Encryption in Age of Advanced Persistent Threats
Strong Tool Against Cyberattacks
"Whether that information is stolen, misplaced, lost or misused, it's protected as long as it's encrypted," Chris Fedde, CEO of SafeNet, a provider of encryption products and services, says in an interview with GovInfoSecurity.com's Eric Chabrow (transcript below).
In years past, encryption was used to protect information in transit. Today, it's used whether the data is at rest or not. Yet some organizations remain unaware of the threats that exist, and recent breaches like the one that hit Sony don't drive home the message that the next target could very well be them.
And part of it has to do with regulations. Institutions will follow through with policies first, requiring them to encrypt certain information like credit card numbers. But they may not be under any type of rule to encrypt birth dates or e-mail addresses.
"Once they learn to encrypt because they don't have a choice, they ... start using encryption in more and more places and getting more and more protection," Fedde says.
In the interview, Fedde discusses:
- How encryption has evolved and is being used differently today than a few years ago.
- Why, despite the recent rash of publicity surrounding website hacks, many organizations don't know they've been breached.
- How encryption can keep the most sensitive data securely stored on a public cloud, including classified military secrets.
Evolution of Encryption
ERIC CHABROW: How is encryption as a technology evolving? What's different today about encryption and how it's used since five or ten years ago? And how will encryption evolve in the coming years?
CHRIS FEDDE: Encryption is evolving in terms of how it's being used against current, imminent threats. Everybody is learning just how insidious the threats are today. The advanced persistent threats are here. They're very sophisticated. They can do tremendous damage, and I think people are learning that encryption is one of the very strong tools that can be used against those advanced persistent threats. And the reason is, once you've encrypted information, whether that information is stolen, misplaced, lost or misused, it's protected as long as it's encrypted. It reduces the proper control of that information to one of how you control the keys, not how you control the information.
Controlling the information itself, protecting it and hiding it, all of those things can be very difficult. That's exactly what sophisticated threats do; they find the information. They get around the walls. They get through the walls. When encryption is used to protect the information, what you have to manage are the keys to the encryption which reduces the field of sophistication needed. And that's how people are using it more and more today, to change the nature of how you protect the information.
CHABROW: Now is that what encryption was doing 10 years ago?
FEDDE: Ten years ago it was used in limited cases. It was used to move information from point A to point B, and that was against the unsophisticated threat, so that you could put information out on public transport mechanisms like the Internet, for example. It was used in a much more limited scope.
CHABROW: It's now geared more toward data at rest. Is that something different than it was 10 years ago?
FEDDE: Yes, it's different. It's now used so that it's independent of whether data is at rest or not. Whether data is at rest or in movement is irrelevant to the encryption itself. That's why it makes it more of a ubiquitous solution to a very sophisticated threat in that manner. It shines a light on the other very relevant aspect, especially in today's environment, which is identification and authorization. Who has access to what information? That is something you read about every time you pick up a newspaper, especially now because there's been some breaches. There have been vulnerabilities due to the way identities are managed, and identity management, authorization and encryption all go hand-in-hand to form today's current methodology of protection against threats.
Recent Breaches
CHABROW: As you just alluded to, encryption has gotten a lot of attention recently, mostly because of files pilfered by hackers that had not been encrypted. For example, I think with the Sony case and the PlayStation breach, it encrypted customer credit card information but not their personal identifiable information. What do you hear from customers and others for reasons why organizations don't fully use encryption?
FEDDE: I would say there are a couple of different answers to that. One is people can be unaware of the threat. It really is surprising. People see other hacks. There have been high-level breaches ever since T.J. Maxx, WikiLeaks and Sony, and people still don't recognize that it applies to them too. Part of that also is these advanced threats are very quiet. Their whole goal is to steal information silently so that the person losing information is unaware of it. People just don't recognize that the threat is real and the target could very well be them. They don't have an appreciation for how imminent, how insidious and how right in their own backyard this problem really could be.
Part of it is if people can find a way to meet regulatory requirements through policy, that's usually their first approach, because that's more comfortable, right? Any organization is used to dealing with policies and used to dealing with government regulations through how they address the rules, regulations and audits. They kind of take that approach first because it's a familiar approach to them; but as we all know, that's not going to protect against the theft of information.
CHABROW: So in other words, they may be under certain requirements to encrypt financial information such as credit card numbers, but they may not be under the same kind of rules to encrypt birth dates, addresses or email addresses.
FEDDE: You bring up a great point there, because right now the PCI requirements require you to actually encrypt certain information, like credit card information. Once you've been forced to encrypt, once the regulations say encrypt this piece of data, that's actually the best learning tool because then people start to use encryption because they have to realize that not only do I have credit card information to protect, I have intellectual property to protect, personal information on my employees to protect. Once they learn to encrypt because they don't have a choice, they are the people that start using encryption in more and more places and getting more and more protection by using encryption technology. It's that first step. How do you encrypt, how do you implement it and what's the benefits of it? That's the first hurdle that people have to get over. They have to understand that's a solution, more than simple policy management.
What to Encrypt
CHABROW: In determining what to encrypt, aren't there situations where if you encrypt a lot of data it makes it harder to perhaps share that information with people who might need it at some point?
FEDDE: Yes. So it's very important to encrypt the sensitive information because if you encrypt things that don't need to be encrypted, you run into a lot of issues. It's harder to share information, or can be anyway. It can slow down your processes. I would say that security in general and encryption in particular should enhance your business processes. You should be able to use encryption. You should be able to use security to make your business processes more efficient, specifically meeting government regulations and things like that. But if you use it wrong and you try to apply it where it shouldn't be applied, then you get in the way of business processes. You get in the way of smooth operational efficiencies. So yes, you need to understand what information should be protected through encryption technologies and then do it very well.
CHABROW: Deciding what information should be encrypted, who in an organization should be making that decision?
FEDDE: As one member of senior management, I think it has to be an executive decision because it ranges from intellectual property to personal information, things like that. Really, you need to be in an executive level within an organization to make a broad determination on what needs to be protected and what really doesn't need to be protected. Obviously, you get inputs from your compliance officer. You get inputs from your IT and your CISO. In my way of thinking, it's an executive decision on the breadth of security requirements within a company.
CHABROW: Is the cost to encrypt becoming prohibitive or less prohibitive these days?
FEDDE: The cost is almost never prohibitive. I think we have found that if you try to meet government regulations through policy and try to meet it through encryption, the costs are comparable and it's sometimes favorable. So it's not a cost issue, in my experience.
CHABROW: What do you say to clients who may want to use your products but have to show sort of an ROI, return on investment, from it? How do you show that you're safeguarding something that could cost you if it were not safeguarded?
FEDDE: You come at it two ways. One is here's the cost of safeguarding information using encryption technologies. Here's the cost of safeguarding information with other technologies. And in the event you have to protect the information, it does boil down to that. There are different ways to do it. What are the costs associated with the various ways?
The second consideration is what's the cost of a breach? Everyone, no matter what business you're in, has to say what the cost of a breach is. Now in the U.S., it's a patchwork of answers. There's not a federal answer to who has to report breaches, or what has to be disclosed. There's not a uniform answer. But a company has to consider, if I have lost information, personal information, intellectual property, what are the consequences? What are the costs of that? And that will always factor into a return on investment also. As anybody who reads the paper knows, the costs of breaches are just going irreversibly skyward. It's a very expensive proposition. We have the threat of losing that kind of information.
CHABROW: Surveys show that most organizations have been breached in some respect. Is encryption an end-all? If you encrypt things, are you safe, or is that a little too simplistic way to approach it?
FEDDE: I'll have to preface it with if it's implemented well. Encryption moves the vulnerability to how do you manage the keys. And I will say that if you've got a professionally designed encryption system, an enterprise that's architected to accommodate encryption systems and is well designed, then the answer is yes. You have, in fact, solved the problem.
Cloud Computing
CHABROW: Interesting. So does this sort of make cloud computing safe?
FEDDE: It can, yes. It'll be prefaced with the same thing. It has to be implemented well. It has to be designed. It can't be screwed in at the end like a light bulb is. It has to be architected in. Encryption is exactly the kind of technology that can make cloud operations safe because it means the security goes with the information. It doesn't have to go through any kind of mechanisms. The security goes with the information. If the information is in the enterprise, it's protected. Encryption protects it. If it's moving outside the enterprise because it's being remotely accessed, stolen or sent to the cloud, the protection goes with it. That's the nature of encryption. And who gets access to it, what keeps that encryption at the proper protective mechanism? It's back to where we were a minute ago. It's who has access to it and how do you know that the person that's accessing it has the rights to access it. You need to have identity and authorization that extend into the cloud so that the key management can extend into the cloud. And if both of those are properly implemented, that information in the cloud can be held there securely.
CHABROW: And does this go for the public cloud, or any type of cloud model?
FEDDE: Yes, it does.
CHABROW: So should the Defense Department feel secure in maintaining very sensitive, classified information on a public cloud if it's properly executed?
FEDDE: Well, you used the word storage, and I would give you an unqualified answer on that. Yes, there are ways that you could store classified information in the cloud. The reason I can say that's an unqualified answer is you're never using that information that's in the cloud. You're simply storing it out there. It's not vulnerable while it's out there. It's only vulnerable or can be rendered vulnerable when you're doing something with it, which in a cloud storage scenario, it's not being acted upon in the cloud. I would say, to answer your question specifically, if you're going to make a blanket statement about the government using clouds with classified information, the answer is no because you really want to run applications in the cloud, cloud computing in the cloud. And there are other layers and other complexities to protecting the information when you're running applications. Doing those in the cloud, at least with the technologies today, that would not be appropriate for classified information.