Time to rethink encryption

Lori MacVittie, principal technical evangelist at F5 Networks, discusses.



We are so enthralled by our own brilliance in cryptography that we forget that most data at rest - tucked away inside databases - is unencrypted.

Case in point, a Skyhigh analysis of encryption controls found that 81.8% of cloud service providers encrypt data in transit using SSL or TLS but only 9.4% of providers encrypt data once it’s stored at rest in the cloud. That makes the growing number of organisations found to be offering unfettered access to cloud databases and AWS S3 storage buckets a nightmare waiting to happen.

The problem is that cryptography doesn't completely protect our data, computer networks, and other digital systems. It protects data in flight and, if we're lucky, at rest. It augments access control for critical systems. But the reality is that in order for the "networks" and the "systems" to process data and execute logic, they must be able to view data in plain, naked text. Organisations face a bigger risk from unprotected and unpatched applications than they do from digital peeping Toms.

This is ultimately why breaches continue to occur at increasing rates. Not because the data isn't encrypted in flight or at rest, but because applications and APIs can't process the data in its encrypted form. It must be unencrypted, at which point it is vulnerable to exposure. And vulnerabilities attract attackers.

The applications and APIs which interact with and operate on that unencrypted data are a more significant threat to the security and privacy of data than the cracking of quantum-based cryptography. That's one of the reasons they are so frequently targeted. In an F5 Labs analysis across a decade of breaches, "applications were the initial targets in 53% of breaches." Not only are they the easiest route to data, they're one of the only places left in the increasingly encrypted data path where data is unencrypted and readily usable by those seeking it.

We are nearly numb to breaches today because they happen with such alarming frequency that it is normal to see news of millions of records ripped from some database through an application. This is in spite of efforts to force us to use encryption - to use HTTPS instead of HTTP. This is in spite of browsers enforcing cryptographic standards on the algorithms and key lengths used to encrypt data from "prying" eyes.

If today's "cyberdefenses" truly do rely heavily on the strength of cryptography, then we are truly in trouble. Because it is not the strength of cryptography alone that prevents the breaches and exfiltration of data that plague our newsfeeds and clog our inboxes. It is the strength - and increasingly, the intelligence - with which we can recognise and prevent an attack that leads to the loss of data.

Encrypted malicious code is still malicious. Encrypted stolen credentials stuffed into application authentication systems are still stolen credentials. Eliminating middleboxes doesn't eliminate the threat of a vulnerable web or application server executing an exploit to gain access to valuable, naked data.

It isn't enough to gaze lovingly at our ability to strengthen encryption if it carries the attacks that threaten exploitation of applications and APIs straight into the heart of our digital economy. Protecting our digital assets (applications) and the channels through which they are accessed (APIs) requires a more holistic approach to application protection that combines intelligence, identity, and detection of attacks in addition to strong cryptography.
