Don't rely on checkbox compliance
Nigel Thorpe, technical director, SecureAge Technology, explores the use of encryption for data protection and warns of GDPR tick box complacency
A key principle of the GDPR is that personal data must be processed securely, using “appropriate technical and organisational measures” – the “security principle”. To meet this principle, organisations implement a variety of IT security technologies, all aimed at protecting information where it is stored and processed. Article 32 of the GDPR includes encryption as an example of an appropriate technical measure, depending on the nature and risks of your processing activities.
The problem is that encryption comes in many different forms. Transparent Data Encryption (TDE) is used to secure data in databases, and application security ensures that only the information required to fulfil business processes is exposed to legitimate users. To secure other reports, spreadsheets and documents that are exported from these security silos, full disk encryption is commonly implemented. This is fine if you lose your laptop or USB stick, but as soon as a PC is powered on and the disk is unlocked, data can be stolen from it – in the clear, not encrypted.
The language around Full Disk Encryption doesn’t help. Here’s what Microsoft says about turning on device encryption: ‘Encryption helps protect the data on your device so it can only be accessed by people who have authorisation’. Sounds like this will do the job. But the truth is that for encryption to be truly effective, it needs to protect data not only at rest but also in transit and in use. Data thieves will always look for ways to exfiltrate data from security silos because they know it will not be protected once outside.
For example, if you’re working at home, perhaps on reports or spreadsheets containing sensitive information, but your Wi-Fi network is compromised, the information on your laptop can easily be stolen. And what about the legitimate, but disgruntled employee? They’ve got access to data because it’s part of their job. They can export and copy information elsewhere, where it is no longer protected in a security silo.
The problem is that the traditional approach to preventing a successful cyber attack is to try to stop malicious threat actors from getting at your data by using multiple layers of defence. But the steady stream of headlines tells us that it’s simply not possible to stop every determined and skilled hacker, all of the time. And the attacks are relentless. According to a survey commissioned by SecureAge, forty-eight percent of businesses said they experienced a cyber breach during the last 12 months.
So, it’s time to think differently. Rethink the traditional perimeter methods of protection and adopt a data-centric approach, where security is built into data itself. That means any data that falls into the wrong hands is always protected and useless to the cybercriminal. After all, they can’t demand a ransom for data that is already encrypted.
GDPR recognises that encryption is an effective information security technology. It’s just that it is seen as difficult to implement and use in real life. That’s why it is usually deployed to protect data in silos. The other barrier to deployment is deciding what data should be encrypted – what is sensitive and valuable data and what is not.
In reality, the idea that there is sensitive data and non-sensitive data is flawed. All data must be considered sensitive and worthy of strong protection. For example, we know how cyber criminals can patch together bits of stolen data – along with information readily available online – to launch clever phishing attacks or impersonate their victims. The other challenge to choosing to protect just sensitive data is knowing where it is. In a recent Ponemon report, 67% of respondents said that discovering where sensitive data resides in their organisation was the number one challenge in planning and executing a data protection strategy.
For most organisations, it is challenging—bordering on impossible—to identify sensitive data and where it is located. So, the obvious conclusion is to consider all data as sensitive and encrypt all of it, all of the time. This means, for example, that when a file on a running system is copied from one location to another, it remains encrypted. And if authentication is built into the encrypted file, it means that only authorised individuals – not the bad guys – can decrypt the data.
But if you are going to implement this level of 100% encryption, it also needs to be fast and transparent to balance effective security with ease of use and not be seen as a speed bump. Importantly, users need to be removed from making security decisions – such as what is sensitive data. But with this ubiquitous approach to encryption, all data will be protected no matter where it gets copied, because security is part of the file rather than a feature of its storage location.
Organisations continue to perform risk analyses and implement security silos, with the result being that they can check all the boxes and show that they are ‘checkbox compliant’ with GDPR. This approach is a major contributor to the fact that we still see so many successful data exposures. To become truly compliant, with security that persists even if data is stolen, organisations’ information security focus must change from protecting storage locations to securing the data itself.
www.secureage.com
Data encryption goes back millennia. The Egyptians used Disordered Hieroglyphics, the Greeks Steganography, the Spartans Scytale and the Romans the Caesar Shift Cypher, which all laid the foundations for modern cryptography. What has evolved are two fundamental approaches based on complicated mathematics: ‘symmetric’ and ‘asymmetric’ cryptography.
Symmetric cryptography replaces plain text with ciphertext that appears to be gibberish. The sender of the message uses an algorithm and a ‘key’ to encrypt the message and the recipient then reverses the process, using the same algorithm and key. But the person encrypting the message must be able to deliver the key to the recipient safely or the message can be compromised.
To overcome this key-delivery problem, researchers came up with asymmetric, or ‘public key’ cryptography, which creates two tightly connected keys per person. One key is a public key and the other is a private key. If Bob encrypts a message using Alice’s public key, she can decrypt it using her private key. Alice can give everyone her public key, knowing that only she can decrypt messages intended for her because she keeps her private key secret.
The Romans, Greeks and Egyptians showed us the way, and had we thought more about protecting the data and less about simply trying to prevent access to it with firewalls, user controls and other ‘castle and moat’ techniques, modern information security may have taken a different route. But the fact is that we now have the knowledge, the technology and the processing power to deliver on the promise of using encryption to protect all of the data all of the time.