Throwaway security terms and the danger to businesses

As the headlines continue to be filled with stories of sophisticated cyber-attacks and high-profile data breaches, businesses are beginning to realise that they could easily be the next victim, says Brent Kozjak.

Brent Kozjak, Senior Solutions Architect, Covata

As the headlines continue to be filled with stories of sophisticated cyber-attacks and high-profile data breaches, businesses are beginning to realise that they could easily be the next victim.

This is leading to increased investment in cyber-security – Gartner predicts spending will reach US$ 108 billion (£76 billion) by 2019 – with firms hoping that taking these measures will mitigate the impact such an event can have on their reputation and bottom line.  The problem is that as such news becomes more frequent, the industry is beginning to fall into the common trap of using throwaway security terms.  When terms are used incorrectly or with little thought for their actual meaning or scope, businesses can be lulled into a false sense of security regarding the cyber-security measures they have in place – putting them and their data at risk.

‘End-to-end encryption’ is one such term. Discussion of encryption has intensified with the US and UK authorities' ongoing campaign for encryption back-doors and the objections of the many security experts who have responded, yet the range of things that ‘end-to-end encryption’ can refer to is vast. For example, almost every vendor will implement basic HTTPS. It's easy and encrypts data in transit, but messages aren't encrypted on either the sender's device or the recipient's. That means if either device is lost or stolen, the message remains readable, a big problem if you're sending sensitive information.

At the other end of the spectrum, there's data-centric encryption.  This encrypts data prior to it leaving the original device and being sent to the server, and the recipient must prove their identity every time that they wish to access the information.  Both examples have been known to fit under the umbrella of end-to-end encryption but there's a huge difference between them.  If the industry is using such a broad term to refer to the entire spectrum, companies will believe that the services that they are using to share vital data and sensitive documents are providing more security than they really are.

The term ‘full audit trail’ is another that deserves further scrutiny. Lots of vendors say that they offer excellent auditability and, in the face of ever-evolving data laws such as the upcoming EU General Data Protection Regulation, it's a welcome claim. In many respects, however, when a security solution is taken offline it loses those audit capabilities. If documents are synced to a device which is then taken off the network, the business has no idea who that document is being shown or forwarded on to, meaning a ‘full’ audit trail doesn't exist at all.

Undoubtedly, there will always be times when documents need to be taken offline, but there are also cases when they absolutely shouldn't, for instance, government data that requires a high clearance level to view.  At the very least, organisations need the ability to restrict sensitive data – if appropriate – from being synced or downloaded.  

The challenge of employees taking images of sensitive data is also one that needs to be addressed.  It's incredibly difficult to stop someone taking a photo of a screen other than through physical methods, but organisations do have access to technology that can watermark documents. This distorts the quality of the image and provides a visual way to trace leaks should one take place.

‘Data sovereignty’ is also frequently mentioned and, again, it deserves to be pushed further under the spotlight. If businesses trust their data to a third-party cloud provider, which many do, how their data is bounced around between data centres isn't really known. Without complete visibility of where data is going, businesses have no clue as to what data regulations are currently governing it. While this may have less of an impact if data is kept within the EU, businesses should worry when it goes further afield. For example, the EU-US Privacy Shield has given US firms a legal pathway to transfer data across the Atlantic. With the US's different data regulations and Snowden's revelations, the data of EU businesses may have been viewed by entities it wasn't intended for.

Another challenge of not being able to control data sovereignty is that businesses may not know the level of security of a data centre, potentially increasing the likelihood of a cyber-attack.

Businesses can use encryption to mitigate some of the risk of information falling into the wrong hands. While simple encryption now barely represents a challenge for sophisticated hacking tools, more advanced alternatives that integrate geolocation and key fragmentation are a much more effective way of preventing snooping by the bad guys or even security forces. Geolocation enables businesses to see exactly where their data is, empowering them to deny access if they believe it to be in a particular country where accessing it could pose a risk. Key fragmentation means a business can choose to split a key into four, with all custodians needing to be in agreement before the key can be issued.
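The four-custodian arrangement described above can be illustrated with a simple all-or-nothing XOR split; this is an added example, not code from the article or from any vendor's product. The function names, the custodian names and the hash-based check value are assumptions made for the illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

CUSTODIANS = 4  # the article's "split a key into four"


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _check_value(key: bytes) -> bytes:
    # Assumed design: a hash of the random, high-entropy key lets the
    # release step verify a rebuilt key without the key being stored.
    return hashlib.sha256(b"key-check:" + key).digest()


def split_key(key: bytes, n: int = CUSTODIANS) -> tuple[list[bytes], bytes]:
    """Split key into n XOR fragments; all n are required to rebuild it."""
    fragments = [secrets.token_bytes(len(key)) for _ in range(n - 1)]
    last = key
    for frag in fragments:
        last = _xor(last, frag)
    fragments.append(last)  # XOR of all n fragments equals the key
    return fragments, _check_value(key)


def release_key(submitted: dict[str, bytes], check: bytes,
                n: int = CUSTODIANS) -> bytes:
    """Issue the key only when every custodian has supplied a fragment."""
    if len(submitted) != n:
        raise PermissionError(f"only {len(submitted)} of {n} custodians agreed")
    frags = list(submitted.values())
    key = bytes(len(frags[0]))  # all-zero starting value
    for frag in frags:
        if len(frag) != len(key):
            raise ValueError("fragment has the wrong length")
        key = _xor(key, frag)
    if not hmac.compare_digest(_check_value(key), check):
        raise ValueError("fragments do not rebuild the original key")
    return key


if __name__ == "__main__":
    data_key = secrets.token_bytes(32)  # constructed sample key
    frags, check = split_key(data_key)
    holders = dict(zip(["alice", "bob", "carol", "dave"], frags))  # hypothetical
    print(release_key(holders, check) == data_key)
```

Because each fragment except the last is uniformly random, any three fragments together are statistically independent of the key; only the fourth makes it recoverable.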

Ultimately, it's the duty of the industry to scrutinise terms to the level that they deserve and use them responsibly. Companies, too, can no longer take a laissez-faire, tick-box approach and assume that they are receiving the most advanced security. Businesses must analyse how security terms are applied and how they protect the business in the event of a security attack, discovering exactly to what extent they are protected.

Contributed by Brent Kozjak, senior solutions architect, Covata