Last year's slew of criminal data breaches made it clear that the perimeter has fallen and the privacy of our data is at risk – whether that be passwords and credit cards or celebrity pictures and corporate secrets, while government agencies from China, Russia and the west continue to demonstrate vast intelligence surveillance capabilities. One of the most effective responses for corporations, governments or individuals is to take a data- centric approach using encryption, potentially making data useless to intruders, or at least, raising the cost of access. Late last year SC Magazine UK editor in chief Tony Morbin interviewed Alan Kessler, president and CEO, Vormetric, to get an industry view on issues in the commercial encryption market.
Kessler told SC that the industry is experiencing significant growth on a global basis, with an increased appreciation of the importance of encryption as a technology, as a way to protect information in a much broader way than traditionally embraced in the past. Vormetric itself registered some 30 percent growth in 2014 over 2013 - approximately double the growth rate of the previous year.
While encryption technology has existed for quite some time, previously its use was largely driven by compliance and mandate, often for specific isolated environments within organisations – a database here, certain files there. Kessler explains that a major trend now is to encrypt as much as possible. He describes how organisations increasingly appreciate that the adversary seeking to steal your data, attack your brand and damage your organisation is now able to get inside your network – no matter how much money you spend or how hard you try. That has resulted in organisations taking a very data-centric security approach and major organisations are now using encryption not just for some of their data for compliance, but almost all of their data.
Another driver is seeking to harness the economic advantages of cloud computing, whereby major savings can be achieved through hosting applications and databases in someone else's cloud, with Kessler noting, “As organisations move information to the cloud they are concerned not just with trusting their own employees who might be managing the data, but also they now need to be concerned about the employees and the environment of the cloud service provider as well. So embracing and accepting cloud is also a driver for what we do and how we do it.”
In the wake of US government demands that Microsoft hand over data on its servers in Dublin, Kessler agreed that regulatory requirements could undermine cloud usage, saying: “It is a concern to some organisations who want to host data in the cloud and then fear that a government entity might be able to demand the cloud service provider turn over and share data. In fact the approach that we use for infrastructure as a service, data protection – to host your database or application in a public cloud or hybrid cloud – our approach allows the user to control the keys, and to keep anyone within the cloud service provider from actually seeing their data. So in that type of configuration you can host information in a cloud service provider like Rackspace using Vormetric, and Rackspace can never see the data, and if the government comes to Rackspace and says, turn over the data, Rackspace can turn over the information, but that information is cipher-text, its unreadable and undistinguishable, and the only way that that entity can see the data is to come to you, the customer, who is the rightful owner and controller of that data. And only you can decide whether to share the key.”
This still leaves potential concerns about backdoors being made available to government, an issue that Kessler was adamant did not apply to Vormetric. “The encryption algorithms that we use are based on industry standard algorithms, they're 256 AS256 128 and because they're based on a public algorithm, they're under a lot of scrutiny. There are a lot of hackers that will try and attack the algorithm and that of itself makes sure that its actually a stronger approach. So the basic encryption technology, the mathematics if you will – we are extremely confident in – because of the approach that we use. With regard to how we manage the keys and the control of that information, we subject our solution to incredible amounts of security and vulnerability testing, to make sure it's quite secure.
“There are certain government agencies around the world who have evaluated our technology to make sure it's extremely secure and often they will make suggestions to us to help enhance that.
“There is a level of trust with the customers – that we have no backdoors in our solution, and that's something we are committed to. And given the financial organisations, the government agencies around the world that use us, it's incredibly important to have that level of trust and confidence.”
In fact Vormetric has been a critic of encryption companies cooperating with governments in this way, with Kessler telling SC: “There was some controversy and we were extremely vocal in this regard. (There was)Discussion about the algorithm that RSA used, and it turns out that that's an algorithm and approach that we don't use and our default was to not use that, so none of our customers were exposed to that approach. We have never been approached by the (US) government and asked to provide any access or backdoors – we simply just wouldn't do it.
“The governments with their computing power, any state sponsorship might have the ability to break encryption, anyone's encryption. But if they want to invest in that approach with their super-computing capabilities, that something that they do on their own, certainly with no help from us.”
SC also raised the issue of attempts being made to break Tor, including by law enforcement agencies seeking to locate evidence of law-breaking, particularly in relation to child pornography, and asked, how do you react to critics who would condemn those who don't help governments locate criminals and terrorists and those who might harm us?
Kessler responded: “I would help the government by helping them protect their most sensitive information, so the adversary can't obtain access to that information and do damage to the government. So more of a defensive than offensive approach. There are different points of view – we serve international organisations. When I was at HP where I was responsible for a networking security business unit that did quite a bit of research on the kind of network security vulnerabilities that can be exploited. But as an international organisation it was inappropriate for us to share that information in any way with any government – and that's just a discipline that we needed to have. I am not going to help one friend who might use that information to harm another friend. I can't be a facilitator of that.”
Another issue raised was divergent international regulatory approaches to privacy, and whether the new European Data Protection Act and punitive fines would finally drive people to take security seriously, or was it an imposition too far for businesses?
Kessler agreed that to some degree it would help (his company's) business. But he added: “The way we view what we do, I like to say that there are three people you don't want to see in your office; one would be a regulator from government, second might be someone from Human Resources, and the third, someone trying to sell you security. People laugh, because what (our) industry does is provide a service and products that customers don't buy because they want to buy them, but because they have to buy them. Someone or something is motivating them. So our approach and our differentiation is to deliver products and services a way that is the most simple and cost-efficient so that an organisation can select our platform and solve the greatest number of use cases for the lowest cost. That's our approach and our strategy. As organisations feel more pressure through more privacy regulation, they have to stand back and look at the economics of how they are going to accomplish this given their budgetary requirements. Our approach is to make that as painless as we can.”
Spending wisely is clearly the key for any CIS0, but more spend does not come with any guarantees that there will be no further breach. So SC asked, how does a CISO justify additional security cost?
“I put myself in the role of a CEO of a major enterprise that has just been breached, and (a journalist) has just put a microphone in my face as I walk out of my office and asks a very direct question and I want to be in a position to have done the appropriate, responsible thing. And it doesn't mean that what I have done is perfect, and there are no guarantees, but what I want to do is to have done what is industry practice, commonly accepted and considered the appropriate measures. And for more and more of our customers this is simply encrypting as much information as they can, and reducing the attack surface to that information. Like being chased by the bear in the woods, you don't have to be faster than the bear, you need to be faster than the other guy.”
But is implementing industry best practice and meeting compliance requirements enough? Kessler responds: “As a CEO I'd never want to answer that I was implementing a strategy that was just meeting compliance requirements because we all know that compliance does not mean security. The adversary is moving so quickly, technology is moving so quickly, compliance requirements are always behind the times. So I would answer, that of course we've met the compliance requirements – and we've done more. We've encrypted all sensitive data, we're using advanced techniques to appreciate and understand intrusion on the network – and yet, as you see, around the globe, the number of breaches is increasing. So it's about having the appropriate balance and leaning forward enough without falling down, as you spend so much money and do so much creating an intrusive environment for your customers or your employees to be able to do business, or there are second order effects from the security that are damaging to the business and the brand.”
While there was agreement that security in general shouldn't get in the way of doing business, some would even ask whether the focus on technical fixes such as encryption missed the point, which is that the focus ought to be on defending against social/human approaches that sidestep encryption, as encryption is rarely at fault in breaches. It was acknowledged that an adversary will often enter the network through phishing and malware is installed on an end system, such as a PC, and that malware moves horizontally through the network and tries to gain privilege as a higher privileged user in the network, often as a Root user – someone who has complete control of the server. However Kessler notes: “Our approach actually limits the control of what that user can do, so we focus a lot on policy. For example, we allow a Root user to do their job, but never see the data. So in a situation where a Root user becomes compromised, and the information is protected by Vormetric, we've dramatically reduced the risk and the attack surface. So you're right, it's not just encryption, it's also understanding and controlling the attack surface in relation to privilege and identity of individuals entering the network. We see a significant interest in improved identify management for example. Are you who you say you are? Eg, using two-factor authentication and identification. And then our approach, once someone has been authenticated, is deciding what are they allowed to see and under what circumstances. That's where we use encryption as a control mechanism to limit what they can see under which circumstances – and we log a lot of information that is available to data analytics tools to help you understand what's happening to your data and what your privileged users are doing within your network.”
Providing extra security for a company's ‘Crown Jewels' or the setting of false trails to lead away from more valued assets are among other security option open to defenders, but Kessler says: “We're not involved in obfuscation in the sense of trying to trick – though our technology could be used by our customers to do that. But some would argue – and one of the reasons customers are increasingly trying to encrypt everything – is typically, when you only encrypt some things and the adversary finds that out, there's typically a reason why you encrypt it – it's a high value target – and the adversary finds that out and can focus their attack.”