The near simultaneous advent of cloud, true mobile, and big data technologies has hugely complicated data security, a problem that many companies are only beginning to understand, says Securosis Analyst and President Mike Rothman. This growing realization is helping to drive adoption of data encryption. But while encryption is an important tool for protecting data that no longer resides solely and always inside corporate firewalls, Rothman warns that it should not be seen as a silver bullet for security issues.
“It’s very hard to make generic statements about encryption because there are so many variables,” he says. Whether encryption is the right tool depends in large part on the architecture, the data being protected, who is likely to try to get at it, and how they are likely to do so. And, he warns, “folks who think, ‘Hey, I’m going to encrypt all my databases and that will solve all my problems,’ well, not so much. If I break an application server that has the credentials to access the database, game over. Your encrypted database doesn’t help so much.”
Encryption also has two important costs that have traditionally limited adoption to highly secure environments and which, Rothman says, are still with us today. The first is the extra compute load encryption creates every time someone wants to access encrypted data. At first glance one might think that Moore’s Law would have obviated this problem. But Rothman says that while the increase in compute power helps, it also makes brute-force key search, in which a computer tries candidate keys until it finds the right one, much more practical. As a result, keys have become longer and more complex, increasing the encryption/decryption compute load. “I think it’s a wash,” he says.
This should be kept in mind when answering basic questions such as which data really needs encryption, and whether that encryption should be applied when data is at rest, when it is in transit, or when it is in active use. And he warns that if encryption is applied badly, “you can hose your application.”
“Encryption is easy. Key management is hard.”
The other major practical issue has been key management, whose complexity has grown with the adoption of cloud services. A fairly small number of large enterprises use company-wide key management utilities. Rothman does not necessarily recommend these. Again, he says, whether your company needs to go this route depends on several factors, including how much data is being encrypted, where it is being stored, and where it is used. Many more organizations use application-specific encryption, both internally and in the cloud. Increasing numbers of Salesforce clients, for example, are encrypting their data, to the point that Salesforce bought an encryption company to provide encryption as an extra service to users. Users of the hosted version of Exchange also often encrypt attached files, so that if someone hacks their e-mail they cannot read the attachments, which are often more important than the e-mails themselves.
In these applications the data is encrypted at the gateway, usually by a cloud service, which takes care of the compute load problem. But a company with four or five encrypted databases, each with its own key and each with large internal user populations, faces a complex key management problem. The problem grows even more complex if users are in multiple locations and include part-timers or freelancers, or if the data needs to be accessed by third parties, such as business partners in a supply chain or customers.
Another issue that comes with the cloud, says Larry Warnock, CEO of encryption startup Gazzang, is that if your sensitive data is on a cloud service, you don’t want employees of that service reading it.
“That was an issue with services like Dropbox and iCloud,” says Rothman. “The fact is that if you are using a SaaS application, and you don’t have to put your credentials into it to access that data, then clearly the provider has the key.”
On the other hand, Securosis itself makes heavy use of Dropbox. It just encrypts the data before sending it into the cloud.
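Encrypting data before it reaches the provider, as Securosis does with Dropbox, and keeping the resulting keys manageable are shown together in the added Go example below, which is not code from Securosis, Gazzang or any product named in the article. It assumes a 32-byte key-encryption key (KEK) held only by the customer and uses envelope encryption: each file gets its own data key (DEK), wrapped under the KEK, so the provider stores only ciphertext and wrapped keys; the names `Envelope`, `EncryptForUpload` and `DecryptDownload` are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Envelope is all the provider stores: ciphertext plus the per-file DEK wrapped under the customer's KEK.
type Envelope struct{ WrappedDEK, Ciphertext []byte }
// gcmFor builds AES-GCM for a 32-byte key; a wrong key length is a bug, so panic.
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for AES's 16-byte block size
	return gcm
}
// seal encrypts msg under key, prefixing a fresh random nonce to the output.
func seal(key, msg []byte) []byte {
	gcm := gcmFor(key)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand.Read never returns an error (it aborts instead)
	return gcm.Seal(nonce, nonce, msg, nil)
}
// open reverses seal; a wrong key or a modified ciphertext fails the GCM tag check.
func open(key, sealed []byte) ([]byte, error) {
	gcm := gcmFor(key)
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}
// EncryptForUpload: fresh DEK per file, file sealed under the DEK, DEK sealed under the KEK; only the Envelope is uploaded.
func EncryptForUpload(kek, plaintext []byte) Envelope {
	dek := make([]byte, 32)
	rand.Read(dek)
	return Envelope{WrappedDEK: seal(kek, dek), Ciphertext: seal(dek, plaintext)}
}
// DecryptDownload unwraps the DEK with the KEK, then decrypts the file.
func DecryptDownload(kek []byte, env Envelope) ([]byte, error) {
	dek, err := open(kek, env.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, env.Ciphertext)
}
```

The KEK is what the provider never receives, which is exactly what distinguishes this from a SaaS application that must hold the key to serve the data.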
And encryption is not only for cloud services. One Gazzang customer, a financial services company that asked not to be identified by name, is only starting to become involved in cloud services, but uses encryption to provide a last line of defense for sensitive data in its in-house applications.
Overall, Rothman says, “Encryption is good, and there will be more encryption tomorrow than there is today because more data will be out there tomorrow. Do we need to encrypt as we move data to cloud and hybrid cloud environments? Absolutely. If you have data everywhere, then you need to encrypt. But a lot depends on the problem you’re going to solve, the types of data, and the types of adversaries you face.”