Decrypting encryption

February 2018 Editor's Choice, Cyber Security, Integrated Solutions

Given all the news about data theft and hacking, security breaches and identity theft, encryption is a topic that has moved from the realm of high security into everyday life. We are told we should encrypt sensitive data in transit and at rest – while it is being transferred to someone else as well as while it is sitting on a computer, server or mobile device.

The issue with encryption is that it requires users to take responsibility for their own security, firstly by encrypting and decrypting their data (which can be automated), and, secondly, by managing their own encryption keys.

When you rely on a company to encrypt your data, it may prevent third-parties from intercepting and reading your messages, but the key-holder still has access to those messages. So if your cloud provider has your key, they have full access to your data. The only way to keep your encryption secure is to keep and manage your keys yourself.

As part of our enquiry into this year’s cybersecurity trends, Hi-Tech Security Solutions asked a few IT experts for their insights into the state of encryption today. First off, we wanted to know if encrypting your data is now mainstream in that many companies are using it, as well as how far the market has come in making encryption simple for the business and solo user.

Made for the mass market?

Dragan Petkovic, security product leader ECEMEA at Oracle, explains that encryption is one of the easiest technical controls to implement and a number of organisations opt for it as a quick-win since it requires minimum human intervention. “It has been used for decades and it leaves me speechless that some organisations are still not using it to protect their confidential data. Oracle has made big efforts to make its encryption solutions transparent to implement with no or minimum overhead. Even on an individual level, there are a plethora of encryption solutions. We see trends such as moving key stores from files, to central-based solutions such as Oracle Key Vault, making it easier to manage, and ultimately safer.”

Kaspersky Lab Africa’s GM, Riaan Badenhorst agrees. “At Kaspersky Lab we understand that much of today’s data is worth a lot more than it was a few years back. Businesses view data as a lucrative pot of gold and consumers are also very sensitive about their data and what they share online. As such, if they are to protect their data, we can offer proven methods and solutions for both (consumer and business) that can cipher not just one document, but the entire archives and data storage media, both stationary and removable – making it easier and simpler for businesses and consumers.”

Gerhard Oosthuizen, CIO of Entersekt, expands on this, noting, “there are various organisations that are developing amazing cryptographic technology in the background, managing successfully to hide this complexity from the consumer. Unfortunately, there are a lot more companies that have no security backing and are offering a range of services that really should be better protected.”

For those interested in selecting the right solution, Oosthuizen adds that most of the industry standards and regulations are starting to converge around:

• Strong Consumer Authentication (SCA) – something you know, something you have, and something you are – is becoming the norm in terms of best security practices.

• Public key encryption is the way to go, ideally using digital certificates – the technology has stood the test of time, and consumer-friendly implementations are using them behind the scenes to fully secure solutions.

• Mobiles are recognised as providing a great ‘something you have’ element in terms of SCA, together with slick and user-friendly biometric capabilities to satisfy the ‘something you are’ element.

The bottom line is that there are quite a few key management systems on the market to choose from that can offer more advanced levels of encryption, says Mike Resseler, director of product management at Veeam. “The good news is that most leading software vendors have now made strong efforts (such as Veeam) to make the use of encryption as easy as possible for the end-user, but without losing the key characteristic of encryption – keeping your data safe.”

Trusting the cloud

Now that we’ve irreversibly entered the era of storing our data, and sometimes our applications, on other people’s computers, also known as cloud computing, the question is if we can trust our cloud providers to take proper care of our data in terms of security. Even if data in the cloud is encrypted, who holds the keys?

Many cloud services offer data encryption as part of their service, highlighting this as a security value-add. But with the EU’s GDPR and South Africa’s PoPI around the corner, is this a reliable method of data protection?

“It really depends on the individual offering and it’s something that most cloud providers do very well, but there are always exceptions,” notes Resseler. “When asked this question by customers, I always recommend a thorough assessment of each provider’s capabilities. Some will offer what you need, others not.

“As we move data around the cloud and store it in so many different places and services, control of this encryption is vital. Essentially, when you don’t control or own the keys, you’re putting your data and liability in the hands of someone else. If you don’t own the key, then what keeps the provider of that cloud service from reading and/or modifying/using your data without your knowledge (and without the knowledge of the person the data comes from)?”

He believes encryption is such an important business tool now that customers should take control of it themselves. And, as we head towards more multi-cloud strategies of storage, a customer should establish a way to store multiple encryption keys and be able to decrypt its data wherever the data ends up, regardless of which cloud it is in.

One of multiple components

“When it comes to cloud service offerings, it’s a matter of how much you can trust a service provider when you allow them to manage your encryption keys and the most critical asset, your data, in the cloud,” says Badenhorst. “Your cloud model must precisely identify who (a cloud provider or a client) is responsible for what parts of cloud protection.

“But, there is a bigger question to ask here: is cloud native encryption enough to protect your data and cloud workloads? Is it enough, from a cybersecurity standpoint, to encrypt the virtual drive of a single virtual machine (VM), while it is still interacting with multiple others? Does cloud native encryption protect your cloud workloads from ransomware? Is securing it from the outside enough to block threats that arise from the inside? The answer is no.”

He says the reason is that if you need to comply with regulations or just run business workloads in the cloud, there is still a need for a cybersecurity solution that understands the context for each protected workload. “You still need to make sure that you run only trusted apps, make sure that data exchange between cloud workloads is safe and behaves normally. This is a right path to a successful cloud experience. Thus, encryption is good and does help, but additional cloud workload protection solutions significantly increase chances to detect and respond, and enhances cloud security.”

Oosthuizen agrees, noting that you have to create an ecosystem where the keys are controlled and managed, “but this does not require that the user manages this himself”.

No cloud service should be without data encryption, adds Petkovic. “Take Oracle Database Cloud Service, for instance. Most of the security options are offered free of charge, encryption included. It is up to customers to turn it on. With the announcement of Oracle 18c, also known as Autonomous Database, even that decision will be done on your behalf. data residency or simply give peace of mind.”

Encryption solutions available

With the need to encrypt information a given, what solutions are out there for businesses and consumers? Due to the nature of encryption, one can’t simply opt for a free or the cheapest solution and expect it will provide an adequate level of protection. As noted above, some vendors are better at creating hype than secure products. That’s not to say more expensive is necessarily better: there are good free consumer encryption applications out there. It all depends on what you require.

Security is a multibillion-dollar industry that sees thousands of companies competing in the same space, says Oosthuizen. There are many products that work perfectly well for some use cases, but that same product might be ineffective for others. “Unfortunately, one cannot pick a winning solution without looking at a specific scenario: employees vs consumers, banks vs social media, transactional vs login protection, the use case would determine the most optimal solution. As a vendor, Entersekt is, of course, also biased towards what we do and how we solve the authentication challenge in a highly complex and changeable industry.”

Resseler adds that the likes of HyTrust, Vormetric, CloudLink, or SafeNet are all relevant partners in this space for businesses, some with specific solutions to cater for data wherever it is located, not just those in the cloud.

As can be expected, Kaspersky offers a variety of solutions in the encryption space as well as other areas of endpoint security for both the business and consumer markets, including protection against cryptoviruses. Moreover, Badenhorst explains that the Data Encryption module in Kaspersky Total Security is designed for protecting confidential information against unauthorised access and data leakage. “We also have the No More Ransom website, a joint initiative with the goal to help victims of ransomware retrieve their encrypted data without having to pay the criminals.”

The IT security market has advanced to the stage where encryption is no longer something only for PhD candidates, but is available and usable by almost anyone. Petkovic says that virtually any layer of IT infrastructure offers some form of encryption.

“I can’t imagine a service without it,” says Petkovic, noting that “modern CPUs, such as Sparc M7, offload encryption from main CPU cycles, which results in negligible performance overheads and also offers memory protection also known as Silicon Secured Memory – which prevents illegal memory addressing.

“From a consumer perspective you are also spoiled for choice, all you have to do is start using it.”

Finding a solution


Harish Chib, VP Middle East and Africa for Sophos, highlights some key aspects to keep in mind while choosing the right encryption solution for your organisation.

Usability: An encryption solution needs to be simple yet comprehensive. Your encryption product should be easy to set up and deploy, with an intuitive management console.

Multi-platform: Find a solution that covers all types of encryption, including full-disk and file encryption on multiple operating systems like Windows, Mac, Android, and iOS.

Adaptability: You ideally want a solution that protects your data without interrupting your organisation’s workflow and affecting productivity. Your encryption solution should adapt to your workflow and not the other way around.

Independent endorsement: Make sure whatever company you choose for your encryption needs provides ample support and has strong third-party endorsements from industry analysts, reviewers, and customers.

Scalability: As you grow your business, you need an encryption solution that scales with your business. It should also allow for simple key management and enforcement of your data protection policy.

Proof of compliance: In the event that the worst happens, you need to be able to show that your data was protected. If you work in a vertical or location that has specific data protection laws or regulations, auditors will require proof that the data was encrypted.

