
What is Data Centric Security?


What are the issues in securing data in today’s environment?

In today’s hyper-connected world, an ever-increasing amount of data is being processed in much more complex ways in order to create additional economic and social value.  Consequently, the potential attack surface has increased, along with the perceived rewards of cyber-crime or espionage through cyber security breaches.  This is illustrated by the cyber-attacks against a number of large financial firms in the US, including JP Morgan, which recently resulted in charges against three men.

The challenge is to properly protect the data end to end and ensure it is only available to authorised parties where:

  • Business processes may involve multiple systems;
  • Not all of these systems could be under the control of one organisation;
  • Many of these systems were built on legacy technologies using legacy techniques.

A potential way of solving this problem is to bundle the security related information with the data and to protect the actual data from unauthorised parties.  This concept is referred to as data centric security.

A number of different technologies, which are continuing to evolve and mature, can form part of a data centric security approach.

Format Preserving Encryption

One of the biggest challenges when encrypting data is that the result is not in the same format as the original data and is often considerably larger.  A new technique developed by Terence Spies uses existing encryption algorithms but ensures that the resulting encrypted data is in the same format as the original unencrypted data.

This approach has the clear advantages of being data agnostic and of preserving referential integrity.  Therefore, implementing Format Preserving Encryption will not need changes to the database schema but will require some changes to the applications using that data.
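The property described above can be seen in a small added example (not code from the original page or from any product it names): a simplified Feistel construction over decimal digits with HMAC-SHA256 as the round function. It is a teaching sketch, not a standardised mode such as NIST FF1, and the key, tweak and card number are constructed values.

```python
import hashlib
import hmac

ROUNDS = 10  # even, so both halves end up back in their original positions

def _round_value(key: bytes, rnd: int, half: str, width: int, tweak: bytes) -> int:
    """Keyed round function: HMAC-SHA256 reduced to `width` decimal digits."""
    msg = f"{rnd}|{width}|{half}|".encode() + tweak
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % 10 ** width

def _check(digits: str) -> None:
    # Tiny domains can simply be enumerated, so refuse short inputs
    # (the floor of 6 digits is an assumption of this sketch).
    if not (digits.isascii() and digits.isdigit() and len(digits) >= 6):
        raise ValueError("expected at least 6 ASCII digits")

def fpe_encrypt(key: bytes, digits: str, tweak: bytes = b"") -> str:
    """Encrypt a digit string to a digit string of the same length."""
    _check(digits)
    a, b = digits[: len(digits) // 2], digits[len(digits) // 2 :]
    for rnd in range(ROUNDS):
        width = len(a)  # the half being replaced keeps its width
        c = (int(a) + _round_value(key, rnd, b, width, tweak)) % 10 ** width
        a, b = b, str(c).zfill(width)
    return a + b

def fpe_decrypt(key: bytes, digits: str, tweak: bytes = b"") -> str:
    """Invert fpe_encrypt by running the rounds backwards."""
    _check(digits)
    a, b = digits[: len(digits) // 2], digits[len(digits) // 2 :]
    for rnd in reversed(range(ROUNDS)):
        width = len(b)
        prev = (int(b) - _round_value(key, rnd, a, width, tweak)) % 10 ** width
        a, b = str(prev).zfill(width), a
    return a + b

if __name__ == "__main__":
    key = hashlib.sha256(b"constructed demo key").digest()
    pan = "4111111111111111"  # constructed sample value
    column = b"customers.card_number"  # tweak: binds the ciphertext to one column
    token = fpe_encrypt(key, pan, column)
    print(pan, "->", token, "->", fpe_decrypt(key, token, column))
```

Because the output is deterministic for a given key and tweak, equal plaintexts in two tables still join on their ciphertexts, which is the referential integrity the text refers to; the same determinism also lets an observer see which rows hold equal values.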

Secure Stateless Tokenization

This is a new approach to tokenization which removes the need to maintain a token database by using token lookup tables of pre-generated random numbers coupled with encryption techniques.  The algorithms ensure that the tokenization is deterministic, which means that the same original data will always generate the same unique token.  So, there is no need to maintain a database of tokens and it can be implemented in high performance environments.

Stateless Key Management

Key management is a complex and costly operation which has restricted the adoption and use of security certificates and has generally relied on specialised service providers such as Verisign.

The idea of Stateless Key Management is that there is no need to maintain and secure a database of keys because each key is generated on-demand and can also be re-generated whenever required.  Consequently, this service can be provided using an appliance which is scalable and requires significantly less management than a traditional PKI solution.

Identity Based Encryption

The biggest challenge with encrypting data is the secure distribution of the keys and this is further complicated if the data is to be shared by a group of individuals each with their own identity.  Traditionally, PKI solutions have been used to enable such data encryption but the complexity and cost of running PKI solutions has prohibited their wide scale adoption.

The idea of Identity Based Encryption is to provide key servers which can generate and securely distribute the necessary encryption keys to all authorised parties leveraging existing identity systems.  By generating encryption keys on demand based on the authorised parties’ identities using Stateless Key Management, the key servers can be managed by multiple parties without an enrolment process prior to the data being encrypted.  Additionally, there is no need to maintain a database of encryption keys.
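The on-demand key generation described under Stateless Key Management and Identity Based Encryption can be sketched as follows (an added example, not code from the original page or from any product it names). It uses symmetric HKDF derivation as a stand-in and does not implement the public-key mathematics of real Identity Based Encryption; `StatelessKeyServer`, the domain, the identities and the rotation periods are hypothetical.

```python
import hashlib
import hmac

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869): extract a pseudorandom key, then expand it with `info`."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

class StatelessKeyServer:
    """Hypothetical key server: holds one master secret, stores no per-user keys."""

    def __init__(self, master_secret: bytes, domain: str):
        if len(master_secret) < 32:
            raise ValueError("master secret must be at least 32 bytes")
        self._master = master_secret
        self._domain = domain.encode()

    def key_for(self, identity: str, period: str) -> bytes:
        """Regenerate the 256-bit key for an identity and a rotation period."""
        ident = identity.strip().lower().encode()  # canonical form of the identity
        fields = (b"data-key-v1", ident, period.encode())
        # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
        info = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
        return hkdf_sha256(self._master, self._domain, info)

def demo() -> dict:
    master = hashlib.sha256(b"constructed demo master secret").digest()
    before = StatelessKeyServer(master, "example.org")
    after_restart = StatelessKeyServer(master, "example.org")  # no database to restore
    k = before.key_for("Alice@Example.org", "2024-Q1")
    return {
        "regenerated": k == after_restart.key_for("alice@example.org", "2024-Q1"),
        "per_identity": k != before.key_for("bob@example.org", "2024-Q1"),
        "rotated": k != before.key_for("alice@example.org", "2024-Q2"),
    }

if __name__ == "__main__":
    print(demo())
```

With no key database, the master secret is the only thing left to protect, and anyone who obtains it can regenerate every key, so access to it and to the derivation call is where authorisation checks and logging belong.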

Data Loss Prevention

Data Loss Prevention (DLP) solutions are designed to detect and prevent sensitive data leaking outside an organisation.  There are many ways to achieve this objective and some of the DLP solutions are similar to data centric security techniques.  However, they are generally focused on email and document based information being exchanged with other parties and have been complex to implement effectively.

Micro-segmentation

Finally, it is worth mentioning micro-segmentation as it is being put forward as a mechanism for securing data particularly in hybrid cloud environments.  It essentially provides an orchestration infrastructure to manage and monitor security of the various resources within the cloud environment.  Whilst this is a very useful and valid way of better managing security, it is not really data centric security as the security attributes are not directly bound to the data.

Some examples of these technologies

The following table lists example products which cover these technologies, showing whether each applies to structured data, to unstructured data or only at the infrastructure level, and whether it requires a database of keys or tokens or is stateless.

| | Structured Data | Unstructured Data | Infrastructure |
|---|---|---|---|
| Stateful | Oracle Advanced Security Transparent Data Encryption | CovertiX SmartCipher | Symantec Managed PKI Service |
| Stateless | HP SecureData Enterprise; HP SecureData Payments | HP SecureFile; HP SecureMail | vARMOUR Distributed Security System |

The challenges for Data Centric Security

It seems clear that Data Centric Security technologies offer a significant advance on the more traditional data encryption and access controls approach.  However, it is not clear how quickly and widely they will be adopted.

Whilst selecting and using the most appropriate technologies, it is still important to tackle the challenge by putting People and Process first instead of Technology to solve business problems.

There needs to be a standard approach to data centric security if its full potential is to be realised and leveraged across multiple organisations.  This is a significant ask but it has been achieved in the past – for example, the Internet and TCP/IP.

Finally, there appears to be a significant conflict in government edicts and the opinions of politicians relating to cyber security.  When there is a data breach, there are outcries that corporations must do more to protect their customers’ data including encrypting it so no one else can use it.  However, in the face of increasing terrorism, governments are looking to increase their surveillance powers and capabilities.  Given that many large corporations operate globally and across national boundaries, this creates an uneasy tension which needs to be resolved.

 

Neil Cordell

Director

Corix Partners

