Data-centric Security: Using Information Protection and Control (IPC) Tools to Protect the Data


CONTENTS

Data-Centric Security

Data Leak Prevention

Encryption
    Strengths of encryption
    Weaknesses of encryption
    Approaches to encryption

Homomorphic Encryption

© 2014 Wisegate. All Rights Reserved. All information in this document is the property of Wisegate. This publication may not be reproduced or distributed in any form without Wisegate's prior written permission. There’s a good chance we’ll let you use it, but still: it’s nice to ask first.


In June of 2014, Wisegate conducted a member-driven research initiative designed to assess the current state of security risks and controls in business today. Assessing IT Security Risks addresses many of the top takeaways from that survey. This current document is the third in a new series of reports designed to look more closely at four specific issues highlighted by that survey.

» Metrics and reporting

» Malware and data breaches

» Data-centric security

» Automation and orchestration

Data-Centric Security

More than 100 CISOs indicated that they considered malware and breaches of sensitive data to be the primary security risks/threats, followed by the malicious outsider. See Figure 1 below specifically, and the Malware and Data Breaches report in general for more details. When subsequently asked to specify which of a series of infrastructure controls they would give top priority during the next 3 to 5 years (see Figure 2), there was a clear preference among the CISOs for what can be described as data-centric controls over physical device controls.


Figure 1. Survey Question: What are your top three security risks?

Source: Wisegate June 2014

Figure 2. Survey Question: Which of these Infrastructure controls will be a top priority to you in the next 3-5 years (multiple selections allowed).

Source: Wisegate, June 2014


The most popular response to this question was DLP-style controls followed by application firewalls followed by encryption. “When we asked folks about the various types of controls they could install to protect their companies from those top three risks,” explains Bill Burns, lead author of the Assessing IT Security Risks survey, “what we noticed was that given the choice people were strongly preferring things that protect the data itself rather than protecting the device or the network or the host.” There are numerous reasons for this.

Firstly, while traditional security products evolved to protect devices and the perimeters of trusted networks, the modern IT infrastructure can no longer be so easily defined. Most specifically, there is no longer a defensible perimeter. This is the effect of remote working on personal devices coupled with an increasing use of the cloud for both data storage and software as a service applications.

Secondly, not only is there no specific perimeter to defend, there is also great difficulty in knowing where the data actually resides, or is currently residing. Copies of documents might simultaneously exist on multiple remote laptops or tablets; and the company may not know the geolocation of those devices.

Thirdly, there is increasing acceptance that a persistent targeted attack will eventually breach the network. The combination of

• Zero-day vulnerabilities (unknown and unpatched)
• New or reworked malware (unknown to the anti-virus engines)
• Susceptibility of almost anyone to eventually fall for sophisticated spear-phishing,

combine to ensure that a determined and well-resourced attacker will inevitably get into the network.

Unable to guarantee the integrity of their devices and networks, CISOs are turning towards defending the data itself, using the new category of security controls known as information protection and control (IPC). Broadly speaking (although not exclusively), the protection is provided by encryption technologies while the control is provided by data leak prevention (DLP) technologies. Sometimes both are made available in a single IPC product.

Data Leak Prevention

Data leak prevention (DLP) is possibly the best known and most popular sub-category of IPC products. “DLP in monitor mode,” explains Burns, “is where the control will detect and alert someone that I have just seen a file containing SSNs leave the protected server and go out onto the internet—or I saw this sensitive data file containing credit card numbers leave someone's laptop.” The focus is no longer on locking down access to the device or application—there is an assumption that data will somehow get out. “The focus is now on where is the data, where is it going, and who is using it—rather than just locking the door and assuming that the lock will be sufficient to keep the bad guys outside and the data inside the house.”

DLP was a hot topic a few years ago. “It got cold because it was too complicated,” suggested Burns, “and I think there was a lack of governance. Now I think it is getting hot again because there's more scrutiny from boards of directors, more scrutiny because risk managers are concerned about supply chain risk, and because people say, ‘Well, I may not have control over a server or the desktop—I can't lock it down because it's not mine, it's a third party or a personal device—but if I can get someone, or force someone, to install this DLP control on their device or funnel them on the network through my device, then I can get visibility into sensitive data moving around’.”

One of the issues in using DLP is whether to use it in monitor mode or block mode. Monitor mode simply alerts the security team that something is wrong. Block mode prevents any further movement of the sensitive data. The problem with monitor-only mode is that by the time the security team has seen the alert and closed the door, the horse may have already bolted. Despite this, however, many companies keep DLP for reporting purposes only. Burns explains, “When you're monitoring, typically the alerts go to the security team; so they get extra work, but the user doesn't really see any change. When you put DLP into block mode, that's when you start affecting workflows, behaviors and business processes.”

The usual sequence is for someone to say, ‘We need to install DLP, we need to track our sensitive data.’ “That gets you the budget,” says Burns, “but then people realize, wow, this is a lot of work to configure, and it’s really noisy. A team that doesn't have the wherewithal or the executive sponsorship may simply stop at reporting.” The original plan was probably to monitor for a while and get the configuration right, and only then when the tuning is good to turn on blocking mode. “But they get stuck in reporting mode. We're never going to get 100% accuracy, so at what point are we comfortable? You get into that never-ending quagmire of when do you leave the monitoring phase.” It takes, he added, “a huge amount of energy and focus and executive sponsorship to switch from monitor mode to block mode, because once you start blocking, then you start affecting the users' behaviors.”

The Target breach is a case in point. Its IPC controls (probably not specifically DLP in this instance) provided the alerts, but the process of handling the alerts was not sufficiently established. The simple reality is that monitor mode DLP on its own is not an adequate security control. “You would never want to deploy DLP as a sole defense,” says Burns. “You would like to add it to a mix of layered defense to increase the chances of detecting a problem. So for instance, if you had DLP in monitor mode and it says, ‘This credit card database or file is trying to leave your secure enclave and is heading out to another network where it shouldn't be,’ whether it is in monitor or block that should be a sufficient alarm that says, ‘Gosh, I'd better go look into this.’ You basically want to make the attack as noisy as possible. You don't want someone to be able to silently come in and steal your data—you want to put detectors or alerts or monitors in place at a number of checkpoints, including the data itself.”
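The monitor/block distinction described above, as an added Python sketch that is not part of the Wisegate report or of any DLP product: it scans outbound content for card numbers (Luhn-checked to cut noise) and SSN-shaped values, then either alerts only or alerts and stops the transfer. The `leaves_enclave` flag, the two patterns and the sample file are assumptions made for the illustration.

```python
import re
from collections import namedtuple

# Constructed sample of an outbound file; every value is made up for the demo.
SAMPLE = (
    "name,card,ssn\n"
    "A. Example,4111 1111 1111 1111,078-05-1120\n"
    "order ref 1234 5678 9012 3456, placeholder id 000-12-3456\n"
)

CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")    # 13-19 digits, optional separators
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")  # AAA-GG-SSSS

# allowed: does the transfer go through?  alert: is the security team notified?
Verdict = namedtuple("Verdict", "allowed alert hits")

def luhn_ok(digits):
    """Card-number checksum; rejects most random digit runs, which cuts alert noise."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def ssn_plausible(area, group, serial):
    """Area 000, 666 and 9xx, group 00 and serial 0000 are never issued."""
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")

def find_sensitive(text):
    """Return (kind, masked value) pairs so the alert itself does not leak the data."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(("card", "*" * (len(digits) - 4) + digits[-4:]))
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            hits.append(("ssn", "***-**-" + m.group(3)))
    return hits

def inspect_transfer(text, leaves_enclave, mode="monitor"):
    """mode is 'monitor' (alert only) or 'block' (alert and stop the transfer)."""
    hits = find_sensitive(text) if leaves_enclave else []
    if not hits:
        return Verdict(True, False, [])
    return Verdict(mode != "block", True, hits)

if __name__ == "__main__":
    for mode in ("monitor", "block"):
        print(mode, inspect_transfer(SAMPLE, leaves_enclave=True, mode=mode))
```

In both modes the alert fires on the same two hits; only `allowed` changes, which is why the move to block mode is the step that reaches users and workflows.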

Encryption

The weakness of DLP in monitor mode—and indeed many other security controls—is that while they alert the security team to a potential problem, they do not in themselves secure the data. There is, however, one technology that does this with a very high degree of certainty: encryption. The problem is that encryption currently has limited application, and is very difficult to get right.

Strengths of encryption

» Secures the data. There are encryption algorithms readily available that are generally considered to be unbreakable. Although there are several caveats to this (some algorithms are known to have weaknesses, others have had weaknesses introduced, and the length of the encryption key is critical), a strong algorithm with an adequate key length well implemented will theoretically protect the data forever—wherever it is, and whoever has access to it (provided they don’t also have access to the encryption keys).

» Compliance. Data that has been encrypted is generally considered to guarantee regulatory compliance. In some cases, encryption is specifically mandated by the regulations (such as PCI DSS). In other cases it is not specified by the regulations, but endorsed by the regulators (for example, the UK’s data protection regulator has advised that personal data stored in the public cloud will be in compliance with the Data Protection Act provided that it is encrypted; but that it probably is not in compliance if the encryption keys are stored with the same cloud provider). This leads us to the first major weakness in the use of encryption: key management.


Weaknesses of encryption

» Key management. “The real problem with encryption is key management,” explains Burns: “managing all of the decryption keys and making sure that the right people and only the right people have keys, and that they are renewed when they expire... that’s really hard. It's much harder than managing the encryption.” Encryption works if the implementation is sound and all, but only, the right people have the keys. If the bad people have encrypted data but no keys, they don’t have the data. But if they do have the keys, they also have the data.

» Inability to search data. The biggest practical problem in the use of encryption is that it makes it very difficult to perform operations on that data. Even a simple search operation is difficult because the encrypted target bears no relation to the unencrypted search term. Fixed or permanent data that doesn’t need to be processed (such as archived material) can be encrypted and stored; dynamic application data cannot.

Approaches to encryption

Economic realities are driving companies to the cloud. “The cost of running a server and storing data and operating an application is considerable,” explains Burns: “hence the movement to cloud SaaS applications. So companies are giving away control of their infrastructure; they're turning the capital expense into operating expense and making it consumption-based—which is all good.”

But compliance is also driving companies towards encryption. “Now we're trying to figure out, how do I encrypt that data so that someone that I sort of trust, but not completely (the SaaS application administrators) can have access to the system without having access to my data?”

The solution is to encrypt the data. “If it is extremely sensitive and valuable to the company, we will encrypt that data and make it completely unusable to the SaaS provider. We will make it hard for even ourselves to use that data because we understand that it is extremely valuable and sensitive. If it's not valuable at all, we won't encrypt it. That's the two ends of the spectrum.”

So one of the main problems with encryption is finding the correctly balanced position based on the risk appetite for the data in question. Fundamental to this is keeping the keys and data separately located.

» Third party services. “Somewhere in the middle we may say, we will encrypt the data but we will encrypt it by way of an appliance or a third party application that sits between us and the cloud. Now there will be something in the middle that's going to encrypt our data. We will trust this third party to manage the keys—think of a proxy server for instance that is sitting between us and the cloud storage. When we go through that proxy server it finds our sensitive data and encrypts it on the fly on its way to the cloud. In that case what we’ve done is we’ve moved the risk of key exposure away from the SaaS and on to the third party. If someone really wants to break in and have access to our data they'd have to break into the SaaS to steal the data and then break into the third party to steal the keys. So it raises the cost of the attack.”

» In-house key storage. “If we’re really paranoid,” suggests Burns, “we might entrust the third party to manage the encryption, but keep the key management in-house,” perhaps within a dedicated hardware security module (HSM). None of this completely eliminates the threat, but it makes it more expensive for the bad guys to be successful. “That,” adds Burns, “is the real goal of a lot of security controls—trying to degrade the attackers’ ability, or make the cost so high they go someplace else.”

Homomorphic Encryption

Neither of these approaches solves the basic problem—we cannot manipulate encrypted data. “Let's say we store our encrypted data at Salesforce. Right now, if it's encrypted, Salesforce cannot search the data, they cannot manipulate the data, applications can't do anything with the data—because it's encrypted. To do so they would need the decryption key.”

Here’s the dilemma. “If the goal is to not give Salesforce the decryption keys, then Salesforce is not really very useful. But if I do give Salesforce the keys, then I have weakened my ability to protect my data.”

There is, however, an evolving technology that shows promise: homomorphic encryption. It offers the possibility of searching a database without having to decrypt it. It has been a theoretical possibility for many years, but the problems involved have not yet been fully solved. In 2011, MIT Technology Review¹ noted,

With homomorphic encryption, a company could encrypt its entire database of e-mails and upload it to a cloud. Then it could use the cloud-stored data as desired—for example, to search the database to understand how its workers collaborate. The results would be downloaded and decrypted without ever exposing the details of a single e-mail.

1 Homomorphic Encryption, MIT Technology Review: http://www2.technologyreview.com/article/423683/homomorphic-encryption/


But in December 2013, Bob Gourley wrote for CTOvision²:

I have seen nothing in any of the research that makes me think a solution can be put in place that cannot be defeated by bad guys. And if that can’t be done then the solution will not solve any problems, it will just add processing overhead. So in the end I remain a skeptic regarding any claims of a working fully homomorphic solution.

“The problem,” says Burns, “is that it is extremely slow. But it does show promise.”
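The dilemma in this section, and the earlier point that an encrypted value “bears no relation to the unencrypted search term”, can be shown in a few lines. This added example is not from the report: it uses Paillier, an additively homomorphic scheme standing in for the fully homomorphic schemes the quotes discuss, with a toy key size and constructed amounts. The side without the key can total the stored values but cannot search them.

```python
import math
import secrets

# Toy key from two Mersenne primes; far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1

def keygen(p=P, q=Q):
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lcm(p-1, q-1)
    assert math.gcd(n, lam) == 1
    mu = pow(lam, -1, n)        # inverse of lam mod n; valid for generator g = n + 1
    return n, (lam, mu)         # public key, private key

def encrypt(n, m):
    """Randomised: the same m gives a different ciphertext on every call."""
    n2 = n * n
    r = 0
    while r == 0 or math.gcd(r, n) != 1:
        r = secrets.randbelow(n)
    return (1 + m * n) % n2 * pow(r, n, n2) % n2

def decrypt(n, priv, c):
    lam, mu = priv
    return (pow(c, lam, n * n) - 1) // n * mu % n

def cloud_sum(n, ciphertexts):
    """Untrusted side, public key only: multiplying ciphertexts adds plaintexts."""
    acc = 1
    for c in ciphertexts:
        acc = acc * c % (n * n)
    return acc

def cloud_scale(n, c, k):
    """Untrusted side: raising a ciphertext to k multiplies the plaintext by k."""
    return pow(c, k, n * n)

def cloud_search(n, ciphertexts, term):
    """Naive equality search by re-encrypting the term; it finds nothing."""
    return encrypt(n, term) in ciphertexts

if __name__ == "__main__":
    n, priv = keygen()
    amounts = [1200, 350, 99]                      # constructed sample values
    stored = [encrypt(n, a) for a in amounts]      # what the cloud holds
    print(decrypt(n, priv, cloud_sum(n, stored)))  # total computed without the key
    print(cloud_search(n, stored, 350))            # search fails although 350 is stored
```

Each homomorphic operation here is a modular exponentiation or multiplication on numbers twice the key length, which gives a small-scale view of the processing overhead the quotes refer to.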

2 IBM Claims Advances In Fully Homomorphic Encryption (and I’m claiming advances in an anti-gravity device), CTOvision.com: https://ctovision.com/2013/12/ibm-claims-advances-fully-homomorphic-encryption-im-claiming-advances-anti-gravity-device/


PHONE 512.763.0555

www.wisegateit.com

Would you like to join us? Go to wisegateit.com/request-invite/ to learn more and to submit your request for membership.