Data breaches are becoming bigger, bolder and more widespread than ever before. As a new government takes office in Washington, we need a mandate that stipulates cyber security as a fundamental right. This will also translate to a call to arms for the technology industry to develop solutions that answer that call.
In my 25-plus years of enterprise infrastructure and application experience, I have never seen a more profound and urgent need to protect assets that have taken years to accumulate — and I believe a critical part of protecting data is the need to encrypt it with keys that are always controlled by the owner of the data.
Three major trends are shaping the industry today:
1. The rise of insider threats is leading to a wider adoption of encryption in private clouds.
Data breaches continue to escalate at a frenetic pace in spite of the $90 billion Gartner projects will be spent on cybersecurity this year. One possible explanation is that the hackers are finding new ways of attacking data repositories. Rather than come in through the front door of the application, they are stealing database administrator credentials and are going through the side door to the database itself.
The only solution is prevention at the data-record level. Using encryption algorithms like Advanced Encryption Standard (AES) can help thwart brute force attacks.
2. Compliance requirements are expanding to protect privacy.
Consumers are demanding that service providers that collect their private information protect it or face huge penalties.
Emerging privacy regulations require that business entities that have customers in certain geographical locations comply with strict requirements concerning disclosure and remedial actions following a data breach event. A large number of states in the U.S. have such regulations already, but the one that is getting the most attention is the European Union’s General Data Protection Regulation (GDPR) (EU 2016/679). GDPR, which goes into effect in May 2018, mandates that any business (including non-EU entities doing business with EU residents) report breaches within 72 hours of the event. Non-compliance with these regulations may cause the entity to be subject to fines as high as 4% of their annual turnover or €20 million, whichever is greater, irrespective of the actual damage caused by the breach.
One consequence of the laws requiring disclosure of breaches is that the business is under no obligation to disclose that a breach has occurred if it only loses encrypted data. As a result, the call to arms to the business community is to adopt encryption of records as soon as they are created and make encryption easier to adopt without undue DevOps stress and significant performance impact.
From a privacy perspective, keys for encrypting the data should always be controlled by the owner of the data, and no one else. This is the only foolproof strategy that guarantees the security and privacy of the customer’s data. It is time for the industry at large, whether it is retail, financial, healthcare or technology, to embrace this paradigm and truly consider investments in cybersecurity to be a competitive advantage (rather than a necessary evil) to thwart regulators, or to do the bare minimum in ensuring their customer’s information is safe.
3. New delivery mechanisms for encryption are driven by ease of use, higher performance and better management.
As encryption becomes ubiquitous, it is critical that it becomes easier to consume and interferes less with how applications process data.
What’s Next For Encryption
Today, encryption for sensitive data is available in multiple flavors:
1. Media-based encryption, where either blocks or files are stored in an encrypted format, with the service provider controlling the keys as well as the encryption/decryption process.
2. Transparent data encryption (TDE), where the database server takes on the burden of implementing encryption by sourcing keys from a key management system (KMS). TDE will support the ability to encrypt at a column granularity so that the entire data store is not encrypted, resulting in a reduced performance overhead.
In both of these cases, the data in the server’s memory is in the clear, which tends to be the source of an insider breach.
3. Application layer encryption, where the enterprise IT team has to identify a cryptography library and modify the existing application to make the library calls necessary to encrypt and decrypt sensitive data as it is being transferred to the database. The only operation that is possible on encrypted data is equality check while all other operations require the data to be extracted from the database and decrypted in the application.
Now, in this era of “cloud-first” development, we are moving to a paradigm of services being programmatically integrated into applications (see Here’s Why Google Is Acquiring Apigee).
As cloud adoption accelerates, encryption and key management are being offered as a service so that they can be easily integrated into existing enterprise workflows. It’s something we’ve been working on, as have other providers, and personally, I see this development making it easier for companies with fewer IT resources to adopt encryption of their sensitive data and thus adopt a preventive posture to data protection, as opposed to scrambling to restrict damage caused by data breaches after it has happened.