It’s hard to imagine an organization of any kind having to deal with the level of backlash the NSA has had to since the spring of 2013.
Between revelations about backdoor links into Internet giants like Google and Yahoo to the mass data collection program known as PRISM, and, more recently, spying via gaming platforms such as Second Life and World of Warcraft, it’s understandable that a majority of the public—68% according to recent polls—believe the NSA violates the privacy of some Americans with its intelligence-gathering techniques.
The public outcry may be warranted, as Bruce Schneier has well documented, and many concerns related to these egregious (and likely unconstitutional) privacy and security violations certainly need to be addressed.
But the truth is that for enterprise security folks, the threat to our privacy and data is not the NSA. It’s the hacktivists, criminal organizations and rogue insiders who are using increasingly sophisticated techniques to gain access to our corporate intellectual property.
If there is a silver lining to the NSA story, it’s that it brings visibility to the issue of data security. SaaS applications—where software and data is centrally hosted in the cloud—and physical devices like servers, notebooks and cell phones can collect and store data at an unprecedented scale. This data comes in all shapes and sizes, so it’s important to understand what technologies exist to secure the data and how policies are defined and enforced to protect it.
A Mandate For Encryption
It’s time to stop talking about the NSA and shift the conversation to how we can all be better stewards of our customers’ sensitive business data—from collection and analysis to storage and beyond.
There are a number of security measures organizations can take to protect material information. Foremost among them is data encryption, a time-tested method that, when deployed properly, can ensure inappropriately accessed data cannot be used against you.
Simply put, data encryption takes perfectly readable information and scrambles it in a manner that no person or program can read or make sense of without proper permission. A variety of choice open source and commercial encryption utilities exist on the market today. If you're in the market for at-rest encryption, make sure to use a NIST-approved standard with a strong key length, like AES-256.
Encryption itself is relatively simple to implement. Managing the encryption keys, however, can be much trickier. Encrypting data is similar to locking your door or keeping an ATM card in your wallet. It provides some level of security, but its effectiveness is tied directly to the user’s access to and control over the keys. Hackers know this, so rather than attempt to "unscramble" the encrypted data, which is virtually impossible with today's compute power, they instead target the keys.
If anyone obtains your encryption keys without authorization—whether it be a hacker, rogue insider or even an unwitting system admin who works for your cloud provider—they will have carte-blanche access to your data. It’s no different than writing your PIN on the front of your ATM card or buying an industrial-strength lock and leaving the key in the door.
Subpoenas Drive New Security Concerns
Beyond hackers, a growing concern for companies is the risk of data exposure resulting from subpoena.
Too often in cloud environments, the data owner will store the key in the cloud, alongside the encrypted data for easy access. This practice creates a sizable security risk because if a cloud or SaaS vendor is subpoenaed, they’ll be compelled to hand over your data. It also falls short of the security requirements needed to comply with HIPAA, PCI and most other data security regulations.
One way an organization can keep data private and maintain control over their keys is by encrypting data locally before it goes into the application or cloud. The problem with this technique is you can’t fully utilize the applications you’ve invested in, because others in your organization aren't easily able to read and act upon the encrypted data.
Instead, make sure the SaaS providers you work with offer data at-rest encryption and allow you to manage and even revoke the keys as necessary. It’s the best way to ensure data in the cloud remains actionable, while giving you ultimate control over who and what can access it.
Traditional key management utilities, such as hardware security modules (HSMs) that manage digital keys in a physical strongbox, have been around for a decade or more, and so weren’t designed to work in and across cloud environments. Instead, HSMs were built for enterprise data centers where a single organization owned and operated all the computing assets. The rapid ascent of public and hybrid cloud computing has rendered these traditional utilities obsolete.
Today, the reality is that companies are managing their keys and certificates in disparate, often insecure “buckets.” This practice creates operational inefficiencies, unnecessary expense and security risks.
So how do you safely store data at-rest in the cloud, and prevent unauthorized access to your encryption keys? Here are a few best practices for managing and safeguarding encryption keys:
- Do not store encryption keys on the same server as the encrypted data. Instead, use a key management service that separates the keys from the data.
- Establish and enforce key access policies. If cloud providers, system admins, or even root users don't need access to the encrypted data in order to do their job, ensure that management policies restrict their access to the keys.
- Set key rotation policies. A good way to ensure a lost or misplaced key doesn't result in data exposure is to frequently change the key properties.
The bottom line is, whomever controls the key controls the data. If you don’t want your SaaS provider looking at your data, don’t let them manage your keys.
Three Groups That Need To Get Security Right Now
Everyone plays a role in data security but the following groups must make it a priority:
- Cloud and SaaS providers. Make encryption a best practice for data at-rest and in-motion and allow clients to control their own keys.
- IT professionals. Stop storing unencrypted data in the cloud. If the data is valuable to your business, it’s probably valuable to someone with ulterior motives as well.
- C-level. Demand accountability. You will be the one calling your customers if their data gets exposed. It’s a lot easier to ask questions of your security team now than to answer to customers and shareholders after a breach.
Focus On The Fundamentals
If the NSA has taught us anything, it’s that the risk to most corporate data isn’t government spying. It’s insiders like Snowden and Private Matthews or a physician who loses his iPad containing unencrypted patient records.
These “people” risks aren’t going to disappear, but we can reduce their potential damage by making better use of the security tools we have at our disposal, such as enforcing strong passwords, maintaining up-to-date patches, applying granular access controls, separating encryption keys from the data they’re meant to secure, and so on.
The PRISM story isn’t going away, but my hope is that the narrative begins to evolve from what the NSA did to how we can better secure our information-age assets.
Lead image courtesy of Shutterstock