Many experts are touting encryption technology as the solution – offering robust protection against the rising cybercrime threat, giving only authenticated users access to enterprise data, and securing data to satisfy compliance requirements.
IT professionals have long since realised that traditional perimeter-based security controls are no longer adequate. What is required now is more effective, multi-layered encryption of data, both in motion and at rest.
This is particularly important where enterprise data is being held in multi-tenant cloud computing environments, serving multiple businesses and users, with data being partitioned accordingly.
John Kindervag, principal analyst at Forrester Research, says business and IT leaders alike are eager to adopt cloud computing to lower their IT costs, provide scale, and enable more flexibility. But cloud computing leads to unique data segregation issues, as providers adopt virtualisation technology to share their IT infrastructure across multiple user organisations.
“However, many security professionals are uncomfortable with multi-tenancy — and for good reason. In a multi-tenant environment, data encryption holds the best hope of properly protecting commingled data,” says Kindervag.
As well as protecting information in shared datacentre environments, encryption can also protect businesses that have a growing number of remote and mobile workers. “The advent of the extended enterprise and the ease of accessing corporate information anytime, anywhere, and on any device will create new pressures on security teams to encrypt data,” says Kindervag. Mobile devices are easy to lose or steal, he adds, but enterprise-level encryption is the best hope for securing data on these devices.
The sorts of encryption technologies that are starting to grow in popularity amongst security-conscious enterprises include endpoint encryption, full-disk and file-level encryption, database and storage encryption, and mobile device authentication.
Whilst these technologies are not new, they are becoming more obviously useful as an increasing number of organisations move their IT operations into the cloud, whilst facing a growing hacker threat and more stringent compliance requirements.
Reasonable levels of encryption already exist in today’s enterprises, with common technologies including email encryption, as well as endpoint encryption using firewalls, Transport Layer Security (TLS) or Secure Sockets Layer (SSL) VPNs. Many enterprises also use intrusion detection systems that have behaviour-blocking components, as these can monitor the way devices are being used to access the network, for example to detect rootkits (stealthy malware code).
One example of a business that uses several types of encryption, on a daily basis, is Ashfords Solicitors. The law firm hosts cloud services for its clients, using its own datacentre hardware. Examples of these services include contract storage and management, deal room document management, and procurement tendering, all of which clients can access via their web browsers.
Garry Mackay, head of commercial services at the practice, who also heads the IT team, says Ashfords has its own secure server at a third-party datacentre provider (Telehouse in London), and its cloud uses SSL encryption and is HTTPS-accredited.
HTTPS encrypts and decrypts web sessions, and user authentication is carried out using digital certificates and alphanumeric passwords. This combination protects against eavesdropping and man-in-the-middle hacker attacks.
Mackay adds, “All users have alphanumeric passwords which are changed every three months, documents are encrypted, and access to individual documents and folders is limited to authorised users only.”
“Security is the biggest fear factor when it comes to the cloud,” says Mackay. His advice is to use secure access to cloud-based data, but also to encrypt individual documents, and Ashfords does this using a random number generator. However, he admits that the firm’s private cloud system complements its separate, internal IT system, which is far less open to the outside world. Only data that the clients need to access goes into the cloud, he says.
Another big user of encryption is the University of Leeds, whose researchers use a file sharing service called Teamdrive to share data and documents between different group members. The file sharing system encrypts all the relevant data on the endpoint computer before uploading it to a private cloud.
Unlike Dropbox, which holds its customers’ data on servers in the public cloud (using Amazon’s cloud service), Teamdrive allows users to host the data on their own servers, says University of Leeds research fellow Dr. Anthony Beck. “The ability to use our own servers for shared cloud storage is fantastic. Essentially we have an unlimited storage capacity which we can easily share with colleagues throughout the world at any institution,” he says.
Encryption on the rise
Data encryption is fast growing in popularity, according to Forrester’s John Kindervag. “In the future, you will encrypt data — both in motion and at rest — by default. This data-centric approach to security is a much more effective way to keep up with determined cybercriminals. By encrypting, and thereby devaluing, your sensitive data, you can make cybercriminals bypass your networks and look for less robustly-protected targets.”
He adds that security professionals have deployed a wide variety of cryptographic solutions in most modern networks, including the widespread encryption of hard drives on desktops and laptops, the encryption of emails containing sensitive information, and database encryption.
Compliance requirements and privacy laws have given companies incentives to deploy more and more encryption, with database and network storage encryption on the rise “as sensitive data very often resides in enterprise databases”, Kindervag notes. In Forrester’s most recent security survey, around a third of respondents said they had adopted network storage encryption and/or database encryption.
Full disk encryption (FDE) and file encryption are also popular choices. FDE encrypts the entire hard drive, whereas file-level encryption only encrypts the portion of the drive where sensitive information is stored. The adoption rates of these technologies are nearly equal; 38% of companies have chosen to implement FDE or desktop encryption, while 34% have implemented file-level encryption, says Kindervag.
Hardware-based disk encryption generally has a lower performance impact on the backup server than software-based encryption, because the encryption activity is invisible to the operating system and the host computer’s CPU. It can also perform encryption after data is compressed and stored on disk or tape. “Encryption is one of the least costly risk mitigation tools available, and if aggressively deployed, will greatly reduce the number of data breaches due to lost or stolen equipment,” says Cal Braunstein, executive director of research at analyst firm Robert Frances Group.
The latest innovation in full disk encryption is the self-encrypting drive (SED). This brand-new hard disk technology performs the encryption in the hardware itself, securing all the data automatically, in a process that is transparent to the user. “While there is still a need for encryption management software, self-encrypting drives promise improved cryptographic performance, thus eliminating one of the final barriers to adopting client encryption,” says Kindervag.
According to Gartner, SEDs are ideal where significant volumes of sensitive data need to be held, because the hardware-based encryption method has little impact on the performance of the drive. In terms of security, erasing the encryption key makes all data on the disk inaccessible. But businesses choosing to use SEDs for encryption should also use third-party key management systems to ensure data can always be recovered, analysts warn.
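As an added illustration, not taken from the article or from any drive vendor, the following models the key hierarchy behind the two points just made: user data is only ever stored under a data encryption key (DEK), erasing that key makes the ciphertext unrecoverable, and an escrowed copy of the wrapped DEK in a key management system is what makes recovery possible afterwards. The cipher is a standard-library stand-in rather than the AES a real SED uses, and the class and method names are illustrative.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Stand-in authenticated cipher from the standard library only (HMAC-SHA256
# keystream in counter mode, then an HMAC tag); a real SED uses AES, but the
# key hierarchy, not the cipher, is what this example demonstrates.
def _subkeys(key: bytes) -> tuple:
    return tuple(hmac.new(key, lbl, hashlib.sha256).digest() for lbl in (b"enc", b"mac"))

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output layout is nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    """Reverse seal; raises ValueError for a wrong or erased key or altered data."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or altered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

@dataclass
class Drive:
    """Illustrative SED key hierarchy: user data is stored only under a random
    DEK; the DEK sits on the drive wrapped under a key-encryption key (KEK)."""
    wrapped_dek: bytes  # DEK sealed under the KEK; this is what a KMS escrows
    blocks: bytes       # user data sealed under the DEK

    @classmethod
    def provision(cls, kek: bytes, data: bytes) -> "Drive":
        dek = secrets.token_bytes(32)
        return cls(wrapped_dek=seal(kek, dek), blocks=seal(dek, data))

    def read(self, kek: bytes) -> bytes:
        return unseal(unseal(kek, self.wrapped_dek), self.blocks)

    def crypto_erase(self) -> None:
        # Zero the on-drive wrapped DEK; the ciphertext stays but is now unreadable.
        self.wrapped_dek = bytes(len(self.wrapped_dek))

    def restore_key(self, escrowed: bytes) -> None:
        self.wrapped_dek = escrowed  # reload the wrapped DEK from the KMS escrow
```

Without the escrowed copy, `read` fails after `crypto_erase` even with the correct KEK, which is exactly the recovery gap the analysts warn about.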
In terms of developing an encryption strategy, Gartner security specialist Eric Ouellet advises businesses to “try to standardise on a single approach to encryption for the whole business, to enable consistency across the different systems in the business, which will help keep complexity to a minimum and reduce the cost of deployment and support.”
But you don’t have to be a cryptographer to implement encryption. “A noteworthy inhibitor of encryption is an unfounded — and unhealthy — fear of cryptographic technologies. Too many security pros focus on the technology behind encryption, such as the encryption algorithms themselves,” says Kindervag. “There is a misconception that you need to be a mathematician or a cryptographer to properly deploy cryptographic solutions. In reality, good encryption is all about abstraction (defining groups of users, or data assets) and management.”
Encryption has found its way into large parts of our technology systems and can be used by the non-technical. For example, e-mail encryption is an option for all enterprise grade e-mail systems; and today’s operating systems even come with endpoint encryption applications that will enable remote access to the client desktop or laptop. “The widespread use of SSL/TLS is a good example,” says Kindervag. “This cryptographic solution undergirds the Internet and our e-commerce systems, but the technical details are transparent to the individuals who deploy it.”
“Other cryptographic solutions will evolve in a similar manner; sometime in the near future we will find that we encrypt almost all of our data and will be surprised when we find unencrypted data in our organisations,” he adds.
Ultimately, good security is all about reducing the attack surface that is available to hackers and malicious users as they attempt to infiltrate the business. Encryption options such as FDE and file and database encryption can go a long way towards making the cloud more secure for doing business, and less attractive to cybercriminals.