Losing the Human Touch to Protect Data – Infosecurity Magazine

Human nature means that we tend to default to the easiest option when faced with difficult and serious issues, and this can be the case when it comes to securing our data and information systems.

In the early days of information security, we focused on preventing access to the data we valued. We installed firewalls to protect our perimeters and bought anti-virus software to identify and prevent malware that might sneak through. If we had taken a more data-centric approach from the start, maybe we would have avoided many of the breaches that have hit the headlines over the last 30 years.

Encryption has been around for centuries and was used by the Greeks and Romans to protect information if it fell into the wrong hands. Protecting electronic data has proven to be a more complex problem, and it is us humans again who have been the Achilles heel of most encryption solutions.

Humans were never meant to worry about data security or to have to make decisions about what is important to encrypt and protect and what is not. What was needed at the very start was a philosophy that makes security an inherent property of data that is invisible to those who generate and use it every day. Inherent and invisible security allows users to act as normal, without rules or technology to get around that would introduce risk.

It's not too late though: most encryption solutions rely on symmetric encryption, which uses the same key to encrypt and decrypt. Public Key Infrastructure (PKI) enables asymmetric encryption, which uses two keys: a public key to encrypt and a unique private key to decrypt. PKI encryption allows for simple and natural file sharing across user groups, networks and in the cloud.

This is a major advantage, but individuals will find other ways of achieving something if the proper way is difficult, so PKI-based encryption has to be both inherent and invisible to avoid these risks. This can be achieved by making the encryption processes work at the file system level so that humans aren't even aware that they're going on.

In addition, tightly binding authentication with encryption of the data inside the files ensures that even if information falls into the wrong hands, whether by accident, through insider theft or by malware attack, it remains encrypted and useless to anyone.

Number crunching

Technically, PKI-based file encryption is a complicated process and is a slow and mathematical task which takes many processor cycles. However, modern CPUs include some dedicated instructions for encryption operations, eliminating performance problems and user frustrations.

The other important factor is that there must be no disruption to the way people and applications work. For example, data must remain encrypted at all times on disk, even when files are being edited. If an unauthorized individual attempts to open a file that is not encrypted for them, they will then find that the data is unreadable even if they take a copy of the file outside the network.

So, how is it different?

There are plenty of encryption systems on the market, but full disk encryption systems like BitLocker, for example, only protect data when the system is switched off, so anyone or anything can access any file on a running system.

File and folder encryption, as well as data classifications, rely on the user making a security choice. Users must actively choose to encrypt files and additionally remember to delete the originals. This method assumes the user or administrator will make the right classification choice. If everything is encrypted, however, the need to make user decisions is removed and individuals also cannot decide not to encrypt some data.

By building authentication into each file alongside encryption we can be sure that only authorized individuals can access the data. This approach defeats insider data theft because any stolen information remains encrypted and therefore useless once outside the control of the organization.

This individual security shield is maintained on every file, no matter how it is used, where it is stored and on which media it is copied. That means even if someone has the correct ID, password and token, and has the authority to open a file encrypted with their public key, the file still remains encrypted.

What about the admins?

In conventional encryption, privileged users such as IT administrators are still able to access information, which presents a risk. With authenticated encryption, admins can still do their job, but they will be unable to decrypt files they do not have the authority to open.

It is also irrelevant where files are copied because each one has its own inherent security. To have access to any of the data, the administrator needs the file, the user credentials, their private key and the decryption filter. As a result, it is not possible to decrypt a file outside of the organization, even if an individual is authorized to decrypt the file when at work.

Mind the gap

It's time to take a fresh look at data security. Rather than trying to fill in the security gaps to protect the increasingly disparate perimeter defenses, we need to take a data-centric approach to security and protect it at the most basic level, which is the file, at rest, in use or in motion. We need to step back from solutions that protect some of the data some of the time, focus on compliance rather than security, or add complexity that can introduce risk itself.

Most importantly, we need to remove the human element of data security entirely, rather than try to account for it or change it. Training and monitoring doesn't work all the time, and human nature has shown that if the solution is not instinctive or logical, we will create our own, insecure methods. How many people leave the front door key under the pot by the door?

People should be able to work just as they want to or need to, without additional considerations and obvious pressures, and similarly, usability needn't be sacrificed to strengthen our data security.
