IT system downtime can be costly for any business, even when it's planned. But downtime needn't always be the result of a system outage; sometimes it can be due to implementing processes around data security such as encryption.
Compliance requirements and best practices are increasingly calling for organisations to encrypt and control access to sensitive data however and, as recent headlines remind us, an increasing number of external actors are using stolen or compromised credentials to access all types of valuable, personal or financial data.
Indeed, according to a recent report, compliance requirements were considered a top spending priority, with compliance believed to be effective at preventing data breaches. But while compliance regulations can provide a data security blueprint, and new threat detection and analysis tools and techniques can offer insight into anomalous behaviour and help prevent such attacks from being escalated, none of these will yet deter determined attackers from finding a way in. There isn't the same level of investment in data-at-rest approaches to defence, such as file and application encryption, however, despite being proven to be effective at protecting data once attackers have bypassed perimeter defences.
However, with encryption - as with most areas of security - there exists a trade-off: the greater the degree of protection offered, the greater the complexity. And the sheer volume of potential use cases that may require encryption, not to mention the variety of encryption techniques available, only add to this complexity.
In motion and at rest
The use of encryption can be broken down into two broad groups: the protection of data-in-motion and the protection of data-at-rest.
The first is used to protect data transmitted between networks, and includes virtual private networks (VPNs), Secure Shell (SSH), and the embedded web security protocol HTTPS. The latter group includes a wide variety of technologies and use cases, ranging from full disc encryption for protecting laptops and hard-drives from theft or loss, to file-level encryption and access controls used to address system-level attacks and insider privilege abuse. In addition, data-at-rest defences include the use of application-layer controls such as encryption, tokenisation, and data masking to protect against higher level attacks such as SQL injection and rogue database administrators.
What's more, many of the encryption products currently available are specifically designed for particular platforms or operating systems – which means organisations interested in adopting a comprehensive encryption strategy are required to deal with a growing assortment of individual products and vendors.
It's little wonder then, that current attempts at implementing an encryption strategy can lead to potentially costly downtime.
Change is here
Fortunately, companies need not stay stuck in the past. There's a growing awareness that traditional security tools are no longer sufficient in preventing multi-layer attacks from penetrating even the most hardened networks. In addition, greater use of public cloud resources will reveal the limitations of legacy tools in an environment in which organisations are effectively relinquishing control of the infrastructure that supports their data. As a result, data-at-rest encryption is only set to rise in prominence.
As organisations appreciate the limitations of traditional security approaches, and as data breaches become more widely accepted as a hazard of the modern corporate world, it's likely that data security will soon become a critical part of a comprehensive security strategy. And as part of this, encryption must be considered as more than simply box-ticking for compliance purposes, or for protecting laptops and USB drives from loss or theft.
Of course, as encryption grows in popularity, it will likely lead to a wealth of single-function products designed to address a widening range of different specific use cases. And this, in turn, will just add to the current levels of complexity.
To avoid this additional complexity, as well as the cost and drain on internal resources that will accompany it, organisations should consider vendors whose solutions can address a broad variety of use cases, and reduce complexity through automation and multiple deployment options. Indeed, it's perhaps unsurprising that there has been a recent emergence of service-based encryption offerings, and this is only set to increase in coming years.
Data is at risk like never before and, while organisations know they should be taking steps to protect it, they're being held back by cost and complexity; especially when implementing data security solutions can potentially bring their IT systems to a standstill. Only by breaking down these barriers, and embracing solutions which address a wide variety of use cases and incorporate elements of automation, can data be fully protected, whether at rest or on the move.
Contributed by Peter Galvin, VP of strategy, Thales e-Security