Encryption: The Solution to Corporate Breaches?

By Fredrik Lindstrom

In the aftermath of recent breaches, the discussion has centered around encryption of data, more specifically data at rest, that is, data stored in the database. In some cases, experts have stated that if the databases, file archives, etc., had been encrypted, the information would not have leaked. Along the same theme, some laws force companies to encrypt personal information. In a previous blog post I asked whether there was a need for more legislation, but is legislation really effective? Let's examine what encryption can do.

If you compare data to valuables in a bank vault, encryption is the vault itself. The vault most certainly protects the valuables inside it; there is no question about that. However, if you give the bad guys unchecked access to the locked vault for three, six, nine months, or even a year, they will find a way through the vault to the valuables.

The same can be said for encryption and data. If you allow the bad guys to operate on your network for long periods of time, they will find a way to break the encryption. This can be done by pure brute force, by stealing the encryption keys, by impersonating legitimate users, or by a combination of several different methods.

Laptop and mobile device encryption, however, is a different story. You can achieve a reasonably high expectation of privacy by encrypting the devices and configuring the encryption software to wipe the storage after a small number of failed authentication attempts.

Let's go back to data at rest in databases. Encrypting databases, file archives, or other storage is, unfortunately, not the be-all and end-all solution to corporate breaches. However, if properly implemented, encryption will buy you time.

Encryption is not the silver bullet; you still need a network that actively works against the bad guys, that is, a layered defense approach. The appropriate preventive controls should be in place to block access to the data in the first place, the appropriate detective controls should be in place to identify unauthorized access, and corrective controls should be in place to minimize the impact of a breach.

My previous blog posts on data discovery and network design offer a deeper dive into layered defense.