Question: Aside from eliminating sensitive data from your business process, what are two things you can do to eliminate much of the risk of a data breach?
Answer: Application-Level Encryption and Strong Authentication.
While we all recognize that encrypting sensitive data can protect you, most people—even in the security business—don't realize that not all encryption is equal. Even if using NIST-approved algorithms with the largest key sizes available, data can still get breached. How is that possible?
When encrypting data, all else being equal from a cryptographic point of view, two design decisions matter:
Where is data being cryptographically processed?
How are cryptographic keys managed?
If data is encrypted/decrypted in any part of the system—the hard disk drive, operating system, database, etc.—other than the business application using that data, significant residual risks remain despite the encryption. An attacker need only compromise a software layer above the encrypting layer to see unencrypted (plaintext) data. Since the application layer is the highest layer in the technology stack, this makes it the most logical place to protect sensitive data as it affords the attacker the smallest target. This also ensures that, once data leaves the application layer, it is protected no matter where it goes (and conversely, must come back to the application layer to be decrypted).
The second design decision of encryption is how you protect cryptographic keys. If you use a general purpose file, keystore, database, or device to store your keys, this would be the equivalent of leaving company cash in a general purpose desk or drawer. Much as you need a safe to store cash in a company, you need a purpose-built "key management" solution designed with hardened security requirements to protect cryptographic keys. These solutions have controls to ensure that, even if someone gains physical access to the device, gaining access to the keys will be very hard to nearly impossible. If the key management system cannot present sufficiently high barriers, even billion-dollar companies can fail to protect sensitive data—a lesson that is certainly being played out somewhere even as I write this!
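The two design decisions above, as an added Go example that is not part of the original answer: the application encrypts a card number with AES-GCM before the value reaches the storage layer, so the (constructed, in-memory) table only ever holds ciphertext, and the key is generated and kept inside a stand-in for a purpose-built key manager that the application can only ask to seal or open data. The KeyManager, StoreCardNumber and ReadCardNumber names are assumptions made for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// KeyManager stands in for a key management system: it holds the key, the application only asks it to seal/open.
type KeyManager struct{ aead cipher.AEAD }

func NewKeyManager() *KeyManager {
	raw := make([]byte, 32) // AES-256 key; it never leaves this struct
	if _, err := rand.Read(raw); err != nil {
		panic(err)
	}
	block, _ := aes.NewCipher(raw) // fixed 32-byte key, so no error path
	aead, _ := cipher.NewGCM(block)
	return &KeyManager{aead: aead}
}

// Seal returns nonce||ciphertext||tag (AES-GCM); aad binds the blob to its context.
func (km *KeyManager) Seal(plaintext, aad []byte) ([]byte, error) {
	nonce := make([]byte, km.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return km.aead.Seal(nonce, nonce, plaintext, aad), nil
}

// Open fails on a truncated blob, a flipped bit or a mismatched aad.
func (km *KeyManager) Open(sealed, aad []byte) ([]byte, error) {
	n := km.aead.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("malformed ciphertext")
	}
	return km.aead.Open(nil, sealed[:n], sealed[n:], aad)
}

// StoreCardNumber encrypts inside the application before the value reaches the (constructed,
// in-memory) table. The customer id is the AAD: a blob copied into another row will not open.
func StoreCardNumber(km *KeyManager, db map[string][]byte, customer, pan string) (err error) {
	db[customer], err = km.Seal([]byte(pan), []byte(customer))
	return err
}

// ReadCardNumber is the only way back to plaintext, and it runs in the application layer.
func ReadCardNumber(km *KeyManager, db map[string][]byte, customer string) (string, error) {
	pt, err := km.Open(db[customer], []byte(customer))
	return string(pt), err
}
```

Anything that reads the table below the application (a database dump, a disk image) sees only the sealed blobs; decryption requires both the application path and the key manager.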
While cryptography tends to get complex and the details might seem burdensome, it is important to recognize that an encryption solution provides the last bastion of defense against determined attackers; it is well worth a company's time to give it the proper attention and not attempt to invent it themselves.
Conversely, the first line of defense should be strong authentication. Strong authentication is the ability to use different cryptographic keys combined with secure hardware (in the possession of the user) to confirm that the user is who they claim to be. While digital certificates on smart cards have provided such capability for over two decades, they are expensive and not easy to use or support, even in highly technical environments. A standards group (fidoalliance.org) is attempting to simplify this problem; many solutions have already made it to market, with successful deployments already under way.
Between application-level encryption on the back end and strong authentication on the front end, even if an attacker manages to slip past network defenses—as they always seem to do—they will have little wiggle room to compromise sensitive data. While no security technology is absolutely foolproof, implemented correctly, ALESA (application-level encryption and strong authentication) raises the bar high enough to "encourage" the vast majority of attackers to move on to easier targets.