File and Email Encryption held the promise of protecting sensitive data from attackers, but proved ineffective and difficult. This article explains how innovation and emerging technology allow us to deliver much needed advanced data protection.
About a decade ago, adoption of file encryption software was on the rise, though the trend was short-lived. The software was too hard to use, and the impact was minimal: attackers continued to find ways around the protections. As a result, security practitioners focused on other technologies, and encryption innovation slowed.
But all of that has changed. As encryption technologies have progressed, so too has the opportunity for enhanced authentication. Techniques fundamental to this marriage, such as secure auditing and data access reporting, lend themselves to related challenges. With advances in application integration and the removal of control containers, file encryption now offers end-users a near-seamless experience while providing continuous protection wherever data travels. And with the ever-increasing volume of file sharing and collaboration, an effective data encryption solution has never been more necessary.
Data Encryption Needs in Today's Threat Dynamic
In the last 5 years, we have seen new technologies in behavioral analytics, the maturing of SIEM, and numerous anti-virus and anti-malware replacements. But no matter how effective, none can stand alone to defend sensitive data. In each case, content encryption can provide a last line of defense against both data disclosure and theft. This is easier said than done, though with proper design and implementation it holds up even against advanced attacks.
End to End Encryption Is Not Enough
When it comes to data storage, so-called End to End Encryption simply isn't enough. E2EE ensures that two endpoints exchanging data over an independent transport do not expose that data to the transport. While required, it is not sufficient on its own: attackers simply compromise the endpoints and then steal both the protected content and the decryption keys. For this reason, cryptographic operations have to be offloaded to an isolated, protected environment where they can be managed independently of Domain Administrator (and other) credentials, which are often the first to fall when a network is breached.
Next Generation File and Email Encryption
While cloud technology innovation has flourished to offer a diverse set of hosting and distributed computing services, the threat landscape has likewise evolved into a marketplace of hacking tools for hire and exploits for sale. Thankfully, widespread adoption of and heavy investment in IaaS provide more than adequate support for new platform developments, and IaaS has already proven itself a viable foundation for the Next Generation File and Email Encryption services described below.
Encryption containers are like zip containers: they create another layer of UI elements to navigate, and more often than not require end-users to determine for whom information is destined so that encryption can be carried out accordingly. In some cases they even require users to import, export, and sign cryptographic materials. These controls don't belong in the end-user's interface; they belong with, and are managed by, policy administrators. Next Generation File and Email Encryption decouples controls from end-users, minimizing complexity, training, and deployment costs.
Cryptographic offloading lets you isolate sensitive cryptographic operations and key material from potentially hostile environments. This is part of what Hardware Security Modules (HSMs) and Trusted Platform Modules (TPMs) do. Unfortunately, these dedicated hardware modules are not (yet) available on all systems, and aren't always cost-effective. With better than 99.99% availability, cloud services provide a compelling alternative, decoupling encrypted content from the keys required to access plaintext. This ensures protections remain intact even on compromised hosts.
Integrated Access Control
When you offload cryptographic operations, you create a central control point that can determine who has access to managed decryption keys. This allows cloud services to authenticate the identity of a requesting user before authorizing access to operations that yield plaintext content. It addresses one of the most critical shortcomings in today's file encryption software by protecting decryption keys with strong access control, such as that provided by Two-Factor Authentication.
Central access control also provides a foundation for secure data sharing. By utilizing a role-based or user-centric security model with central authentication, you can deliver facilities to support flexible data sharing relationships for users and organizations. This is critical for secure collaboration across diverse environments that span the entire globe.
Backup and Restore
The growing prevalence of Ransomware drives the justified need for enhanced encryption security services more than any other threat class except advanced, targeted nation-state attacks. It is no longer enough to have data restoration capabilities at the ready: sensitive information has to be effectively encrypted and unavailable to assailants, lest end-users suffer the sometimes life-changing consequences of public disclosure of private information. Cryptographic offloading provides the ideal control point for integrating seamless data backup operations with controlled, secure data restoration, delivering high availability in a tightly controlled environment.
Secure Auditing and Reporting
Cloud cryptographic offloading also provides central control of data access event auditing and reporting. Because the logic executes in a closely managed, secure environment, event information enjoys the same isolation as the cryptographic materials. This means attackers can't easily cover their tracks. It also means failed attempts to request and acquire plaintext content are recorded and stored for further analysis. To bypass system controls, attackers would have to compromise both the cloud service layer and the host endpoint. Short of that, data reporting provides secure reports with date/time and location information that is far more precise and reliable than data generated on a compromised host.
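As an added illustration, not DefiniSec's code, of the offloading, integrated access control and secure auditing model described in the preceding sections, this Python sketch models a key service that holds file data keys, releases one only after an ACL check and an RFC 4226 HOTP second factor, and records every attempt (including failures) on the service side where the host cannot edit it. The user names, file id and token secret are constructed values.

```python
import hmac, hashlib, secrets, time
from dataclasses import dataclass, field

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP code: the second factor the user's token produces."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = int.from_bytes(mac[off:off + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

@dataclass
class AuditEvent:
    ts: float
    user: str
    file_id: str
    outcome: str

@dataclass
class KeyService:
    """Stand-in for the isolated (cloud/HSM) environment. Data keys, the ACL,
    OTP secrets and the audit log all live here, never on the requesting host."""
    keys: dict = field(default_factory=dict)          # file_id -> data key
    acl: dict = field(default_factory=dict)           # file_id -> set of users
    otp_secrets: dict = field(default_factory=dict)   # user -> token secret
    last_counter: dict = field(default_factory=dict)  # user -> highest HOTP counter accepted
    audit: list = field(default_factory=list)         # append-only, service-side

    def enrol(self, user: str, token_secret: bytes) -> None:
        self.otp_secrets[user] = token_secret
        self.last_counter[user] = -1

    def protect(self, file_id: str, users: list) -> None:
        """Generate the data key for a file; the host only ever stores ciphertext."""
        self.keys[file_id] = secrets.token_bytes(32)
        self.acl[file_id] = set(users)

    def release_key(self, user: str, file_id: str, otp: str, counter: int):
        """Authorize, authenticate, audit; return the data key only on success."""
        if user not in self.acl.get(file_id, set()) or user not in self.otp_secrets:
            outcome = "denied:not-authorized"
        elif counter <= self.last_counter[user]:
            outcome = "denied:otp-replay"  # simplified: no look-ahead window
        elif not hmac.compare_digest(hotp(self.otp_secrets[user], counter), otp):
            outcome = "denied:otp-invalid"
        else:
            outcome = "granted"
            self.last_counter[user] = counter
        # Every attempt is recorded here, out of reach of a compromised host.
        self.audit.append(AuditEvent(time.time(), user, file_id, outcome))
        return self.keys[file_id] if outcome == "granted" else None
```

A host that has stolen ciphertext and a user name still gets nothing from `release_key` without the second factor, and the denial is visible in `audit`.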
Minimizing Breach Impact While Limiting Exposure Risks
Next Generation File and Email Encryption helps minimize the data exposed to malicious activity while providing precise and secure insight into detailed host-based data access events. Together with facilities for easy application integration and secure data sharing, this provides a platform that can offer a highly effective last line of defense against those with malicious intent.
Available Today with SSProtect and KODiAC
DefiniSec delivers the promises of Next Generation File and Email Encryption with SSProtect, an applied cryptosystem that's easy to use and administer. Details will be available in Part II: Next Generation File and Email Encryption with SSProtect, which will be available Monday March 13th. In the meantime, you can visit our online support pages, view our online printable PDF documentation, and/or download a fully-featured time-limited trial of the software, which can be installed and provisioned for Windows files and Outlook Email messages in less than 90 seconds.
But whatever you do, please be sure you're doing something. If you would like assistance, whether pursuing DefiniSec technologies or otherwise, do not hesitate to email firstname.lastname@example.org.
This article was published March 9th, 2017