Encryption-is it enough?

Past concerns of implementing encryption to internal data transit included increased overhead on servers, network devices and end user workstations. This overhead could cause systems delays, loss of connectivity and loss or corruption of data. Many of today’s server and network technologies have data encryption capabilities built in to allow for easier configuration and implementation and minimize the impact on utilizations. Implementing encryption of data in transit from endpoint to endpoint, both remotely and internally is mandatory in today’s cyber risk environment.

“The highest level of data protection currently exists in the data transmission phase with the ‘at rest’ and ‘in use’ phases close behind”

Another phase of data encryption is the encryption of data at rest. Implementing encryption of data at rest is the easiest of all phases and, in fact, is built in on many devices such as smartphones, tablets and PCs. There are really no reasons not to encrypt all data on smartphones, tablets, PCs; however, there are some major limitations of encrypting data at rest. Users and applications must be able read data in order to use it, consequently, when a user or application logs into the system the data must appear decrypted. This is both necessary and a major vulnerability because when a user or application logs in all data, even that data at rest that they have access to, becomes readable. So, if a user’s device or application is infected with a virus, malware, etc. and they log in all data on their system or systems they can access becomes available to the hacker.

The last phase of data encryption is encryption of data in use, this is the weakest link. As defined in the previous encryption of data at rest section, in order to make use of data, it must be readable or decrypted. Many applications, database companies and cloud service providers are claiming different levels and characteristics of encrypted data in use; but, current technology does not make this completely possible. Encryption of data in use relies heavily on encryption of data at rest and in combination with strong authorization and access controls. By allowing only authorized users, limiting their access to the principles of least privilege and performing on the fly decryption of data upon access, companies are providing a minimal level of encryption of data in use.

Based on the functionality of encryption within the different phases, it must be obvious that encryption is not a silver bullet for the protection of data.

Encrypting data in transit can be compromised even if it is being performed across both internal and remote networks via the placement of malware on authorized devices that can eavesdrop or sniff data as it traverses the enterprise. Encrypting data at rest can also be overcome via the placement of malware on an authenticated device and it can also be bypassed by un-authorized users who illegally obtain valid user ids and password which have rights to view the data. The encryption of data in use with existing technologies uses the same but stricter rules as defined within the encryption of data at rest phase and therefore can be compromised in the same ways.

Encryption is designed to provide an additional layer of data protection but complex authorization policies and strict access controls providing only the least amount of privileges necessary for a user to perform their functions are still required in the protection of data. If hackers get into a network but are unable to gain authorized access with valid credentials, encryption will protect data from being read, copied or manipulated. However, cyber incidents facilitated by gaining un-authorized access to systems using valid user credentials, such as phishing scams or social engineering, can allow hackers complete access to decrypted data.