This article was originally featured on the Ubiq blog. To read the original in its entirety, click HERE.
As cliché as it sounds, data is a company’s most valuable commodity and cyber threat actors are taking increasingly drastic steps to gain access to your data – especially your customers’ personal and financial information – which is one of the primary reasons data encryption is standard practice across many major industries.
Reading about data breaches in the news is a near-regular occurrence, but they only represent a tiny fraction of total data breaches – the majority are never actually reported. In fact, most data privacy regulations don’t even require breaches be reported to regulatory authorities, if the data was encrypted. That’s because with modern encryption algorithms, encrypted data is worthless to an attacker unless they can also gain access to the encryption keys required for decryption.
Traditionally, to protect both data and its associated encryption key, many organizations have taken a piecemeal approach – encryption efforts are siloed, applied inconsistently across their diverse environments, and antiquated encryption strategies are utilized. As a result, these organizations have gaps in the protection of their sensitive and confidential data.
Disk encryption is a commonly used tool for data encryption. While effective against certain types of attacks, it’s not effective against most modern, interactive attacks. However, the addition of application-layer encryption can significantly enhance a company’s encryption strategy, complementing solutions like disk encryption.
Disk encryption: protecting data at rest
There are a number of data encryption strategies used to protect the confidentiality of the data, and the strategy chosen is often determined by the type of data being protected, which generally falls into two categories:
- Data at rest: data stored on a hard drive or other storage medium
- Data in transit: data flowing over a network
Data at rest is commonly encrypted using disk encryption. However, disk encryption is designed to protect against certain attack vectors, which doesn’t include most modern attack types.
How disk encryption works
Disk encryption is primarily designed to protect a storage medium against unauthorized users or physical attacks. The entire disk is encrypted with the same secret key, meaning that an attacker must have access to this key to access any of the files stored on the system.
This key is also stored (and encrypted) on the drive using an encryption key derived from the user’s password. When a user authenticates to the system, the drive encryption key is decrypted, so the entire drive is then decrypted and accessible to the user.
The shortcomings of disk encryption
Though disk encryption is one of the most commonly used security controls for encrypting data at rest, it isn’t sufficient to protect sensitive data against modern cyber threats companies face.
For one thing, disk encryption was designed to protect against attackers with physical access to a device like a server or hard drive and provides little or no protection against attacks coming over the network. And, since hackers don’t typically drive to offices, break in and steal drives out of PCs, disk encryption is mostly ineffective.
Gaps in the data encryption lifecycle
Even when data is encrypted seemingly properly, there are times when it is decrypted and accessible to an attacker. For instance, disk encryption ends when a user authenticates—or successfully submits their username and password. At this point, the disk decryption key is readily accessible, allowing the user—or any applications that they run—to access unencrypted data.
In fact, in 76% of data breaches, the attacker begins by stealing and using the credentials of a privileged account, making the protection provided by disk encryption useless.
Access controls are too general
In cybersecurity, the principles of least privilege or “need to know” are critical to a robust threat model. A user or application should only be granted access to data or other functionality if it is essential for them to be able to complete their task. But with disk encryption, access controls are applied at the disk level, which is far too general.
When data is encrypted at the disk level, once a user logs into the account where the data is stored, any application on that device can potentially access unencrypted data. This increases the attack surface and risk since an attacker can exploit any application on a machine to gain access to sensitive data.
Poorly managed keys
Strong key management is essential to effective data encryption. Anyone with access to the encryption key can decrypt and read the associated data. With disk encryption, the encryption keys are often stored in the memory of the machine, making it possible to easily decrypt files as needed. This leaves the keys exposed to unauthorized users via cold boot attacks or the use of virtual machine introspection.
Application-layer encryption can provide more effective protection to stored data
Application-layer encryption is designed to enhance data encryption strategies and fill in the major security gaps of disk encryption, by allowing each application to manage the encryption and decryption of its own data. The encryption keys are only accessible to that particular application, making it easier to protect decryption functionality. Unauthorized users and applications can no longer access the encrypted data or encryption key. This approach to data security solves many of the problems associated with disk encryption:
- Data is decrypted only when needed: An application can decrypt data on an “as needed” basis, rather than making the data accessible once a user is signed in.
- “Need to Know” is enforced: The application that owns the data is the only one that can access it unencrypted, limiting the potential for unauthorized access to sensitive data.
Disk encryption is an important component of a data security strategy, especially for mobile devices that can be easily lost or stolen. However, it is not enough to protect data at rest on its own. Adding application-layer encryption enables an organization to fill the gaps in its current data encryption strategy, dramatically reducing its vulnerability to data breaches.
To learn more about how application-layer encryption can help secure your data, click HERE to download a complimentary copy of the white paper, “Overcoming OWASP’s Sensitive Data Exposure Risk Through Application-Layer Data Encryption.”