The Office of Personnel Management and UCLA Health have both been under fire in the media this summer for failing at one of the most universal standards for data security: encryption.
The security industry is in dismay that these sophisticated government and healthcare organizations overlooked the importance of encrypting sensitive patient and employee information.
Why doesn’t everyone just encrypt everything? Wouldn't that stop all these breaches?
Well, no. And in both of these cases, the reason for the organizations’ failure to do so is far more complex than most acknowledge.
Don’t get me wrong. Encryption is a fantastic thing. If you encrypt a database or a file, you can’t decrypt it unless you have or guess the right keys, and guessing the right keys can take a long time. It’s a great preventive control mechanism, and it may be the only logical control that survives the loss of physical possession: even if someone holds the storage device that contains the data, they still can’t read what’s inside.
So why not encrypt everything? It’s not that simple. Let’s put aside the computational overhead that encrypting everything would require. That’s a very real, practical problem, but it’s not nearly as big as another problem – managing all those encryption keys.
It’s pretty simple when only one person needs to decrypt data – one person, one key. But that’s not why we built networks, file shares, and the web. We built these technologies to share data with co-workers, our business partners and our customers. Having a file you can’t share is like having a dollar you can’t spend. It’s a frozen asset.
In order to share and collaborate with a lot of people using encrypted data, you need to manage a lot of encryption keys, and decrypting files needs to be painless enough for the end users so they can access the files when they need them. Also, don’t forget that in order to have search or data classification, applications need to be able to decrypt files, too.
Managing encryption keys requires the same effort as managing other preventive controls in the digital world, like access control lists, for example. Someone needs to regularly review who has access to what data, and revoke access for those who no longer require it. Organizations have a very difficult time doing this with access control lists without automation to help – 71% of employees report they have access to data they don’t need, according to a recent study from the Ponemon Institute.
It’s certainly possible to correctly configure your access control lists and achieve and sustain a least privilege model, but that’s the hard part with preventive controls – getting them right. It doesn’t really matter which preventive control mechanism you’re using.
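To make the analogy concrete, here is an added example (not code from the article or from Varonis) that models a file encrypted once under a random data key, with that key wrapped separately for each person allowed to read it, so that the set of wrapped keys is the file's access control list. The HMAC-based wrap, the `EncryptedFile`/`stale_access` names, and the user, file and date values are all constructed for illustration.

```python
import hashlib
import hmac
import os
from datetime import date

def wrap(data_key: bytes, user_key: bytes, nonce: bytes) -> bytes:
    # Toy key wrap for illustration: XOR the data key with an HMAC-derived pad.
    # A real deployment would use AES Key Wrap or the recipient's public key.
    pad = hmac.new(user_key, nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data_key, pad))

unwrap = wrap  # XOR with the same pad undoes the wrap

class EncryptedFile:
    """A file encrypted once under a random data key; each reader holds a wrapped
    copy of that key. The dict of wrapped keys is, in effect, the file's ACL."""

    def __init__(self, name: str):
        self.name = name
        self.data_key = os.urandom(32)
        self.key_tag = hashlib.sha256(self.data_key).digest()[:8]  # detects a wrong key
        self.wrapped = {}    # user -> (nonce, wrapped data key)
        self.last_used = {}  # user -> last date the user unwrapped the key

    def share(self, user: str, user_key: bytes, today: date) -> None:
        nonce = os.urandom(16)
        self.wrapped[user] = (nonce, wrap(self.data_key, user_key, nonce))
        self.last_used[user] = today

    def open(self, user: str, user_key: bytes, today: date) -> bytes:
        if user not in self.wrapped:
            raise PermissionError(f"{user} holds no key for {self.name}")
        nonce, wrapped_key = self.wrapped[user]
        key = unwrap(wrapped_key, user_key, nonce)
        if hashlib.sha256(key).digest()[:8] != self.key_tag:
            raise PermissionError(f"wrong key for {user}")
        self.last_used[user] = today
        return key

    def revoke(self, user: str) -> None:
        # Removing the wrapped key is the ACL change; a user who already cached
        # the data key can still read old copies, so strict revocation also
        # needs re-encryption under a fresh data key.
        self.wrapped.pop(user, None)
        self.last_used.pop(user, None)

def stale_access(files, today: date, max_idle_days: int = 90):
    """Access review: (file, user) pairs whose key has gone unused too long."""
    return [(f.name, u) for f in files for u, last in f.last_used.items()
            if (today - last).days > max_idle_days]
```

Sharing the file with ten people means ten wrapped keys to track, and the review in `stale_access` is exactly the "who still needs this?" question that access control lists demand.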
As a practical example, I’m told that in some government agencies employees have a smart card that they plug into their computers that automatically decrypts the files appropriate to their security clearance. This works well because these encrypted files are never supposed to be shared with anyone outside the government (or who doesn’t have one of these card/computer combinations). Users don’t have to work very hard to decrypt, access and share the files they need, though the users and the organization still need to make sure the right files are encrypted (even in these agencies, not all files are encrypted because, with petabytes of information, it’s still not practical).
Finally – and this is probably the most important limitation to consider – even after your preventive controls are perfect, some trusted people will still need access to data, and organizations need to watch and analyze how they use it. User behavior analysis – along with other types of detective controls – is the only way you can protect your organization from the inevitable failure of its preventive controls.
Trusted insiders will break bad, their accounts will be compromised and they’ll download malware. Encryption alone won’t help, but you can see these things if you’re watching.
About the Author
David Gibson is a vice president at Varonis, a data protection company. David studied physics at Duke University and earned a BM in classical composition from the New England Conservatory of Music. He has more than 17 years of experience in IT as a systems and sales engineer, having worked for Time Inc. and Tripwire.