An upsurge in the number of reported cases of cyber-attacks and security breaches has been noted. Such reports are appearing in the news sections more often as companies suffer intrusions and data breaches. No single company or industry is entirely immune from cyber-attacks as malicious actors become bolder and use sophisticated strategies to target networks and sensitive data. Data breaches prove to be disastrous for businesses in the form of financial losses, regulatory fines and penalties, reputational damage, and loss of customer trust, among other consequences.
Regulations such as the General Data Protection Regulation (GDPR) have tempted businesses to encrypt all forms of personal data living in their environments. The temptation to encrypt data is waiving the requirement that a company must notify affected customers of a data breach within 72 hours. Attackers will have no immediate use for encrypted personally identifiable data that they manage to steal. Data breaches are proving to be costly affairs due to the significant fines imposed for personal information loss.
Security challenges will not disappear any time soon as older technology becomes obsolete and new technologies emerge. Legacy systems will no longer be patchable and will become easy targets for cybercriminals, whereas somebody will always figure out how to attack and exploit new technologies deployed by businesses. Companies should strive to protect their data at all costs, irrespective of where it is stored. No data is safe, whether it is stored in the cloud or on a server. The first step is to encrypt all data so that it is secure. However, it is good to appreciate that necessary encryption is not sufficient in keeping data safe.
Table of contents
Limitations of Disk-Layer Encryption
Disk-layer encryption serves to protect the storage medium as a whole from attacks or unauthorized use. The whole disk will be encrypted with a single encryption key stored within the same hardware or in disk-layer encryption schemes on the same drive as your encrypted data. The advantage of this arrangement is that developers can easily change the encryption key when the need arises. However, it makes it easy for hackers to access sensitive information.
Up to 75% of data breaches start with stealing the credentials of an account that carried privileges. Attackers will steal users’ credentials to access the encryption key and further access the information stored on the drive. Alternatively, attackers may choose to download the encryption key and the encryption data and decrypt the data in offline locations. Access to a privileged account’s credentials means that any apps linked to it can access unencrypted data once logged in. The attackers will have found a large attack surface to access sensitive data.
How is Encrypted Data not Safe.
It is disheartening to learn that sensitive data can be leaked or stolen even when it is encrypted. The situation arises since many businesses approach information security in a piecemeal way, which leaves gaps easily exploited by cybercriminals. Encryption should happen at all the different levels of the TCP/IP stack. Security teams must understand that when you encrypt a specific place in the stack, all other layers above that level will not be protected. For example, data within a disk can be encrypted but will be in a straightforward test during transport in the network layer. Security of networks and stored data should be at the forefront of all activities. Reactionary measures will not sufficiently protect sensitive data and often come when it is already too late.
Another challenge arises from getting to the market as fast as possible, whereby developers push out products as soon as they are completed. The high pace of pushing out apps and software before security teams test means that users are exposed. There are no quality controls and security testing, which sees some developers using broken algorithms, antiquated encryption strategies, and deploying apps with bugs. Customers or users realize that products that have already been deployed are susceptible to attacks too late.
The Case for Application Layer Encryption
The approach of building a ring around your network or hardware is not sufficient to prevent data breaches. All primary data breaches in both the private and public sectors have operated at the application layer. That includes all versions of data breaches, including advanced persistent threat (APT) attacks and malware. Data should be secured at the application layer to address these serious threats. That means that the application should encrypt data. Only the application will gain access to the encryption key when accessing the data. When FDE, TDE, and TLS encryption are used on a standalone basis, they are mainly insufficient in protecting sensitive data. Additional measures include stopping individual users and third-party applications from accessing encrypted data or encryption keys. It will help to reduce the attack surface for your organization. The only way an attacker gains access to encrypted data would be through functionality on the app. That way, IT teams can audit access control issues and authorizations.
Adopt a Security Culture
Data security at the application level demands that organizations get developers and security teams to secure data and applications. Security must be a fundamental part by embedding it in all of all software and app development work. Security teams can help guide developers in using tools and processes that show the building of secure applications.
Some of the available tools are an API that can help to encrypt data at the application level. Through a few code lines, developers can help encrypt and secure data without becoming encryption professionals. You will rest assured that customer data is secure and that you no longer worry about threats and data breaches.
By Alessandro Civati