According to the upcoming Verizon 2014 Data Breach Investigations Report, in three-quarters of breaches the attacker compromises the system in days or less, yet fewer than 25% of breaches are discovered in days or less. If that 75%-plus failure rate isn’t alarming enough, there’s the recent Enterprise Strategy Group survey of security professionals, in which almost half (42%) said that “keeping up with the latest threats and vulnerabilities” is “much more difficult” or “somewhat more difficult” than it was two years ago.
Or how about security being the single biggest impediment to cloud adoption, according to Elad Yoran, CEO of security/encryption specialist Vaultive. “All of the major barriers to cloud adoption have been addressed with one exception, security.” Until that issue is addressed and enterprises can secure their data, even when it resides on systems they don’t control, they will be reluctant, and in some cases unable, to move to the cloud, he said.
“In 2013 enterprises got real about cloud computing. In 2014 we will integrate it into our existing IT portfolios – whether IT likes it or not,” said Forrester Research analyst James Staten.
“When this issue [cloud security] is addressed, we will see the floodgates of cloud open up,” said Yoran. “It will unleash billions of dollars in cost savings.”
Unfortunately, security concerns aren’t restricted to just the bad guys. “Revelations on surveillance and data mining programs like the NSA’s Prism have highlighted the risks that companies must come to terms with when their data is stored and processed in the cloud,” stated Yoran. “Whether it’s access to corporate data by the NSA or equivalent national security agencies outside of the U.S. and other U.S. federal agencies, or compliance with regulations that mandate data protection, businesses remain responsible for maintaining the privacy and confidentiality of their data.”
Staten said one solution is ‘bring your own encryption’. BYOE is a cloud computing security model that allows cloud services customers to use their own encryption software and manage their own encryption keys. “This is going to be at the top of the security list for 2014 because of the whole NSA/Snowden data leak,” Staten said. “We also expect in 2014 that other governments are going to get caught doing this [collecting data] too.”
BYOE works by allowing customers to deploy a virtualized instance of their own encryption software alongside the business application they are hosting in the cloud. The business application is configured so that all its data is processed by the encryption application, which then writes the ciphertext version of the data to the cloud service provider’s physical data store.
Staten said it is in the best interest of large enterprises for the data they have extreme concerns about to be a candidate for BYOE. And there are multiple ways to handle encryption:
- you can bring the type of blanket encryption that encrypts the entire volume;
- you can bring encryption that retains the structure of the data; and
- you can bring what they call tokenization, in which the integrity of the data is maintained (which is really necessary to consume the data and for different applications to do stuff with it) but the true identity of the data is obscured.
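As an added illustration of the vault-style tokenization described above (constructed for this article, not Vaultive’s or any other vendor’s code), here is a customer-held token vault that hands the cloud application format-preserving tokens: the provider side can still group and count records by account, while the mapping back to plaintext exists only in the vault the customer controls. The account numbers and the `cloud_count_by_account` function are constructed sample data and a hypothetical provider-side routine.

```python
import secrets
import string
from collections import Counter


class TokenVault:
    """Customer-controlled vault: the only place a token maps back to plaintext."""
    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}

    def tokenize(self, value: str) -> str:
        # Same plaintext -> same token, so equality and grouping still work on tokens.
        if value in self._value_to_token:
            return self._value_to_token[value]
        for _ in range(100):  # retry on the rare collision or identity token
            token = self._format_preserving_token(value)
            if token != value and token not in self._token_to_value:
                self._token_to_value[token] = value
                self._value_to_token[value] = token
                return token
        raise ValueError("could not derive a distinct token for this value")

    def detokenize(self, token: str) -> str:
        return self._token_to_value[token]  # fails anywhere the vault is absent

    @staticmethod
    def _format_preserving_token(value: str) -> str:
        # Keep length and punctuation, keep the last four characters of longer values
        # (what a cloud app typically needs to display), randomize everything else.
        keep = 4 if len(value) > 8 else 0
        head, tail = value[: len(value) - keep], value[len(value) - keep:]
        scrambled = [secrets.choice(string.digits) if c.isdigit()
                     else secrets.choice(string.ascii_letters) if c.isalpha() else c
                     for c in head]
        return "".join(scrambled) + tail


def cloud_count_by_account(records):
    """Provider-side aggregation: sees only tokens, yet still counts orders per account."""
    return Counter(rec["account"] for rec in records)


def demo():
    # Constructed sample orders; the card-like numbers are test values, not real accounts.
    vault = TokenVault()
    orders = [("4111111111111111", 25.0), ("4111111111111111", 40.0), ("5500000000000004", 9.5)]
    cloud_records = [{"account": vault.tokenize(acct), "amount": amt} for acct, amt in orders]
    return vault, orders, cloud_records
```

Losing the vault has the same effect as losing an encryption key: the tokens in the provider’s store stay usable for aggregation but can never be resolved back to the original values.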
Security experts have long recommended persistent encryption for securing data in the cloud, but adoption has been low. Although the figures are close to a year old, research put the share of overall IT security spending dedicated to encryption at 18%, up from 10% in 2012. Concerns about proper key management, potential performance impacts and cost, however, are the grains of sand in the gears of progress. Even though enterprises recognize the need for and importance of encryption, the rate of adoption has been uneven, to say the least.
A number of other vendors, including CipherCloud, Trend Micro and HyTrust, offer tools that make it easier for businesses to retain more control of their data while taking advantage of cloud-hosted infrastructure and services. They highlight the move to a zero-trust security model.
At the end of 2013 IBM patented a new data encryption technique called fully homomorphic encryption. Unlike other encryption techniques, where data must be decrypted before it can be analyzed, fully homomorphic encryption allows data stored anywhere to be analyzed while it remains encrypted, without compromising its security.
“Our patented invention has the potential to pave the way for more secure cloud computing services — without having to decrypt or reveal original data,” says Craig Gentry, IBM cryptography researcher and co-inventor of the patent. “Fully homomorphic encryption will enable companies to confidently share data and more easily and quickly overcome challenges or take advantage of emerging opportunities.”
While the patent is noteworthy, and Yoran credits Big Blue’s long involvement with security and encryption, he believes implementation of fully homomorphic encryption is at least a year, maybe decades away. He said encryption typically comes down to three elements: encrypt the data while it is still under your control; encrypt it persistently across its lifecycle, while in use, in transit and at rest; and maintain control of the encryption keys. “The golden rule of encryption is whoever controls the keys controls the data.”
This fear of Big Brother and the use of encryption to combat it will also peak this year, said Staten, because even some of the most sophisticated encryption technologies still require you to be very good at encryption key management. If you’re not very good at encryption key management, you might encrypt your data and never be able to read it again, which would be quite bad. Key management is not a core competency for all companies, and they’re going to quickly learn that a good way to do key management is to not do it everywhere, [but] to do it in pockets where they really need it. And they’re going to start realizing this is something that they need to use, but not all of the time.
Moving forward, Yoran said Vaultive will add support for additional applications at an “aggressive rate”. In November it announced support for persistent encryption of data stored and processed by major enterprise cloud applications, including Box Enterprise, Yammer, SharePoint Online, SkyDrive Pro, SAP SuccessFactors and Microsoft Dynamics CRM Online.
“Down the road we will be releasing support for a growing list of applications, including the ability to encrypt data in custom applications. Finally, we are also going to be announcing over the course of 2014 a broader array of tougher security capabilities beyond encryption that are today lacking in the cloud.”