The false promise of blanket encryption
Why data needs to be inspected before it's put under lock and key
With cyber-attacks on the rise and compliance with regulatory regimes like HIPAA and GDPR becoming more urgent, businesses have been turning to encryption as a catch-all tactic to ensure IP and personal data are protected.
Make files unreadable to outsiders, the thinking goes, and breaches can be severely minimized if not stopped entirely.
On the surface it makes sense, but dig a bit deeper and blanket encryption throws up a host of management issues – and vulnerabilities.
A solution with issues
Blanket encryption relies on encryption keys to give legitimate users access to files. But like passwords, keys have one serious drawback – they are all-or-nothing. If someone gets hold of the key, they get access to the files.
So the keys themselves become targets. Encryption just shifts the vulnerability from the vault to the key cupboard.
To overcome that weakness, systems have been developed that delete keys when the signs of attack are identified. But the layering on of new tools to address the weaknesses of what came before means added complexity, and potential interference with normal operations.
With blanket encryption, IT managers must ensure that approved users have access to keys when they need them. Coordinating access and configuring devices for both on-premises and remote access consumes a great deal of time and resources.
Fitting encryption protocols to existing applications is another challenge. End users have to be trained to operate software using encrypted data, and collaboration within teams can be severely curtailed when everyone requires shared access to an encrypted file.
A gift to hackers
Cyber-criminals actually see encryption as an opportunity. Since most attacks start with a phishing scam that convinces an approved user to download an infected file or malicious code onto company systems, encryption provides a sort of mask for malware.
More often than not malicious code is already encrypted by the criminal before being deposited onto the network. IT teams have to go to significant lengths to identify the content of any given file. That allows malware to blend in with everything else on company systems protected by blanket encryption – and gives cyber-criminals time to move laterally around the network, quietly looking for data assets they can exfiltrate undetected.
If encryption doesn’t work, what should organizations do?
An effective alternative to blanket encryption is intelligent inspection of data in motion, or content-aware discovery for data at rest, which assesses and classifies data before it is encrypted. By limiting the amount of encrypted data on a system, content-aware discovery can actually use encryption to root out malicious files.
Traffic moving through the network is inspected along with the files contained within. If the encryption of a file prevents inspection, that's a sure sign it's foreign to the system – and suspicious. DLP protocols then kick in to isolate or discard the file before it can release its payload or exfiltrate data.
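As an added illustration of the content-aware approach described above (example code written for this edit, not code from the original article or from any vendor product), the following Python script sketches the decision pipeline: identify each file, scan inspectable content against a small DLP-style policy, mark only what is classified as sensitive for encryption, admit files produced by the organisation's own sanctioned encryption process, and quarantine opaque high-entropy blobs that cannot be inspected. The `ORG-ENC-v1` container header, the sensitive-content patterns, the entropy threshold and the sample files are all constructed assumptions, not values from the article.

```python
"""Content-aware classification before encryption (added example, not from the article)."""
import hashlib
import math
import re
from collections import Counter
from dataclasses import dataclass

# Constructed marker for the organisation's sanctioned encryption format.
# A real deployment would recognise its own container format (or consult
# key-management metadata); this header is an assumption for illustration only.
SANCTIONED_MAGIC = b"ORG-ENC-v1\x00"

# Magic-byte signatures for formats the inspector knows how to open.
KNOWN_MAGIC = {
    b"%PDF-": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
    b"PK\x03\x04": "zip",
}

# Constructed patterns standing in for a DLP policy; a real policy would be
# far larger (card numbers, health identifiers, classification labels, ...).
SENSITIVE_PATTERNS = [
    re.compile(rb"\b\d{3}-\d{2}-\d{4}\b"),  # US SSN-shaped token
    re.compile(rb"\bCONFIDENTIAL\b"),
]

OPAQUE_ENTROPY = 7.5  # bits/byte; random or well-encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def identify(data: bytes) -> str:
    """Best-effort type from magic bytes or a text heuristic; 'opaque' otherwise."""
    if data.startswith(SANCTIONED_MAGIC):
        return "sanctioned-encrypted"
    for magic, kind in KNOWN_MAGIC.items():
        if data.startswith(magic):
            return kind
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return "opaque"
    printable = sum(ch.isprintable() or ch in "\r\n\t" for ch in text)
    if text and printable / len(text) > 0.95:
        return "text"
    return "opaque"


@dataclass
class Assessment:
    name: str
    kind: str
    entropy: float
    verdict: str  # store | encrypt | allow | review | quarantine
    reason: str


def assess(name: str, data: bytes) -> Assessment:
    """Apply the targeted-encryption policy to one file."""
    kind = identify(data)
    ent = shannon_entropy(data)
    if kind == "sanctioned-encrypted":
        return Assessment(name, kind, ent, "allow", "encrypted by the approved process")
    if kind == "opaque":
        if ent >= OPAQUE_ENTROPY:
            # Resists inspection and is not one of ours: isolate it (the DLP step).
            return Assessment(name, kind, ent, "quarantine",
                              "cannot be inspected and is not a sanctioned container")
        return Assessment(name, kind, ent, "review", "unrecognised low-entropy binary")
    # Inspectable content: classify it, and encrypt only what the policy flags.
    # (A real pipeline would extract text from PDFs/archives before matching.)
    hits = [p.pattern.decode() for p in SENSITIVE_PATTERNS if p.search(data)]
    if hits:
        return Assessment(name, kind, ent, "encrypt", "sensitive content: " + ", ".join(hits))
    return Assessment(name, kind, ent, "store", "no sensitive content found")


def pseudo_random_bytes(seed: bytes, length: int) -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain) standing in for ciphertext."""
    out, block = b"", seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:length]


# Constructed sample files (no real data).
SAMPLES = {
    "memo.txt": b"Team lunch is at noon on Friday. Bring your own mug.\n",
    "hr-record.txt": b"Employee SSN: 123-45-6789. Handle as CONFIDENTIAL.\n",
    "report.pdf": b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n",
    "payroll.enc": SANCTIONED_MAGIC + pseudo_random_bytes(b"payroll", 4096),
    "invoice.bin": pseudo_random_bytes(b"unknown-origin", 4096),
}


def assess_all(samples=SAMPLES) -> dict:
    """Verdict per file name, so the pipeline's outcome can be checked."""
    return {name: assess(name, data).verdict for name, data in samples.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        a = assess(name, data)
        print(f"{a.name:14} {a.kind:22} H={a.entropy:4.2f}  {a.verdict:10} {a.reason}")
```

The check on the sanctioned container is what makes the targeted approach work: once the only encryption in use is the organisation's own, anything else that resists inspection stands out instead of blending in, which is the point the article makes about malware hiding under blanket encryption. The entropy threshold and the raw-byte pattern matching are deliberately simple; a production pipeline would unpack archives, extract text from documents and apply a full DLP policy before deciding what to encrypt.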
By implementing a targeted, as opposed to blanket, approach to file encryption, system managers are able to maintain clarity of system assets and more accurately identify attacks and breaches while they’re underway.