I was looking at some statistics from WordPress, which hosts this blog. Four of the top five most popular posts on this blog are about encryption in the Cloud; these are the posts you have read the most. Thank you.
I did these four as a series in early 2011: Encryption in the Cloud, Encryption in the Cloud: Data-in-Motion, Encryption in the Cloud: Data-at-Rest, and Encryption in the Cloud: More Data-at-Rest. Although these posts are two years old, they are still important. The most recent Verizon Data Breach Investigations Report shows that attacks are still occurring, the attackers are getting smarter, and one-quarter of the attacks were targeted at specific companies and government agencies.
The reason to use encryption remains the same: under most breach-notification laws, data that was encrypted is exempt from reporting requirements, provided the key was not compromised along with it. That thumb drive with your customers' account information that was stolen? No problem, assuming you did not store the encryption key on the same thumb drive. More importantly, a good encryption product will actually protect the data, making the cost to the attacker of recovering it higher than the value to be gained.
Encryption still carries costs. It may include product cost, but it always adds administration cost and time cost. In addition, encryption and decryption take CPU time, which may mean extra processing capacity to meet your response-time goals.
Data-in-motion is your data as it moves from your facility across the Internet to your Cloud Service Provider (CSP), moves around inside the CSP between servers or between servers and storage, or even moves out to other service providers. It includes data moving through Local Area Networks (LANs), Wide Area Networks (WANs), storage networks and, of course, the Internet. The Cloud extends the distance these networks span and probably the number of such networks.
The most recent Verizon report looked at where data was when it was stolen, and reported that none was taken from data-in-motion. However, data stolen from data-at-rest or data-in-process still has to get to the attacker, and that will usually be as data-in-motion. If you rely on a simple data-in-motion encryption mechanism like SSL, understand what it does not do: it protects whichever connection the application opens, but it does not decide who may talk to whom. An attacker or malware on your network can therefore bypass it by sending plaintext, or use it, opening its own SSL session to an outside server and carrying your data out, encrypted, past your monitoring. Ideally you would use a data-in-motion encryption mechanism like the Unisys Stealth Solution which forces all communications through the encryption product and prohibits communication with unknown endpoints, whether inside or outside your organization.
The U.S. Department of Defense is taking a new approach to protecting classified information on networks, the Commercial Solutions for Classified (CSfC) program run by the NSA. It allows defense organizations to use commercial encryption products for highly classified information instead of extremely expensive, hard-to-manage, limited-use products. CSfC uses a layered approach: two independent commercial encryption layers, one tunneled inside the other, so that a flaw in either layer alone does not expose the data.
Data-at-rest is your data as it is stored. It can be stored in a controlled environment like a SAN (Storage Area Network), NAS (Network Attached Storage) or the hard disk drives in servers. It can also be stored in less controlled places like the disk drives in workstations, laptops, tablets, PDAs and smart phones, and in totally unmanageable places like CDs, DVDs, thumb drives and smart cards. As with data-in-motion, the Cloud extends the places your data is "resting" and who has access to it, without your knowledge.
Verizon reported that two-thirds of all successful attacks accessed data-at-rest, usually within databases. Most databases hold unencrypted data, primarily because of the time cost of encrypting and decrypting it. Many Cloud Service Providers (CSPs) offer encryption of data-at-rest as an extra-cost option. Many CSPs insist that they control the encryption keys, and some use one key per physical storage device. In a public cloud, that one device might hold data from several to hundreds of different CSP customers, all encrypted under the same key. If the CSP controls the key, your data is much more vulnerable: normal operational and maintenance functions (backups, disk replacement, support access) expose it, and an attacker or a government action aimed at any of those other customers may expose it too. If you control the keys, and the CSP only ever sees ciphertext, those risks are significantly diminished. The price is that you must then manage those keys securely yourself: protect them from theft, rotate them, and above all not lose them, since losing the key loses the data.
Data-in-process is your data while it is actually being processed inside a server or workstation. The data could be in memory, in cache, or in registers inside the CPU. Normally we don’t worry very much about that. This is data that is changing quickly, usually coming and going at microsecond time scales, and data that disappears when power goes away.
Verizon reported that one-third of all successful attacks were against data-in-process, usually through malware like RAM scrapers, screen scrapers or keyloggers. These programs copy what is in the computer's memory, take "screen shot" pictures of what is on the screen, or record every keystroke you type. The captured information is then sent out over the Internet to the attacker.
This data cannot practically be encrypted today, and is not likely to be in the near term: the processor has to see plaintext to operate on it. There are two defenses: keep the malware out of your systems, or detect it as early as possible, and do not let the malware send the data out. The first is the easier one to start on: install, and keep updated, a good malware protection product on every workstation and server, knowing that it will not catch everything. The second is harder, but can be done with products that force encryption on all data-in-motion and restrict where data can be sent, so that an unexpected destination is blocked rather than merely logged.
As always, security has to be reasonable. There is no value in paying for encryption products that are more secure than your business needs. There are a lot of decisions to make as you adopt or expand your encryption policy. Make them intelligently. Do not impose ridiculous requirements on your employees, customers and partners just because you can.
But the most important security issue remains people. Make sure yours are properly vetted, periodically trained on your security policy and practices, and aware of the risk to your company if those are violated. Keep their roles up to date and limit their access to the data they have both the right and the need to access.
The last word:
I have written about electric utility companies' smart meters. Smart meters allow the electric company, governments and almost any company with a few dollars to find out when you are home, when you turn on unusual equipment at your company or operate at unusual hours, or when you are burning the midnight oil in the office because of a new project or major problem. Since these meters communicate wirelessly, and probably not very securely, that information is available to pretty much anyone. The electrical industry wants to install them on every home and most businesses in the US. I suggest you go to RefuseSmartMeter.com and procure one of their stickers and put it by your meter. Take a date-stamped picture of the sign on your meter. It is not clear that the sticker will actually work, but it and the picture you took do provide some supporting evidence when you file a complaint with your state public utilities commission and your local government. RefuseSmartMeter.com sells the stickers in packs of 25 for $28.00, so get together with friends and neighbors.
Alternatively, you can expect the DEA to come visit when you have your grow lights on for spring vegetable seedlings in your basement. And the DEA does not knock, nor apologize.
Your electric company will provide this information to almost any government agency without telling you they have provided it, thanks to the Patriot Act. In addition, electric companies have a lousy record of data security. In a 2011 Ponemon Institute study, 76% of energy companies had suffered at least one data breach in the previous twelve months.
Keep your sense of humor.