant. In his current role as President and COO, he is responsible for strategic direction, operations, and corporate communications. Prior to joining Paperclip, Mike was the Executive Vice President and co-founder of CMF Design System. Mike has received a Bachelor of Science from Rowan University and served as a Captain in the United States Marine Corps.