Nigel ThorpeTechnical Director
Losing the Human Touch to Protect Data
26 Jul, 2020
Human nature means that we tend to default to the easiest option when faced with difficult and serious issues, and this can be the case when it comes to securing our data and information systems.
In the early days of information security, we focused on preventing access to the data we valued. We installed firewalls to protect our perimeters and bought anti-virus software to identify and prevent malware that might sneak through. If we had taken a more data-centric approach from the start, maybe we would have avoided many of the breaches that have hit the headlines over the last 30 years.
Encryption has been around for centuries and used by the Greeks and Romans to protect information if it fell into the wrong hands. Protecting electronic data has proven to be a more complex problem and it is us humans again who have been the Achilles heel of most encryption solutions.
Humans were never meant to worry about data security or having to make decisions about what is important to encrypt and protect and what is not. What was needed at the very start was a philosophy that makes security an inherent property of data that is Invisible from those who generate and use it every day. Inherent and Invisible security allows users to act as normal without rules or technology to ‘get around’ that would introduce risk.
It’s not too late though: most encryption solutions rely on symmetric encryption which uses the same key to encrypt and decrypt. Public Key Infrastructure (PKI) enables Asymmetric Encryption which uses two keys: a public key to encrypt and a unique private key to decrypt. PKI encryption allows for simple and natural file sharing across user groups, networks and in the cloud.
This is a major advantage, but individuals will find other ways of achieving something if the ‘proper’ way is difficult, so PKI-based encryption has to be both inherent and invisible to avoid these risks. This can be achieved by making the encryption processes work at the file system level so that humans aren’t even aware that they’re going on.
In addition, tightly binding authentication with encryption of the data inside the files ensures that even if information falls into the wrong hands – whether by accident, through insider theft or by malware attack – it remains encrypted and useless to anyone.
Technically, PKI-based file encryption is a complicated process and is a slow and mathematical task which takes many processor cycles. However, modern CPUs include some dedicated instructions for encryption operations, eliminating performance problems and user frustrations.
The other important factor is that there must be no disruption to the way people and applications work. For example, data must remain encrypted at all times on disk, even when files are being edited. If an unauthorized individual attempts to open a file that is not encrypted for them, they will then find that the data is unreadable – even if they take a copy of the file outside the network.
So, how is it different?
There are plenty of encryption systems on the market, but full disk encryption systems like BitLocker, for example, only protect data when the system is switched off so anyone or anything can access any file on a running system.
File and folder encryption, as well as data classifications, rely on the user making a security choice. Users must actively choose to encrypt files and remember additionally to delete the originals. This method assumes the user or administrator will make the right classification choice. If everything is encrypted, however, the need to make user decisions is removed and individuals cannot also decide not to encrypt some data.
By building authentication into each file alongside encryption we can be sure that only authorized individuals can access the data. This approach defeats insider data theft because any stolen information remains encrypted and therefore useless once outside the control of the organization.
This individual security shield is maintained on every file, no matter how it is used, where it is stored and on which media it is copied. That means even if someone has the correct ID, password and token, and has the authority to open a file encrypted with their public key, the file still remains encrypted.
What about the admins?
In conventional encryption, privileged users such as IT administrators are still able to access information, which presents a risk. With authenticated encryption, admins can still do their job, but they will be unable to decrypt files they do not have the authority to open.
It is also irrelevant where files are copied because each one has its own inherent security. To have access to any of the data, the administrator needs the file, the user credentials, their private key and the decryption filter. As a result, it is not possible to decrypt a file outside of the organization, even if an individual is authorized to decrypt the file when at work.
Mind the gap
It’s time to take a fresh look at data security. Rather than trying to fill in the security gaps to protect the increasingly disparate perimeter defenses, we need to take a data-centric approach to security and protect it at the most basic level, which is the file at rest, in use or in motion. We need to step back from solutions that protect some of the data some of the time, focus on compliance rather than security, or add complexity that can introduce risk itself.
Most importantly, we need to remove the human element of data security entirely, rather than try to account for it or change it. Training and monitoring doesn’t work all the time and human nature has shown that if the solution is not instinctive or logical, we will create our own, insecure methods. How many people leave the front door key under the pot by the door?
People should be able to work just as they want to or need to, without additional considerations and obvious pressures and similarly, usability needn’t be sacrificed to strengthen our data security.