Losing the Human Touch to Protect Data

Human nature means that we tend to default to the easiest option when faced with difficult and serious issues, and this can be the case when it comes to securing our data and information systems.

In the early days of information security, we focused on preventing access to the data we valued. We installed firewalls to protect our perimeters and bought anti-virus software to identify and prevent malware that might sneak through. If we had taken a more data-centric approach from the start, maybe we would have avoided many of the breaches that have hit the headlines over the last 30 years.

Encryption has been around for centuries and used by the Greeks and Romans to protect information if it fell into the wrong hands. Protecting electronic data has proven to be a more complex problem and it is us humans again who have been the Achilles heel of most encryption solutions.

Humans were never meant to worry about data security or having to make decisions about what is important to encrypt and protect and what is not. What was needed at the very start was a philosophy that makes security an inherent property of data that is Invisible from those who generate and use it every day. Inherent and Invisible security allows users to act as normal without rules or technology to ‘get around’ that would introduce risk.

It’s not too late though: most encryption solutions rely on symmetric encryption which uses the same key to encrypt and decrypt. Public Key Infrastructure (PKI) enables Asymmetric Encryption which uses two keys: a public key to encrypt and a unique private key to decrypt. PKI encryption allows for simple and natural file sharing across user groups, networks and in the cloud.

This is a major advantage, but individuals will find other ways of achieving something if the ‘proper’ way is difficult, so PKI-based encryption has to be both inherent and invisible to avoid these risks. This can be achieved by making the encryption processes work at the file system level so that humans aren’t even aware that they’re going on.

In addition, tightly binding authentication with encryption of the data inside the files ensures that even if information falls into the wrong hands – whether by accident, through insider theft or by malware attack – it remains encrypted and useless to anyone.

Number crunching

Technically, PKI-based file encryption is a complicated process and is a slow and mathematical task which takes many processor cycles. However, modern CPUs include some dedicated instructions for encryption operations, eliminating performance problems and user frustrations.

The other important factor is that there must be no disruption to the way people and applications work. For example, data must remain encrypted at all times on disk, even when files are being edited. If an unauthorized individual attempts to open a file that is not encrypted for them, they will then find that the data is unreadable – even if they take a copy of the file outside the network.

So, how is it different?

There are plenty of encryption systems on the market, but full disk encryption systems like BitLocker, for example, only protect data when the system is switched off so anyone or anything can access any file on a running system.

File and folder encryption, as well as data classifications, rely on the user making a security choice. Users must actively choose to encrypt files and remember additionally to delete the originals. This method assumes the user or administrator will make the right classification choice. If everything is encrypted, however, the need to make user decisions is removed and individuals cannot also decide not to encrypt some data.

By building authentication into each file alongside encryption we can be sure that only authorized individuals can access the data. This approach defeats insider data theft because any stolen information remains encrypted and therefore useless once outside the control of the organization.

This individual security shield is maintained on every file, no matter how it is used, where it is stored and on which media it is copied. That means even if someone has the correct ID, password and token, and has the authority to open a file encrypted with their public key, the file still remains encrypted.

What about the admins?

In conventional encryption, privileged users such as IT administrators are still able to access information, which presents a risk. With authenticated encryption, admins can still do their job, but they will be unable to decrypt files they do not have the authority to open.

It is also irrelevant where files are copied because each one has its own inherent security. To have access to any of the data, the administrator needs the file, the user credentials, their private key and the decryption filter. As a result, it is not possible to decrypt a file outside of the organization, even if an individual is authorized to decrypt the file when at work.

Mind the gap

It’s time to take a fresh look at data security. Rather than trying to fill in the security gaps to protect the increasingly disparate perimeter defenses, we need to take a data-centric approach to security and protect it at the most basic level, which is the file at rest, in use or in motion. We need to step back from solutions that protect some of the data some of the time, focus on compliance rather than security, or add complexity that can introduce risk itself.

Most importantly, we need to remove the human element of data security entirely, rather than try to account for it or change it. Training and monitoring doesn’t work all the time and human nature has shown that if the solution is not instinctive or logical, we will create our own, insecure methods. How many people leave the front door key under the pot by the door?

People should be able to work just as they want to or need to, without additional considerations and obvious pressures and similarly, usability needn’t be sacrificed to strengthen our data security.

To see data security in a whole new light, Spark can show you how to find real peace of mind.

Protecting Data when it is Most Vulnerable

Most organizations understand the need to protect data against cyber-attacks and data breaches by using encryption. Unfortunately, even the most well-informed and well-intentioned fail to encrypt their data when and where it is most vulnerable. Too often, they are not getting the protection they think they are when implementing full disk encryption or when told by email hosts, cloud storage and communication service providers that their data is encrypted and secure.

Encryption is not a single technology, tool, or solution. Many products are designed for certain tasks and data types, but an effective implementation of encryption needs to protect data when it is most vulnerable. The most well-known forms of encryption are those protecting volumes of files when they are stored and entirely dormant. But data is most vulnerable and valuable when it’s accessible, in transit, or in use. That’s precisely when volume-level encryption tools lose any and all effectiveness or utility.

Data at rest vs. data in transit vs. data in use

Data exists in three states: at rest, in transit and in use. Data at rest is stored in a digital form on a physical device, like a hard disk or USB drive. Data in transit is digitized information traversing a network, such as when sending an email, accessing data from remote servers, uploading or downloading files to and from the cloud, or communicating via SMS or chat. Data in use is information actively being accessed, processed or loaded into dynamic memory, such as active databases, or files being read, edited or discarded.

While there are various crossover points among the states, data must be protected in all three and during their transitions from one state to another. When a vendor or cloud service provider claims that data is encrypted on its servers, that doesn’t mean it is protected in all three states.

Full disk encryption: seat belts in a car that doesn’t move

Full disk encryption would suggest that every file and activity on that disk is encrypted and secure. In reality, it’s simply physical hardware security that only protects data when the host computer is either not logged in or not turned on. Imagine seatbelts that only work when a car is parked – when passengers are at their least vulnerable.

Full disk encryption protects data when a computer or cell phone is stolen or lost and someone attempts to physically access the contents. But few, if any, well-known data breaches have come from physically stolen computers. End-user machines are attacked remotely when running and disks are mounted. Servers and network devices are prime targets and they are almost always running. So, using full disk encryption would be pointless.

But vast amounts of data are transmitted across networks and over the air when there are no hard disks to encrypt and beyond any full disk encryption. Third-party intercepts, or man-in-the-middle attacks, occur outside controlled environments, making data in transit highly vulnerable. For example, attackers can use sniffer tools to capture data as it traverses a wired or wireless network in real time. They can then read any data not encrypted, including passwords, credit card numbers, etc. When data is in transit, another type of encryption is necessary, the most well-known being SSL/TLS (secure sockets layer/transport layer security), which secures most Internet traffic in HTTPS format. Many other encryption variants protect Wi-Fi data streaming and cell phone traffic.

The various states of data, and the transitions amidst them, all require protection and encryption remains among the best options. But confusion and complexity can arise when each data state demands a different method of encryption, quickly leading to fear when the notions of losing keys or forgetting passwords come to mind.

The problem with password-based encryption

When people think of encryption, they think of keys. And to access those keys, passwords always seem to be involved. Full disk encryption requires a password that unlocks the key that decrypts files on the disk as they are accessed. However, user-defined passwords play no role in cell phone calls or online purchases using HTTPS, both of which rely heavily on encrypted data streams.

Passwords and the fear of forgetting them or making weak ones stop many organizations from using encryption for all data states. Worse still, that fear compels them to use encryption only on a limited subset of the most sensitive data, leaving everything deemed innocuous plain and vulnerable.

Password-based encryption typically relies on a single symmetric key to encrypt and decrypt data. Efficient, lightweight and relatively easy to manage, symmetric key encryption is useful for rapid transactions, such as card payments. The data being processed is encrypted and only that same secret symmetric key can decrypt it. Often, that secret symmetric key is protected or even generated by a password.

Yet passwords have become one of the weakest forms of security because users choose easy to recall or easy to type passwords. When forced to use complex or limited duration passwords, they write them down or use easily guessed words, phrases, or patterns. Even when passwords are complex, users can be coerced or socially engineered into disclosing them or providing access to password manager-type applications.

Additionally, sharing a password with another party to exchange symmetric key-encrypted data is challenging. Often, the password is sent via the same communication medium as the file. For example, an encrypted email attachment is followed by a second email containing the attachment’s password, making it more vulnerable, even if that password is meant to be used only once.

Password-based, or symmetric key encryption, doesn’t enable seamless and secure file sharing or transport; so is not a good fit for securing data in transit. While it may protect data at rest, it does nothing for data in use. This is where asymmetric key pairs make more sense.

How to protect data in all three states

Whereby symmetric key encryption uses a single secret key to encrypt and decrypt, public key or asymmetric key encryption employs a key pair comprising a secret private key and a public key. Mostly, the public key encrypts data while the private key decrypts. Since the public key is just that, it can be freely distributed to anyone, enabling seamless sharing. Without the private key, data encrypted with the public key cannot be decrypted, making it safe for data in transit and data at rest.

Cloud computing is becoming more ubiquitous, but security tools are lagging behind and aren’t suited to protecting new environments designed to handle data that is constantly in transit. That is evidenced by the staggering numbers of data breaches on cloud infrastructure. One solution is to deploy encryption solutions that use a public key infrastructure to seamlessly protect data. Public key encryption does not require passwords or other secrets to be shared. Private keys remain private and can seamlessly decrypt data encrypted with the corresponding public key.

As well as data in transit to and from the cloud or at rest on cloud servers, data is in use by active databases or cloud-based applications. Technologies such as hashing and tokenization can encrypt certain fields of an active database, while file-level encryption based on public key infrastructure can protect even large databases, even allowing them to be accessed by authenticated users.

Beyond protecting data in use, file-level encryption also ensures data is encrypted as soon as a file is created or transferred across the network. Furthermore, that encryption persists regardless of where the file goes—whether moved to another drive, archived on backup media, or stored in the cloud. Combining the benefits of public key encryption with file-level encryption covers all three states of data. And by encrypting the packets in transport to create secure connections, such as SSL/TLS, those data streams not in a file format can also be protected.

When is encryption truly effective?

There’s no point only protecting data when it is least vulnerable, as does full disk encryption, or adding burdensome or inconvenient security measures, like complex passwords and password policies. Data with any value is active, in transit, or accessible, making it highly vulnerable to user error or malicious attacks – precisely when encryption must work. And file level encryption based on public key infrastructure over secured connections accomplishes that, ensuring data is always protected at rest, in use, and in transit.

Encryption tools of various shapes and sizes can effectively prevent data loss or breaches, regardless of data state. But it’s not enough to point to the existence of some form of encryption and claim data and systems are secure. Wherever data resides, is processed, or travels, the appropriate encryption solution must be there. Continuing the seatbelt metaphor, users—and data—must be ‘belted up’ throughout the entire journey, especially when the roads are rough, crowded and fast.

When you need to secure your data against all possible threats, Spark can show you how to find real peace of mind.

10 trends shaping the future of conferencing

The Conferencing services market is estimated to grow by 23% in the next seven years (2014-2021). The exponential growth will be spurred by high growth rates in visual communications and collaboration, growth of virtual teams, cost reduction and productivity enhancements. Thanks to the guys at EZTalk this list is based on research conducted on more than 20 of the leading conferencing-services providers.

1. User Experience is Key

Long gone are the days when only tech-savvy individuals could operate the latest technology. Simpler and more aesthetically pleasing interfaces are now a key factor for virtual teams before they agree to acquire a web conferencing service. A more-intuitive user experience is now more important than ever and will continue to be a major consideration. Video and audio conferencing tools should be well designed to meet the needs of the end user enabling even novices to adapt easily to the technology.

2. Mobile-First Strategies are Coming of Age

The emergence of powerful, affordable and reliable smart phones has shifted the attention of the entire world towards mobile. Web conferencing services have not been left behind. Some conferencing service providers have reported that mobile conferencing apps account for 60% of their customer base this gives a clear indication that the Smartphone revolution should not be taken lightly and will continue to drive the growth of video and audio conferencing services.

3. Company-Wide Conferencing

Firms are now actively deploying video and audio conferencing services for their entire workforce. The growth of this trend is attributed to active-host and full-deployment models and affordability of the service. This trend will only continue to grow as more and more companies realize the benefits of conferencing services.

4. VolP is Replacing PSTN

The traditional PSTN networks have served us well but VolP is increasingly becoming the go-to solution for conferencing calls. This is a natural transition and the growth of VolP traffic is expected to lower the average selling prices in the years to come.

5. Web Conferencing is becoming a Collaborative Platform

Enabling collaboration online is one of the strengths of web conferencing. Firms are finally coming to appreciate the ability to create an affordable work space online that previously required members to travel in order to collaborate. An example is the Cisco Spark which has made it possible for team members to share content, leave notes and host meetings online.

6. Firms are using Multiple Conferencing Solutions

The growth of conferencing services has led to the innovation of various audio, video, file sharing and collaborative solutions, unfortunately or fortunately these services are offered by different providers. This has led to firms using multiple conferencing providers at a time The growing trend has led to confusion and some disorganization but has enabled the smaller players in the industry to compete.

7. Visual Conferencing Continues to Grow

High-quality visual conferencing and the networks to support it on an array of devices have enabled the rapid growth of video. In addition, the increased number of millennials in the workplace and affordability of video conferencing solutions have helped the business world overcome the fear of being on camera.

8. Content Management is the Future

Managing audio and video recordings, file sharing and the collaborative work space is the next big step that conferencing services have to take in order to further mature their products. This will be made easier with the parallel a similarly accelerated growth of cloud computing. Conferencing services should be able to make information searchable, digestible and readily available.

9. Conferencing Minutes are Now Sold in Bundles

On-premise and hosted Unified Communications & Collaboration (UCC) bundles are now incorporating audio and visual capabilities. Enterprise communication vendors such as Microsoft have streamlined their packages and are starting to offer products within UCC entry-level bundles. This will ultimately keep reducing the cost of conferencing services enabling smaller firms to get involved.

10. Hosted Video is Becoming Mainstream

Traditional video conferencing is steadily transitioning to the desktop and Smartphone. This factor in addition to more firms adopting an open space work place has led to ad-hoc meetings. Hosted video will is expected to keep growing as more and more organizations realize that cloud computing and conferencing solutions can bridge the gap between them and large corporations.