The Art of Data Protection
Jennifer Dean, August 19, 2015, 03:40 pm EDT
The use of mobile devices in the workplace is a trend driven by employees who want to choose and use their own technology, as well as by executives seeking higher productivity, anytime/anywhere access and increased job satisfaction for an on-the-go workforce. The bring your own device (BYOD) trend is pervasive and not going to slow down. Gartner predicts that by 2017 half of employers will require employees to supply their own device for work purposes, and employees like that idea. According to a global workforce study, employees value device freedom over a higher salary.
The rapid growth of the mobile movement has many IT teams scrambling to bring enterprise mobile security in line with current corporate standards. The ubiquitous corporate badge, with certificate-based PKI authentication, is still one of the most reliable methods to secure your employees and protect your data from unauthorized access. But mobile device security creates unique challenges because mobile devices lack embedded card readers or USB ports.
So how do organizations that use PKI extend the same level of security to their mobile workforce? For enterprises that already use a corporate smart card badge or token, implementing a wireless solution would allow employees to use their existing smart cards with any mobile device. Bluetooth is the only connectivity channel implemented across different endpoints, so it would be able to authenticate on any device. By providing a Bluetooth authentication solution, enterprise IT can expand the protection of PKI while allowing employees the anywhere, anytime convenience of mobile. In addition to providing a second factor of authentication, PKI over Bluetooth enables employees to digitally sign sensitive documents and encrypt email while on the go.
For enterprises using traditional cards, a wearable badge holder equipped with Bluetooth Smart acts as the card reader. The user simply pairs the badge holder with their mobile device, much like pairing a mobile phone with a Bluetooth-enabled vehicle. Once the devices are paired, the smart card is recognized and processed just as when it is inserted into an internal reader on a laptop. The same technology exists for enterprises using USB smart tokens; in this case the chip is installed into a Bluetooth-enabled token that acts as the chip reader. Pairing with mobile devices works the same way as for the badge holder.
As enterprise mobility continues to increase, corporate IT must keep up with demand and provide employees with anywhere, any-device access without disregarding corporate security compliance. Too often, security standards are relaxed or ignored for mobile users because solutions are limited for many devices. Bluetooth Smart is a viable technology that enterprise IT can readily integrate into an existing corporate badge ecosystem, and it addresses the need to balance security and mobility.
Sharon Ginga, August 12, 2015, 04:45 pm EDT
With the rapid emergence and adoption of more technologies that enable workforce mobility, enterprises face even greater security challenges, including how to unshare and protect their sensitive data. A variety of enterprise mobile security solutions address some of these problems, but there is no overarching silver-bullet solution that covers everything.
At Gemalto, we provide enterprises with the tools and solutions they need to deploy a defense-in-depth strategy that protects data from the edge to the core. But what does that mean for the mobile workforce in a world where the lines between home and work, and certainly the devices we use to connect to them, are blurred?
At the front end, or edge, are solutions such as two-factor authentication that ensure only authorized users can access the data, and much of this blog series focuses on those aspects of enterprise mobile security. Certainly strong authentication is the foundation: it gives the right people access to all the information they need while keeping the bad guys out.
But what happens behind the scenes, at the back-end or core?
The essential components of securing data at the core are encryption and key management. From the physical and virtual data center to the cloud, your organization’s sensitive data needs to remain protected, compliant, and under control, regardless of where it resides. Whether you are talking about BYOD or standard-issue devices, your data connects back (or it certainly should) to your corporate databases, applications, storage systems, virtualized platforms, and cloud environments. If not, you’ll have other issues with backup and disaster recovery to deal with too.
So what can you do to protect your data at the core while enabling mobility?
Start by identifying your most sensitive data assets, whether it is the data that enables enterprise mobility or other data in your organization, and locate where it resides in your on-premises data center and through to your extended data center (cloud and virtual environments). Search your storage and file servers, applications, databases and virtual machines. Examine the traffic flowing across your network and between data centers. Then encrypt the data: at rest wherever it resides and in motion as it moves across the network. And don’t forget the cryptographic keys. By managing and storing your keys centrally, yet separate from the data, you retain ownership and control, streamline your encryption infrastructure, and simplify auditing, all of which enables secure enterprise mobility.
Key management is one of the areas in which encryption’s ongoing cost and effort is most pronounced. When encryption is employed, cryptographic keys must be safeguarded; if not, the entire encryption infrastructure can be compromised. Further, key administration entails tasks such as ongoing rotation, deletion, and creation: sensitive, potentially time-consuming tasks that are particularly challenging in a mobile BYOD environment. If keys are not managed correctly, they can also present security vulnerabilities and devastating business impact. For example, loss of keys is a primary concern: if keys are lost, so is the encrypted data.
Essential to successful security is an integrated approach. IT departments and security teams don’t need another silo to manage, as stated clearly in Gartner’s recently released Hype Cycle for Enterprise Mobile Security 2015. Starting with the basics, all solutions, including secure enterprise mobility, should integrate with LDAP to ensure consistency across the organization and its security policies; this prevents, for example, issues that result from delayed directory synchronization. At the higher end, consider an enterprise key management solution that protects the organization’s key materials, including:
- Identities: end users, endpoints, and services.
- Information: data, and the containers and media that hold or transport that data.
What is needed is a streamlined, repeatable model for centralized, enterprise-wide encryption. This means that encryption and key management for all deployments, including enterprise mobility, can be centralized yet distributed. Enabling your IT group to act as a provider of encryption as an IT service allows consistent security policies to be set across the organization’s varied encryption deployments and updated automatically as needed, while business owners are assured that their data is kept separate and secure.
Since secure enterprise mobility is such a vital component of the way we live and do business today, security needs to be seamless and transparent to the user. Anything overly complicated is doomed to fail, even in an enterprise environment. IT departments need to be enablers of enterprise mobility, not naysayers.
By ensuring your core assets are under lock and key, using encryption and key management accessible only to authorized users and complemented by strong authentication, your organization can effectively manage its enterprise mobility strategy while ensuring it is aligned with its security strategy.
Mor Ahuvia, August 5, 2015, 04:03 pm EDT
Embraced for management efficiencies and improved security, virtualization has been adopted by 74% of IT professionals in NorAm and EMEA, according to a SpiceWorks survey. While full disk encryption can be used to protect laptops and desktops from theft, what happens to your desktop when it moves to the cloud and can be accessed by someone who isn’t even physically near you? Have your organization’s VDI security issues been fully addressed?
An important enabler of enterprise mobility, virtual desktop infrastructures (VDIs) can be consumed from the cloud with desktop-as-a-service solutions, or streamed from the data center. AWS Workspaces and Cisco Desktop-as-a-Service, for example, offer the former, while Citrix XenApp or XenDesktop and VMware Horizon offer the latter. Either way, they give mobile employees the freedom to work from any mobile endpoint, as the application software is never installed on the device but is streamed on demand from the cloud or data center.
In terms of management overhead, VDI translates into zero hardware-software compatibility issues and makes it easy for IT admins to centrally configure and maintain employee desktops with all the applications they need. Virtualization can also mean improved security, as software updates and patches can be centrally issued and enforced on virtual desktops. Plus, a malware-infected machine can easily be restored to an earlier, clean version, eliminating the need to reformat the underlying hard drive (for example, to remove a rootkit). That said, many organizations neglect to fully address VDI security.
VDIs can be deployed inside the firewall. However, they are increasingly accessed over the Internet, with their security often hinging on a static password. This leaves data residing in virtualized environments vulnerable to compromise through a multitude of threat vectors, such as phishing, brute-force attacks, generic malware, and credential-database hacking. Plus, when your desktop resides in the cloud, someone can access it without even being physically near you.
To make sure your virtualized resources remain confidential and truly enable mobile enterprise security, apply Gemalto’s simple Secure the Breach Strategy to your virtual applications, whether in the cloud or data center, or both:
#1 Control User Access
- Instead of letting VDI security hinge on static passwords, ensure that login to your virtualized application or desktop is secured with strong two-factor authentication, described as “one of the most significant steps any organization can take to reduce the risk of adversaries penetrating networks and systems” in a recent US OMB blog. After all, “two out of three breaches involve using stolen credentials,” according to a Verizon Data Breach Investigations Report.
- For convenient VDI security, seek strong authentication solutions that can be applied to any endpoint, be it a mobile device, desktop or thin client.
- Furthermore, to keep it simple for users and admins alike, extend enterprise identities to cloud-based applications, so that employees can use a single identity, a single credential set protected with 2FA, to access all their on-prem and cloud resources (VPN, VDI, SaaS and portals).
#2 Encrypt Your Data
After strengthening your access controls, ensure your virtual data is encrypted: at rest in virtual machine instances and virtual desktops (whether hosted in the data center or the cloud), in virtualized applications and any related storage and databases, and in motion when it is transmitted across the network. This ensures that even if your cloud provider or data center is breached, your virtual desktop, data and applications remain unreadable and useless to attackers.
#3 Manage your Keys
Lost or misplaced encryption keys render encrypted data unusable, so ensuring central management of those keys is paramount.
More on tactics #2 and #3 for supporting VDI security, and enterprise mobile security in general, in next week’s blog, so stay tuned.
To learn how simple and easy enterprise mobile security can be, check out our infographic or visit our A4 Authentication for Mobile Workforce Security microsite, and find out how you can secure access to Any Application, from Any Device, at Any Assurance Level, Anywhere.
Garrett Bekker, August 4, 2015, 02:25 pm EDT
For security professionals, one of the primary challenges of cloud computing is that they must somehow protect resources that, to varying degrees, they no longer control and for which traditional security controls like firewalls and IPS devices are ineffective. However, regardless of which cloud model you adopt (IaaS, PaaS, SaaS, hosted private cloud, etc.), one thing you can still have some control over is your data. But how do you accomplish this when the data lives, at least part of the time, in someone else’s infrastructure?
As in other sectors of security, the emergence of cloud computing has breathed new life into certain long-existing security technologies, and in recent years we’ve seen a ‘rebirth’ of encryption as a primary way to ensure that sensitive data remains protected even outside the corporate confines. Encryption is arguably one of the oldest security tools and has been around for millennia, but its complexity has often meant it was relegated to the background and reserved for only the most stringent use cases.
Cloud has changed that.
As in the pre-cloud world, encryption does come with some potential drawbacks. One of the main challenges is to implement encryption in a way that allows critical application features to still function normally, and also without impacting performance, uptime, and perhaps most importantly, the user experience.
The second major challenge, and arguably the more important one, is key management. How you handle encryption keys, share them securely with others, rotate them, etc. is critical, since whoever controls the keys literally owns the data – history has given us plenty of examples of how either weak crypto or bad key management can be worse than having no encryption in the first place.
With respect to cloud security, and SaaS applications specifically, the issue of key management has been somewhat contentious. A number of vendors have emerged in recent years that provide encryption for various SaaS applications using a gateway model that intercepts traffic en route to SaaS applications and encrypts sensitive data. Most importantly, these vendors do so in a way that preserves most of the functionality of the SaaS app, and customers retain control of the keys on their own premises to ensure that nobody at the SaaS provider can access critical data, whether maliciously or in the event of a legal order. The primary potential drawbacks of this approach are that it can be costly, both in hardware and in integration work, and that application performance can be affected (particularly when applications are updated).
In addition to third-party encryption solutions, we’ve recently seen a move by both SaaS providers as well as big-data distributors to offer encryption and key management natively, so their customers can protect their data without the added cost and integration work that sometimes comes with third-party solutions. Examples include big-data distributors Cloudera and Hortonworks, each of which acquired encryption vendors last year that allow them to offer encryption to their customers as either a standard feature or as a premium service.
Among SaaS providers, Box also offers its own native encryption, and earlier this year introduced a premium version that allows customers to maintain control over their encryption keys by physically separating them from Box’s internal servers and admins. The most recent example is Salesforce’s launch of native encryption – called Platform Encryption – as part of its new Salesforce Shield premium security offering. Platform Encryption has a variety of interesting features and has been architected in a way that makes it extremely difficult to be misused by Salesforce employees. However, customers don’t have the option of keeping their encryption keys on their own premises, which may be OK with many customers, but not those facing strict compliance or data residency requirements.
The $64k question, then, is how many customers fall into each camp? Cloud security is still at an early stage of development, and the market’s acceptance of Box’s EKM and Salesforce’s Platform Encryption should provide interesting test cases for how the cloud data-protection industry will unfold over time. For the near-term, however, we think it’s likely that several models will co-exist, with both native and third-party offerings, as well as both provider-managed and customer-managed keys. Either way, as cloud infrastructure and applications become more tightly woven into the fabric of most modern enterprises, encryption will increasingly be expected as a standard feature of most cloud offerings. And as encryption assumes its rightful place in the cloud security toolkit, so too will the need for a key management system that supports a variety of cloud and encryption architectures and also scales to meet the demands of an elastic, on-demand infrastructure. After all, whoever controls the keys, controls the kingdom.
Regardless of which camp you may fall in, historically, ‘good enough security’ has been, well – good enough. Too many organizations have been content to check off compliance boxes and move on. However, we are seeing increasing evidence that this may be changing, and the seemingly endless parade of data breaches may be causing more companies to think about implementing security best practices rather than just doing the bare minimum. That said, our guess is that for the time being, the lack of an on-prem key management option is not a deal killer for the majority of customers.
For large SaaS, IaaS and big-data providers, we are likely to see more native encryption options come to market as they look to meet customer demands for data protection. But how will they handle key management? Will they follow Salesforce’s lead and keep the keys to themselves, or adopt Box’s model and let customers keep control?
As mentioned earlier, for customers with strict internal security policies or those facing data residency requirements, on-prem key management will remain a must, and for this group, third-party encryption vendors will still play a large role. Either way, we see third-party vendors evolving more towards key management and away from basic encryption, particularly as more customers adopt multiple cloud applications and may have a need for a centralized way of managing their keys.
For smaller SaaS providers, many may opt to integrate third-party encryption and key management offerings directly into their products rather than expending the time and resources that Salesforce and Box likely did to develop with their own native offerings.
Regardless of how things play out, key management will remain a central issue in the battle for cloud data security.
Larger SaaS, IaaS and big-data providers are likely to deliver more native encryption options as they look to meet customer demands for data protection, and many will opt to architect their offerings with an on-premises key management option. Smaller SaaS providers with fewer internal resources and less expertise may opt to integrate third-party encryption and key management offerings directly into their products.
Most people know that if you want to keep your company data safe from not only hackers but also unauthorized prying eyes—such as customers and coworkers—you need to encrypt it. After all, an encrypted environment is far more secure than an unencrypted environment because encryption equals safety . . . or does it?
Encrypting Your Data Is Not Enough
At the most basic level, encryption jumbles the contents of data (whether in files, in databases, or sitting on servers) by running it through an algorithm that renders the file unreadable, to be decrypted only with a key. Sounds safe, right? After all, encryption algorithms are nearly impossible to crack without access to the encryption key. But the encryption itself is only one part of the story. The safety of your data in the cloud ultimately depends on the encryption scenario you’ve put in place. For business leaders and IT administrators, this means that understanding the encryption process as it relates to the ownership of and access to company data is crucial to securing it in the cloud.
To illustrate why ownership of and access to data plays such a critical role in data security, let’s examine encryption in a “what if” scenario that replaces your company’s encrypted data with your wallet.
Scene: The Gym
Let’s say you go to the gym and lock your wallet in a locker for safekeeping while you work out. How is the safety of your wallet affected if you drop the key on the floor or store it on the ledge above the locker? What if you give the key to a friend while you run on the treadmill or leave it with your towel at the edge of the pool while you swim laps? What if someone finds the key and gives it to the front desk? What if you use a gym-issued lock and the facility holds a master key or copy of your key? What if you see—or don’t see—evidence that someone has tampered with your lock? What if the lock manufacturer created duplicates of the very same lock and key that you are using?
In each of these scenarios, your wallet is locked in the locker, but how well is it really protected if you do not have full ownership and control over the lock mechanism and the key used to secure it?
Encryption Requires Levels of Protection
Protecting data, especially sensitive data, requires multiple levels of protection around encryption. And it is the responsibility of each and every data owner to exercise due diligence by researching every “what if” so that the appropriate level of protection can be applied to secure their data stored in the cloud. Making sure that data is safe from unauthorized access requires enterprises to consider not only the physical and logical security of the cloud service provider but also who is encrypting the data; when and where the data is being encrypted; and who is creating, managing, and accessing the encryption keys. Much like the “wallet-in-the-gym-locker” example, encryption is more than a code and a key.
Storing Data in the Cloud with Customer-Owned Encryption
Recognized universally by analysts and experts as a necessary way to control data stored in the cloud, customer-owned encryption is fundamental to demonstrating regulatory compliance. Experts often recommend encrypting sensitive data and deploying customer-owned key management to:
- isolate regulated and sensitive information and
- separate encryption control and ownership from the cloud provider.
By doing so, organizations can demonstrate compliance and pass audits and, most importantly, protect sensitive data from specific attacks.
Three Rules for Encrypting Data Stored in the Cloud
- Own your encryption so that you—not your cloud provider—can address any and all access requests for the surrender of your company’s cloud data.
- Own and manage the encryption key lifecycle to ensure that your cloud data is always secure.
- Define and control data access permissions for company personnel, partners, vendors, customers, etc. to prevent unauthorized access to your cloud data.
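As an added example (not code from any of these posts, nor Gemalto’s or any vendor’s product), the following Python puts the earlier advice to keep keys "centrally, yet separate from the data" and the three rules above into one runnable envelope-encryption model: each object is encrypted under its own data-encryption key (DEK), the DEK is wrapped under a key-encryption key (KEK) that only the customer holds, and the provider stores nothing but ciphertext and wrapped keys. Rotating the KEK re-wraps the DEK without touching the bulk ciphertext, and destroying a KEK makes everything under it unreadable, which is the "lost keys means lost data" point made above, seen from both sides. The names `CustomerKeyStore`, `CloudObject` and the key-id format are assumptions; the HMAC-SHA256 counter-mode cipher with an encrypt-then-MAC tag stands in for AES-GCM so the block runs with the standard library only.

```python
"""Envelope encryption with customer-held KEKs (added example, not the blog's code).

The cipher below (HMAC-SHA256 in counter mode + encrypt-then-MAC tag) is a
standard-library stand-in for AES-GCM; use AES-GCM from a vetted library in
production. The design points it illustrates do not depend on the cipher.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass

NONCE_LEN = 16
TAG_LEN = 32


def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive independent encryption and MAC keys from one 256-bit key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # PRF in counter mode: block i = HMAC(key, nonce || i).
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Authenticated encryption; returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), aad + nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    """Verify the tag before decrypting; any tampering raises ValueError."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), aad + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: ciphertext or key metadata tampered with")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


class CustomerKeyStore:
    """KEKs held on the customer's side (assumed on-prem key manager); the provider never sees them."""

    def __init__(self) -> None:
        self._keks: dict = {}
        self.current_id: str = ""
        self.create_kek()

    def create_kek(self) -> str:
        kek_id = f"kek-{len(self._keks) + 1:03d}"   # assumed id format
        self._keks[kek_id] = secrets.token_bytes(32)
        self.current_id = kek_id                   # new wraps use the newest KEK
        return kek_id

    def wrap(self, dek: bytes) -> tuple:
        # The KEK id is bound as associated data, so a swapped id fails on unwrap.
        return self.current_id, seal(self._keks[self.current_id], dek, aad=self.current_id.encode())

    def unwrap(self, kek_id: str, wrapped_dek: bytes) -> bytes:
        return unseal(self._keks[kek_id], wrapped_dek, aad=kek_id.encode())  # KeyError once destroyed

    def destroy(self, kek_id: str) -> None:
        del self._keks[kek_id]   # crypto-shredding: every object wrapped under this KEK is now unreadable


@dataclass
class CloudObject:
    """What the provider stores: ciphertext plus a wrapped DEK, never a usable key."""
    ciphertext: bytes
    kek_id: str
    wrapped_dek: bytes


def store_in_cloud(keystore: CustomerKeyStore, plaintext: bytes) -> CloudObject:
    dek = secrets.token_bytes(32)           # one DEK per object; keys stay separate from data
    kek_id, wrapped = keystore.wrap(dek)
    return CloudObject(seal(dek, plaintext), kek_id, wrapped)


def read_from_cloud(keystore: CustomerKeyStore, obj: CloudObject) -> bytes:
    dek = keystore.unwrap(obj.kek_id, obj.wrapped_dek)
    return unseal(dek, obj.ciphertext)


def rotate_kek(keystore: CustomerKeyStore, obj: CloudObject) -> CloudObject:
    """Rotate the KEK: only the small wrapped DEK is rewritten; bulk ciphertext is untouched."""
    dek = keystore.unwrap(obj.kek_id, obj.wrapped_dek)
    keystore.create_kek()
    kek_id, wrapped = keystore.wrap(dek)
    return CloudObject(obj.ciphertext, kek_id, wrapped)


if __name__ == "__main__":
    ks = CustomerKeyStore()
    obj = store_in_cloud(ks, b"constructed sample: payroll export")   # constructed input
    rotated = rotate_kek(ks, obj)
    print(read_from_cloud(ks, rotated), rotated.kek_id)
```

Two design choices carry the page’s argument: `CloudObject` holds no material that decrypts anything without a call back to the customer’s key store, so a provider-side breach or a legal demand served on the provider yields only ciphertext, and `rotate_kek` shows why per-object DEKs make routine rotation cheap enough to actually happen, since only a 32-byte wrapped key is rewritten rather than the whole data set.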
It’s the difference between thinking and knowing that your cloud data is secure.
I used a gym locker analogy not only because I liked how it compared to the various levels of cloud data security but also because it got me thinking about the difference between thinking and knowing that my cloud data is secure. Let’s face it; there are enough “what ifs” in business and in life. So whether you are moving data to the cloud for the first time or refining an existing cloud security scenario, knowing that your cloud data is secure with customer-owned encryption will not only give your data (and the data of your prospects, customers, clients, vendors, partners, and everyone you do business with) the protection required by business mandates, but will also give you peace of mind to attend to the business at hand (and that workout you’ve been putting off).
For more information on taking ownership of your encryption and encryption keys in the cloud, watch our on-demand webinar, Trusted Crypto in the Cloud: Best Practices for Key Ownership and Control.
Cheryl Barto Shoults March 19, 2012, 10:05 am UTC
Cheryl Barto Shoults January 24, 2012, 08:30 am UTC
Andrew Young November 20, 2013, 11:41 am UTC