Encryption strategy: a vital part of the security risk management plan?

Sunil Gupta | 10 Sep 2018

According to Risk Based Security’s 2017 Data Breach QuickView Report, there were 5,207 breaches recorded last year. The number of records compromised also surpassed all previous years, with over 7.8 billion records exposed, a 24.2% increase over 2016’s previous high of 6.3 billion. That is roughly 500 records stolen every second. The majority of breaches result in confirmed unauthorized access to sensitive data. Regulated industries, such as healthcare and financial services, suffer the most costly data breaches because of penalties and a higher rate of lost business. The 2017 Cost of Data Breach Study from the Ponemon Institute, sponsored by IBM, puts the global average cost at $3.6 million, or $141 per data record.

If records are encrypted, stolen information is of little use to attackers, yet reports indicate that the data is actually encrypted in less than 5% of cases. This raises an important question: do enterprises have an encryption strategy as part of their security risk management plan?

In today’s IT landscape, enterprise-critical data is distributed and stored far beyond the organization’s boundaries. Sensitive and critical data remains in transit for long periods, and this evolution from enterprise perimeter security to wide-area networking and cloud services multiplies the risk to enterprises many times over. Organizations have started to recognize that the longer it takes to detect and contain a data breach, the more costly it becomes to resolve. According to a FireEye report, the time between an attacker compromising a secured network and the breach being detected is highest in the APAC region, where the median ‘dwell’ time is 73 days above the global median of 99 days. Equifax took 141 days to discover its intrusion. Cyber insurance can compensate for the financial loss, but the damage to the company’s reputation is permanent.

Given the rising number and impact of breaches in businesses of all types and sizes, organizations need to take serious steps toward the prevention, detection and resolution of breaches. Several solutions exist today, including machine-learning-based threat anticipation, detection and incident management products, but one of the first steps an organization can take is to adopt a well-thought-out encryption strategy as part of its enterprise security risk management plan.

Cryptography, or encryption, is essential for securing data, whether in transit or stored on devices. It provides assurance that communications cannot be read even if intercepted, and that sensitive information stored on devices cannot be exfiltrated in the event of loss or theft. The value of encryption extends beyond proactive safety, as many organizations are obligated to encrypt sensitive information, with steep penalties for damages resulting from regulatory noncompliance. Enterprise encryption adoption is being shaped by multi-cloud use and new regulations such as the EU General Data Protection Regulation (GDPR).

Best practices prescribe a holistic security approach that includes a multi-layered, “defense-in-depth” strategy. A multi-layered encryption strategy demands a strong encryption algorithm, secure and high-quality encryption keys, and a robust enterprise-wide key management solution. The keys should come from a key generator that produces truly random, high-entropy keys whose strength matches that of the encryption algorithm. Centralized key management by enterprise security teams ensures a single point of trust and consistent policy enforcement. It also positions security teams to explore and manage quantum-safe key generation and distribution technologies and solutions, which are gathering significant interest and momentum with the imminent arrival of quantum computers in 18-24 months as an exploit kit in the hands of hackers.

With the right encryption strategy and implementation, enterprises can be more confident about distributing their applications across wide-area networks and using cloud-based services, which they are compelled to do to reduce costs and extend the reach of their applications and services. The new distributed, cloud model is changing many aspects of our digital world, including the key role that communication service providers and content delivery network providers play in providing a global, scalable and secure platform for connecting everything to everything.

Layer 1 security is the foundation for confidence and trust in securing data in flight. It isn’t enough to know that your devices and communications are encrypted; competently configuring encryption with ciphers that are secure today and tomorrow is vital to protecting data. More on this in the next blog post.
