Protecting Data when it is Most Vulnerable

Jerald Ray Article

Most organizations understand need to protect data against cyber-attacks and data breaches by using encryption. Unfortunately, even the most well-informed and well-intentioned fail to encrypt their data when and where it is most vulnerable. Too often, they are not getting the protection they think they are when implementing full disk encryption or when told by email hosts, cloud storage and communication service providers that their data is encrypted and secure.

Encryption is not a single technology, tool, or solution. Many products are designed for certain tasks and data types, but an effective implementation of encryption needs to protect data when it is most vulnerable. The most well-known forms of encryption are those protecting volumes of files when they are stored and entirely dormant. But data is most vulnerable and valuable when it’s accessible, in transit, or in use. That’s precisely when volume-level encryption tools lose any and all effectiveness or utility.

Data at rest vs. data in transit vs. data in use

Data exists in three states: at rest, in transit and in use. Data at rest is stored in a digital form on a physical device, like a hard disk or USB drive. Data in transit is digitized information traversing a network, such as when sending an email, accessing data from remote servers, uploading or downloading files to and from the cloud, or communicating via SMS or chat. Data in use is information actively being accessed, processed or loaded into dynamic memory, such as active databases, or files being read, edited or discarded.

While there are various crossover points among the states, data must be protected in all three and during their transitions from one state to another. When a vendor or cloud service provider claims that data is encrypted on its servers, that doesn't mean it is protected in all three states.

Full disk encryption: seat belts in a car that doesn’t move

Full disk encryption would suggest that every file and activity on that disk is encrypted and secure. In reality, it’s simply physical hardware security that only protects data when the host computer is either not logged in or not turned on. Imagine seatbelts that only work when a car is parked – when passengers are at their least vulnerable.

Full disk encryption protects data when a computer or cell phone is stolen or lost and someone attempts to physically access the contents. But few, if any, well-known data breaches have come from physically stolen computers. End-user machines are attacked remotely when running and disks are mounted. Servers and network devices are prime targets and they are almost always running. So, using full disk encryption would be pointless.

But vast amounts of data are transmitted across networks and over the air when there are no hard disks to encrypt and beyond any full disk encryption. Third-party intercepts, or man-in-the-middle attacks, occur outside controlled environments, making data in transit highly vulnerable. For example, attackers can use sniffer tools to capture data as it traverses a wired or wireless network in real time. They can then read any data not encrypted, including passwords, credit card numbers, etc. When data is in transit, another type of encryption is necessary, the most well-known being SSL/TLS (secure sockets layer/transport layer security), which secures most Internet traffic in HTTPS format. Many other encryption variants protect Wi-Fi data streaming and cell phone traffic.

The various states of data, and the transitions amidst them, all require protection and encryption remains among the best options. But confusion and complexity can arise when each data state demands a different method of encryption, quickly leading to fear when the notions of losing keys or forgetting passwords come to mind.

The problem with password-based encryption

When people think of encryption, they think of keys. And to access those keys, passwords always seem to be involved. Full disk encryption requires a password that unlocks the key that decrypts files on the disk as they are accessed. However, user-defined passwords play no role in cell phone calls or online purchases using HTTPS, both of which rely heavily on encrypted data streams.

Passwords and the fear of forgetting them or making weak ones stop many organizations from using encryption for all data states. Worse still, that fear compels them to use encryption only on a limited subset of the most sensitive data, leaving everything deemed innocuous plain and vulnerable.

Password-based encryption typically relies on a single symmetric key to encrypt and decrypt data. Efficient, lightweight and relatively easy to manage, symmetric key encryption is useful for rapid transactions, such as card payments. The data being processed is encrypted and only that same secret symmetric key can decrypt it. Often, that secret symmetric key is protected or even generated by a password.

Yet passwords have become one of the weakest forms of security because users choose easy to recall or easy to type passwords. When forced to use complex or limited duration passwords, they write them down or use easily guessed words, phrases, or patterns. Even when passwords are complex, users can be coerced or socially engineered into disclosing them or providing access to password manager-type applications.

Additionally, sharing a password with another party to exchange symmetric key-encrypted data is challenging. Often, the password is sent via the same communication medium as the file. For example, an encrypted email attachment is followed by a second email containing the attachment’s password, making it more vulnerable, even if that password is meant to be used only once.

Password-based, or symmetric key encryption, doesn’t enable seamless and secure file sharing or transport; so is not a good fit for securing data in transit. While it may protect data at rest, it does nothing for data in use. This is where asymmetric key pairs make more sense.

How to protect data in all three states

Whereby symmetric key encryption uses a single secret key to encrypt and decrypt, public key or asymmetric key encryption employs a key pair comprising a secret private key and a public key. Mostly, the public key encrypts data while the private key decrypts. Since the public key is just that, it can be freely distributed to anyone, enabling seamless sharing. Without the private key, data encrypted with the public key cannot be decrypted, making it safe for data in transit and data at rest.

Cloud computing is becoming more ubiquitous, but security tools are lagging behind and aren’t suited to protecting new environments designed to handle data that is constantly in transit. That is evidenced by the staggering numbers of data breaches on cloud infrastructure. One solution is to deploy encryption solutions that use a public key infrastructure to seamlessly protect data. Public key encryption does not require passwords or other secrets to be shared. Private keys remain private and can seamlessly decrypt data encrypted with the corresponding public key.

As well as data in transit to and from the cloud or at rest on cloud servers, data is in use by active databases or cloud-based applications. Technologies such as hashing and tokenization can encrypt certain fields of an active database, while file-level encryption based on public key infrastructure can protect even large databases, even allowing them to be accessed by authenticated users.

Beyond protecting data in use, file-level encryption also ensures data is encrypted as soon as a file is created or transferred across the network. Furthermore, that encryption persists regardless of where the file goes—whether moved to another drive, archived on backup media, or stored in the cloud. Combining the benefits of public key encryption with file-level encryption covers all three states of data. And by encrypting the packets in transport to create secure connections, such as SSL/TLS, those data streams not in a file format can also be protected.

When is encryption truly effective?

There’s no point only protecting data when it is least vulnerable, as does full disk encryption, or adding burdensome or inconvenient security measures, like complex passwords and password policies. Data with any value is active, in transit, or accessible, making it highly vulnerable to user error or malicious attacks – precisely when encryption must work. And file level encryption based on public key infrastructure over secured connections accomplishes that, ensuring data is always protected at rest, in use, and in transit.

Encryption tools of various shapes and sizes can effectively prevent data loss or breaches, regardless of data state. But it's not enough to point to the existence of some form of encryption and claim data and systems are secure. Wherever data resides, is processed, or travels, the appropriate encryption solution must be there. Continuing the seatbelt metaphor, users—and data—must be ‘belted up’ throughout the entire journey, especially when the roads are rough, crowded and fast.