CS1705
encryption

BEWARE THE DOUBLE-EDGED SWORD

ENCRYPTION PLAYS A VITAL ROLE IN PROTECTING VALUABLE INFORMATION FROM BEING STOLEN OR ALTERED. BUT IT CAN BE USED BY YOUR ENEMIES JUST AS READILY

How do you stay one step ahead of the attackers, when it comes to employing the latest encryption technology? What is the right solution for your organisation? How do you make sure your systems aren't breached? In the wake of constant breaches, the time to focus on encryption has never been more urgent.

As Mark Hickman, chief operating officer, WinMagic, points out, encryption is the last line of defence against any data breach, such as an external hacker. "But it is often forgotten that the role of security is to protect against problems on the inside, as much as the outside, whether an accidental breach of data or a rogue employee. Sensitive data, whatever it is, should always be encrypted and be kept in that state. A simple rule is that, if you don't want just anyone to see it, then it should be encrypted. That way, encryption becomes embedded in the organisation from a technology and process perspective."

QUESTION TIME

Starting from that premise, we can then ask the following, he says: "What do I need to encrypt? How will that data be used and shared? Where will it be stored? Who needs access to it? These questions help you identify the scope of your encryption needs - for example, whether you need to be able to encrypt in the cloud."

Any data that you would fear losing, or that is sensitive in any way, should always be encrypted at the end point in the organisation, he adds. "This can also be used to ensure that, when data leaves the organisation, it remains encrypted wherever it goes by enforcing a security policy that requires it. The only way to make this work over modern infrastructures, which are diverse and multi-layered, is through centralised key management."

Since you own and control the encryption keys on a centrally controlled key server, access to the files remains completely under your control - wherever it goes, on any device. With centrally controlled encryption, it is also possible to ensure that files are only readable by certain individuals, thus helping a company enforce both regulatory and governance requirements.

But there are other examples where it is helpful, Hickman points out. "If an employee leaves the company, or you stop working with a specific partner organisation, access can be instantly terminated. Without encryption, users would retain access to those files and the practice would have no way of removing them from devices. Using centrally managed encryption, access can be removed in the policy engine; the user instantly loses the ability to decrypt and read the files."

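The arrangement described in the two paragraphs above, shown as an added example (it is not code from the article or from any vendor it quotes): each file gets its own data key, which a hypothetical `KeyServer` wraps under a master key and releases only to users named in its policy. All names are assumptions, and the HMAC-based cipher is a standard-library stand-in for AES-GCM.

```python
import hashlib, hmac, secrets

def _mac(key, *parts):
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()

def _xor(key, nonce, data):
    # Stand-in cipher (HMAC-SHA256 keystream), stdlib only; use AES-GCM in practice.
    pad = b"".join(_mac(key, b"enc", nonce, i.to_bytes(8, "big"))
                   for i in range(0, len(data), 32))
    return bytes(a ^ b for a, b in zip(data, pad))

def _tag(key, aad, nonce, ct):
    return _mac(_mac(key, b"mac-key"), len(aad).to_bytes(8, "big"), aad, nonce, ct)

def seal(key, plaintext, aad=b""):
    nonce = secrets.token_bytes(16)
    ct = _xor(key, nonce, plaintext)
    return nonce + _tag(key, aad, nonce, ct) + ct

def unseal(key, blob, aad=b""):
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, _tag(key, aad, nonce, ct)):
        raise ValueError("authentication failed")
    return _xor(key, nonce, ct)

class KeyServer:
    """Hypothetical central key server: keeps the master key and the policy."""
    def __init__(self):
        self._kek = secrets.token_bytes(32)
        self._acl = {}                       # file id -> users allowed to decrypt
    def new_file_key(self, file_id, users):
        self._acl[file_id] = set(users)
        dek = secrets.token_bytes(32)
        # Bind the wrapped key to its file id so it cannot be replayed elsewhere.
        return dek, seal(self._kek, dek, aad=file_id.encode())
    def unwrap(self, file_id, user, wrapped):
        if user not in self._acl.get(file_id, ()):
            raise PermissionError(f"{user} is not allowed to decrypt {file_id}")
        return unseal(self._kek, wrapped, aad=file_id.encode())
    def revoke(self, file_id, user):
        self._acl[file_id].discard(user)

def protect(server, file_id, users, plaintext):
    dek, wrapped = server.new_file_key(file_id, users)
    return {"id": file_id, "wrapped_key": wrapped, "body": seal(dek, plaintext)}

def read(server, user, doc):
    # Assumes clients fetch the key per read and cache neither key nor plaintext.
    return unseal(server.unwrap(doc["id"], user, doc["wrapped_key"]), doc["body"])
```

After `revoke`, `read` raises `PermissionError` for that user even though the encrypted copy on the device is unchanged.
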
If your company wants to use third party cloud storage services, it is critical to use solutions where encryption keys are always in the control of the organisation, rather than the cloud service, he says. "This adds yet another level of protection, should a breach of usernames/passwords occur at a third-party cloud service provider. A hacker will not be able to read the files they can see."

This type of cloud-based approach to encryption does not just protect from hackers, he continues, but equally it protects against anyone, accidentally or otherwise, sharing data with those that should not have access to it.

RANSOMWARE ATTACKS

Although encryption forms one layer of a cyber security policy by providing a mechanism to protect access to data by unauthorised individuals, whether at rest or in-transit, that is far from the whole picture. "Unfortunately, we also see encryption used as a tool against us in Ransomware attacks, where our data is encrypted by a third-party preventing our access to it," says Brian Chappell, senior director, Enterprise & Solutions Architecture from BeyondTrust. "Given that Ransomware will encrypt any data a user has access to write to, it makes it very hard to protect against. The rapid evolution of Ransomware means that signatures,

computing security May/June 2017 @CSMagAndAwards www.computingsecurity.co.uk