Encryption - There is No Silver Bullet for Information Security


Encryption - There is No Silver Bullet for Information Security

In the information security arena, a commonly heard phrase is “silver bullet” – the all-encompassing data security tool, firewall, or an entire application platform that will stop a data breach in its tracks and keep all sensitive customer data secure. Guess what? There is no one singular solution that will achieve “silver bullet” status. Information security can be made stronger with a layered security model where the complexity of making a successful breach is increased by the multiple levels of controls enabled and correctly configured. What is the role of encryption in a layered security model? Does it secure data in transit? Does encryption properly secure data stored in your environment. How does encryption fall short in securing data? Should encryption be universal?

Adding Encryption into a Layered Security Model

Encryption addresses two layers of security – data in transit or Transport Layer Security (TLS) and data at rest on disk or Advanced Encryption Standard (AES). Unfortunately, we’ve seen breach after breach where organizations are using encryption, but encryption alone was not a deterrent and sensitive data was exposed. Why doesn’t encryption alone provide enough protection? Because hackers understand that when encryption is used to secure sensitive data sets on-premise, the keys to decrypt the data have to be stored in the environment as well. And they know where to look for the keys. For example, organizations that process encrypted data on a regular basis code the encryption keys in database stored procedures, along with the encrypted data. So there needs to be additional controls in place to protect the stored procedures that are using the encryption keys. If not, you effectively hand the keys to the information kingdom to the hackers.

Encryption Weaknesses

There is no doubt that encryption can be very powerful security tool in specific use cases. Unfortunately, like any other technology, encryption has its own set of weaknesses. For example, the Secure Socket Layer (SSL) encryption, has been compromised to the point where it is unusable. Or, count the number of the encryption algorithms that have been breached over the course of time due to weak key strength. As computing power grows, so do the challenges of providing encryption algorithms that will stand the test of time and hacker computer power.

Most of the weaknesses associated with encryption are in its implementation. Try to brute force decrypt the cipher text output from the AES 256 algorithm. Chances are we’ll never see in our lifetime the original plain text that was processed with the AES 256 algorithm. However, hackers take the backdoor, skipping brute force decryption of the cipher text, and going right for the key used to encrypt the data – that’s where a primary weakness to encryption implementation resides. Are you protecting the “keys” used with every encryption capability?

European Union Sets the Tone for Data Privacy Laws

Encryption for the sake of data privacy, while it may not please everyone, should be universal. In the EU, for example, data privacy laws are very stringent, so as a result they do not have the same challenges as citizens in the United States have with identity theft and loss of personally identifiable information (PII). As with any technology, there must be balance. But how many times do we really have to struggle with extreme cases like the current Apple vs. FBI tussle? Doing a cursory Google search, I can only find probably a dozen cases where there have been privacy and security battles like this. Because we are human and we are logical, it stands to reason that we should be able to identify certain cases, where it is appropriate to break from normal privacy practices in order to protect the greater good. Where you draw that line, I’m not too sure. But I am of the mindset that we as a society can find a common ground. Not as extreme as Big Brother – but no one likes their identity stolen either.

Implementation Is Everything

At the end of the day, as with any technology, the strength of encryption resides completely in its implementation. If it is not implemented correctly, or if the components used to ensure strong encryption are not secured correctly, then encrypted sensitive data will be at risk. To properly secure sensitive data it should be encrypted, tokenized, and stored in secure cloud data vaults. With only tokens being used in on-premise business systems, sensitive data is out the reach of hackers. The TokenExCloud Tokenization platform offers encryption and tokenization solutions that enable you to properly secure your data environment.

 Visit TokenEx.com or email sales@tokenex.com for more information on how to properly secure your organization. Read more about Encryption vs Tokenization under the Resources menu on our web site. Follow us on Twitter and LinkedIn.

 

Topic(s): data security , encryption , tokenization

Keep Up With Our PCI & Privacy Blog