Wednesday, January 12, 2022

From fragmented encryption chaos to unified data protection

At first glance, encryption everywhere looks like an obviously good idea. In practice, the pursuit of ubiquitous data security has often undermined itself, because the only way to reach ubiquity has been to combine different point products, vendors, and technologies to cover data in every combination of state and location: on-premises and in the cloud, at rest, in transit, and in use.

Not only is this inefficient, it also increases complexity, a known enemy of security. Multiple, disparate encryption systems create confusion about, or obscure, which assets are protected in which location, and which data, in which state, is subject to which policies and controls. This hodgepodge prevents an organization from knowing exactly what is encrypted at each point in the data's lifecycle, which leads to gaps, or to costly overlaps, in the data perimeter.

There are many reports of breaches at organizations that assumed encryption would protect their data at rest or in transit. In reality, the encryption either was not deployed in the expected way, or was subject to conditions that did not provide the intended level of protection. In other words, the complexity of the encryption estate created dangerous gaps.

In addition, because applications cannot rely on the underlying security being ubiquitous, they often carry their own built-in controls that overlap with the other encryption mechanisms in use across the organization.

Leaving data security to the application increases complexity further, since encryption then has to be deployed and managed separately for each application. This again results in potential gaps, inconsistent policy or coverage, and scaling limits across the business application portfolio.

The main problem with patchy encryption is that it usually covers only data at rest and in transit. Very few organizations extend encryption to data while it is being processed at runtime, which is exactly where it is most exposed to attackers and to malicious software. Releasing data into memory in the clear, the norm on almost every computer host today, is like locking some doors in a building and leaving the rest open.

A central security principle is that a system is only as secure as its weakest link. Many organizations believe their data is completely secure while being unaware of the exposure in unencrypted memory at runtime. This gap in protecting data in use undermines every other encryption control: the encryption keys themselves are typically resident in plaintext in memory for as long as they are in use, which means they are continuously exposed.

Attackers know how to exploit this, and defeat these encryption systems by dumping memory and searching it for key material. To continue the analogy, this is like locking the front door but leaving the key under the doormat.

Encrypting data at runtime has only recently become possible. The technology is built directly into the current generation of public cloud infrastructure (including the clouds of Amazon, Microsoft, and others) to protect runtime data even when an attacker gains root access to the host.

It blocks unauthorized access to data in use through a combination of hardware-level memory encryption and/or memory isolation. That small step paves the way for a big leap forward in data security, especially in the cloud.

Unfortunately, on its own this runtime protection has limited reach in enterprise IT. Used alone, each application must be adapted to the specific deployment model of each public cloud, which generally means recoding and recompiling, a fundamental barrier to adoption for already stretched application delivery teams. It ends up as yet another encryption and data security silo to manage, host by host, adding to the encryption chaos.

Securing data across enterprise IT requires an integrated software layer that covers all data states everywhere, eliminating gaps and complexity. Technically, such a layer can extend across providers and clouds, providing a continuous security perimeter that can also be managed centrally.

That makes data protection easier to manage, and it also allows workloads to run virtually anywhere, protected by the security-enhanced hardware in public cloud facilities even in geographic regions that cannot be trusted.

This infrastructure-level, ubiquitous implementation creates a new opportunity to bring security into the infrastructure and away from the complexity of implementing it in the 'application space'.
