Decrypting encryption

February 2018 Editor's Choice, Information Security, Integrated Solutions

Given all the news about data theft and hacking, security breaches and identity theft, encryption is a topic that has moved from the realm of high security into everyday life. We are told we should encrypt sensitive data in transit and at rest – while it is being transferred to someone else as well as while it is sitting on a computer, server or mobile device.

The issue with encryption is that it requires users to take responsibility for their own security, firstly by encrypting and decrypting their data (which can be automated), and, secondly, by managing their own encryption keys.

When you rely on a company to encrypt your data, it may prevent third parties from intercepting and reading your messages, but the key-holder still has access to those messages. So if your cloud provider has your key, they have full access to your data. The only way to keep your encryption secure is to keep and manage your keys yourself.

As part of our enquiry into this year’s cybersecurity trends, Hi-Tech Security Solutions asked a few IT experts for their insights into the state of encryption today. First off, we wanted to know whether encrypting your data is now mainstream, in the sense that many companies are using it, and how far the market has come in making encryption simple for the business and solo user.

Made for the mass market?

Dragan Petkovic, security product leader ECEMEA at Oracle, explains that encryption is one of the easiest technical controls to implement and a number of organisations opt for it as a quick-win since it requires minimum human intervention. “It has been used for decades and it leaves me speechless that some organisations are still not using it to protect their confidential data. Oracle has made big efforts to make its encryption solutions transparent to implement with no or minimum overhead. Even on an individual level, there are a plethora of encryption solutions. We see trends such as moving key stores from files, to central-based solutions such as Oracle Key Vault, making it easier to manage, and ultimately safer.”

Kaspersky Lab Africa’s GM, Riaan Badenhorst, agrees. “At Kaspersky Lab we understand that much of today’s data is worth a lot more than it was a few years back. Businesses view data as a lucrative pot of gold and consumers are also very sensitive about their data and what they share online. As such, if they are to protect their data, we can offer proven methods and solutions for both (consumer and business) that can cipher not just one document, but the entire archives and data storage media, both stationary and removable – making it easier and simpler for businesses and consumers.”

Gerhard Oosthuizen, CIO of Entersekt, expands on this, noting, “there are various organisations that are developing amazing cryptographic technology in the background, managing successfully to hide this complexity from the consumer. Unfortunately, there are a lot more companies that have no security backing and are offering a range of services that really should be better protected.”

For those interested in selecting the right solution, Oosthuizen adds that most of the industry standards and regulations are starting to converge around:

• Strong Consumer Authentication (SCA) – something you know, something you have, and something you are – is becoming the norm in terms of best security practices.

• Public key encryption is the way to go, ideally using digital certificates – the technology has stood the test of time, and consumer-friendly implementations are using them behind the scenes to fully secure solutions.

• Mobiles are recognised as providing a great ‘something you have’ element in terms of SCA, together with slick and user-friendly biometric capabilities to satisfy the ‘something you are’ element.

The bottom line is that there are quite a few key management systems on the market to choose from that can offer more advanced levels of encryption, says Mike Resseler, director of product management at Veeam. “The good news is that most leading software vendors have now made strong efforts (such as Veeam) to make the use of encryption as easy as possible for the end-user, but without losing the key characteristic of encryption – keeping your data safe.”

Trusting the cloud

Now that we’ve irreversibly entered the era of storing our data, and sometimes our applications, on other people’s computers, also known as cloud computing, the question is whether we can trust our cloud providers to take proper care of our data in terms of security. Even if data in the cloud is encrypted, who holds the keys?

Many cloud services offer data encryption as part of their service and highlight it as a security value-add. With the EU’s GDPR and South Africa’s PoPI around the corner, is this a reliable method of data protection?

“It really depends on the individual offering and it’s something that most cloud providers do very well, but there are always exceptions,” notes Resseler. “When asked this question by customers, I always recommend a thorough assessment of each provider’s capabilities. Some will offer what you need, others not.

“As we move data around the cloud and store it in so many different places and services, control of this encryption is vital. Essentially, when you don’t control or own the keys, you’re putting your data and liability in the hands of someone else. If you don’t own the key, then what keeps the provider of that cloud service from reading and/or modifying/using your data without your knowledge (and without the knowledge of the person the data comes from)?”

He believes encryption is such an important business tool now that customers should take control of it themselves. And, as we head towards more multi-cloud strategies of storage, a customer should establish a way to store multiple encryption keys and be able to decrypt its data wherever the data ends up, regardless of which cloud it is in.

One of multiple components

“When it comes to cloud service offerings, it’s a matter of how much you can trust a service provider when you allow them to manage your encryption keys and the most critical asset, your data, in the cloud,” says Badenhorst. “Your cloud model must precisely identify who (a cloud provider or a client) is responsible for what parts of cloud protection.

“But, there is a bigger question to ask here: is cloud native encryption enough to protect your data and cloud workloads? Is it enough, from a cybersecurity standpoint, to encrypt the virtual drive of a single virtual machine (VM), while it is still interacting with multiple others? Does cloud native encryption protect your cloud workloads from ransomware? Is securing it from the outside enough to block threats that arise from the inside? The answer is no.”

He says the reason is that if you need to comply with regulations or just run business workloads in the cloud, there is still a need for a cybersecurity solution that understands the context for each protected workload. “You still need to make sure that you run only trusted apps, make sure that data exchange between cloud workloads is safe and behaves normally. This is a right path to a successful cloud experience. Thus, encryption is good and does help, but additional cloud workload protection solutions significantly increase chances to detect and respond, and enhance cloud security.”

Oosthuizen agrees, noting that you have to create an ecosystem where the keys are controlled and managed, “but this does not require that the user manages this himself”.

No cloud service should be without data encryption, adds Petkovic. “Take Oracle Database Cloud Service, for instance. Most of the security options are offered free of charge, encryption included. It is up to customers to turn it on. With the announcement of Oracle 18c, also known as Autonomous Database, even that decision will be done on your behalf. data residency or simply give peace of mind.”

Encryption solutions available

With the need to encrypt information a given, what solutions are out there for businesses and consumers? Due to the nature of encryption, one can’t simply opt for a free or the cheapest solution and expect it will provide an adequate level of protection. As noted above, some vendors are better at creating hype than secure products. That’s not to say more expensive is necessarily better; there are good free consumer encryption applications out there. It all depends on what you require.

Security is a multibillion-dollar industry that sees thousands of companies competing in the same space, says Oosthuizen. There are many products that work perfectly well for some use cases, but that same product might be ineffective for others. “Unfortunately, one cannot pick a winning solution without looking at a specific scenario: employees vs consumers, banks vs social media, transactional vs login protection, the use case would determine the most optimal solution. As a vendor, Entersekt is, of course, also biased towards what we do and how we solve the authentication challenge in a highly complex and changeable industry.”

Resseler adds that the likes of HyTrust, Vormetric, CloudLink, or SafeNet are all relevant partners in this space for businesses, some with specific solutions to cater for data wherever it is located, not just those in the cloud.

As can be expected, Kaspersky offers a variety of solutions in the encryption space as well as other areas of endpoint security for both the business and consumer markets, including protection against cryptoviruses. Moreover, Badenhorst explains that the Data Encryption module in Kaspersky Total Security is designed for protecting confidential information against unauthorised access and data leakage. “We also have the No More Ransom website, a joint initiative with the goal to help victims of ransomware retrieve their encrypted data without having to pay the criminals.”

The IT security market has advanced to the stage where encryption is no longer something only for PhD candidates, but is available and usable by almost anyone. Petkovic says that virtually any layer of IT infrastructure offers some form of encryption.

“I can’t imagine a service without it,” says Petkovic, noting that “modern CPUs, such as Sparc M7, offload encryption from main CPU cycles, which results in negligible performance overheads and also offers memory protection also known as Silicon Secured Memory – which prevents illegal memory addressing.

“From a consumer perspective you are also spoiled for choice, all you have to do is start using it.”

Finding a solution

Harish Chib.

Harish Chib, VP Middle East and Africa for Sophos, highlights some key aspects to keep in mind while choosing the right encryption solution for your organisation.

Usability: An encryption solution needs to be simple yet comprehensive. Your encryption product should be easy to set up and deploy, with an intuitive management console.

Multi-platform: Find a solution that covers all types of encryption, including full-disk and file encryption on multiple operating systems like Windows, Mac, Android, and iOS.

Adaptability: You ideally want a solution that protects your data without interrupting your organisation’s workflow and affecting productivity. Your encryption solution should adapt to your workflow and not the other way around.

Independent endorsement: Make sure whatever company you choose for your encryption needs provides ample support and has strong third-party endorsements from industry analysts, reviewers, and customers.

Scalability: As you grow your business, you need an encryption solution that scales with your business. It should also allow for simple key management and enforcement of your data protection policy.

Proof of compliance: In the event that the worst happens, you need to be able to show that your data was protected. If you work in a vertical or location that has specific data protection laws or regulations, auditors will require proof that the data was encrypted.


