The Centralized Encryption and Key Management Your Users Won’t Notice
Several of the recent high-profile ransomware attacks that have made world headlines have stemmed from the compromise of trusted, administrator-privilege accounts. Malware was pushed by supply chain companies in trusted, signed code, bypassing many security checks.
The lessons organizations can draw might include:
– Should we be enacting a blanket encryption-at-rest policy?
– Do our supply chain partners have good enough security systems?
– Do we have sufficient failover and remote archive capability?
– Should we be considering deep encryption at file system or database levels?
In addition to concerns about loss of intellectual property, business continuity is an added focus to the issue of data loss and statutory compliance demands. Notably, the Australian government’s reclassification of multiple verticals as “critical infrastructure” is an indicator of what enterprises can expect on that score in the next few years. Organizations operating in healthcare and food & beverage are now classified as “critical infrastructure.”
Securing total file and volume data by encryption isn’t a simple process in today’s enterprise IT infrastructure, where the emphasis operationally is put firmly on real-time data ingestion and processing, production systems’ uptime, and general agility. With those business-led demands come complex topologies of multi- and hybrid clouds, and a mixture of proprietary and open-source database schema and operating systems. No organization can pause and wait for their digital resources to be obfuscated, even if it were a case of a single button-click to encode every data store on every platform.
However, the bottom line is that encrypted data lowers risk, and those risks can be lowered further by regular re-creation and rotation of encryption keys. A compromised AWS S3 bucket will remain highly problematic on many levels but will at least be a contained incident that won’t affect other parts of the organization’s infrastructure.
Therefore, when considering encryption of data to add extra security, the first questions to ask are:
– What can and should be encrypted?
– When should encryption happen (in the sense of when during the data life cycle)?
– Where should encryption take place (at what OSI layer[s], specifically)?
– How should encryption be applied?
– How should the encryption infrastructure, systems, and policies be managed?
At a high level, data encryption security level is determined by where they it’s employed: disk, file system, database, and application. In general, the lower in the stack encryption is employed, the simpler and less intrusive the implementation will be. However, the number and types of threats protected against are reduced. On the other hand, employing encryption higher in the stack realizes better security levels, mitigates against more threats, but comes with greater overheads.
Without a dedicated encryption and key management solution, oversight of these security layers is practically impossible in all but the smallest and simplest topologies. Adding to the mix just one on-premise production system that “bursts” to a cloud provider under peak demand, for example, provides a head-scratching exercise for security professionals and a larger attack surface.
There are very few specific suppliers of encryption and key management platforms operating successfully today, and the de facto choice for many (including military and peri-governmental bodies) is Thales. It provides a highly adaptable platform that applies high-grade encryption via hardware or virtualized devices, managing, rotating, auditing, and issuing keys for use in complex topologies.
In an environment of increased risk to sensitive data, enterprises need the ability to limit access to sensitive information to only those users, groups and processes that require it. This need extends across data centers, cloud, data lakes, and all information repositories. Additionally, sensitive data should be useless (and valueless) when unused without controlled access to the decryption levers by legitimate users. This is transparent encryption with user access control.
CipherTrust Transparent Encryption software for enterprises delivers data-at-rest encryption with centralized key management, privileged user access control and detailed data access audit logging. This protects data wherever it resides — on-premises, across multiple clouds and in big data and container environments. The result is greatly reduced risk and an enhanced capability to meet compliance and regulatory data security requirements.
The FIPS 140-2 compliant CipherTrust Transparent Encryption agent resides at the operating file-system or device layer, and encryption and decryption is transparent to all applications that run above it. CipherTrust Transparent Encryption is designed to meet data security compliance and best practice requirements with minimal disruption, effort, and cost. Implementation of the server encryption software is seamless keeping both business and operational processes working without changes even during deployment and roll out.
The platform also emphasizes integration and ease of deployment, and provides in-depth data security analytics, so taking its place in the larger security stack. Those policies can also be modeled with regards to existing user schema, as in LDAP, AD, or other management tools.
The solution works in conjunction with the FIPS 140-2 up to Level 3 compliant CipherTrust Manager, which centralizes encryption key and policy management for the CipherTrust Data Security Platform. The CipherTrust Manager (physical or virtual) operates on multiple clouds, on-premise, and so on — whatever the infrastructure that the business operates with.
For highly intensive production workloads, an additional option permits live data to be re-encrypted as new keys are automatically deployed according to policy timetables (or in the event of a verified security incident, for example). There’s also a dedicated option to work with S4/HANA repositories natively and transparently.
The Thales offerings and product lineup provide significant additional layers of security for every business, not just those that work with what has been previously considered “sensitive data.” Because the PR and statutory impact of a data breach or successful ransomware event are potentially devastating, low-level, transparent, and simply-deployed encryption management is rapidly becoming a must.
To find out more about the best course to pursue and to find out how Thales will fit into your existing cybersecurity stack, we suggest downloading this whitepaper for comprehensive details on the platform’s interoperability and abilities. Alternatively, to discuss your scenario and needs with an expert, reach out to a local Thales representative today.