The need for persistent encryption

The recent data breach at credit card processor Heartland Payment Systems may be the biggest ever, and it happened even though Heartland passed the PCI DSS security audit that credit card companies require. Heartland fell victim to a well-organized attack by cyber-criminals. These are adversaries that are part of the huge underground economy that obtains sensitive information and sells it for a profit. They're both determined and well funded.

It certainly looks like traditional security mechanisms aren't able to defeat such attackers. New approaches are needed, and the businesses that handle sensitive information that's valuable to cyber-criminals need to ensure that security vendors develop technologies and products that meet their needs. This isn't happening yet.

Encryption is probably the best way to protect against data breaches. If a cyber-criminal manages to get encrypted data but not the key used to encrypt it, the data is useless to him. If this is the case, then cyber-criminals won't be able to run profitable businesses that steal and resell sensitive information, and they'll have to look for another line of work. Unfortunately, the encryption products that are commonly used today don't provide enough protection for data. They provide good protection for it in some situations, but not in all situations.

In many cases, sensitive information was encrypted while it was stored in a database, but it loses this protection when it leaves the database. That can leave the door open to an attack that can compromise millions of credit card numbers. Almost all uses of encryption work similarly, providing protection in some situations but not others. This means that they don't stop cyber-criminals. Instead, they just limit the number of places where they can carry out their attacks. As long as there is a single place where the data is vulnerable, cyber-criminals will find it and exploit it.

Persistent encryption: protection by default

The best way to stop cyber-criminals is probably to encrypt data in a way that the data always stays encrypted until it's needed by business logic. You might call this "persistent encryption," or "protection be default," and it's a fundamentally different approach to information security than what's used today.

In today's IT environments, data is only encrypted if an application explicitly encrypts it. If no application encrypts data, it's in the clear where it's vulnerable. You might say that data is unprotected by default.

An alternative to this model is to have all sensitive data encrypted, and to only decrypt the data when it's needed by authorized business logic. You might say that data is protected by default in this situation. If data is protected by default with persistent encryption, then it's much tougher for cyber-criminals to get it. No matter where they manage to collect the data, it's going to be encrypted, and there's now no place at all where the data is vulnerable.

If you're using persistent encryption, you can copy sensitive data to your laptop and not worry about it being compromised if your laptop is lost or stolen. You can also copy the sensitive data to a USB drive or CD-ROM and not worry about the data being compromised if the drive or disk is lost or stolen. In each of these cases, because there's no authorized business logic that's decrypting the data, the data stays encrypted. This means that it's useless to an unauthorized user who might get it, either by accident or other means. Persistent encryption keeps it safe all the time.

Unfortunately, security vendors have been slow to create products that provide persistent encryption. This means that it's up to their customers to demand it. Software vendors finally took security vulnerabilities in their products seriously when their customers demanded security audits of their products as a condition of buying them. The result of this has been software that isn't vulnerable to some attacks that were once common. It seems likely that security vendors will be similarly reluctant to develop the tools that let enterprises implement persistent encryption. If you could benefit from this technology, let your security vendors know, and the rest will probably take care of itself.

Leave a Reply

Your email address will not be published. Required fields are marked *