The high-profile leaks of highly sensitive data by NSA contractors Harold Thomas Martin and Edward Snowden woke enterprises up to the fact that traditional perimeter security is not enough.
In its 2016 Cyber Security Index, IBM Security found that 60% of breaches were caused by insiders either as inadvertent actors compromising their credentials or those with malicious intent.
What’s become increasingly clear is that despite the roughly $75 billion spent on cyber security reported by Gartner, data breaches continue to escalate. This is because the attack vectors are changing.
Rather than penetrate an organisation’s IT network by breaching the firewall, hackers get in on the inside with compromised credentials and lie in wait for months before attacking the data repositories.
Unfortunately, these kinds of insider threats are very difficult to identify because conventional security mechanisms like identity and access management or authentication can be fooled into thinking that the hacker’s access is a legitimate access.
For example, behavioural analytics of IT activities can identify threats, but it is only a matter of time before hackers learn to fool these tools as well.
Preventing insider threats
Protecting the data as soon as it is created using impenetrable encryption algorithms like AES will make the data unusable without the corresponding encryption keys.
The next step is to make sure that the keys are separated from the encrypted data. This will ensure that getting access to the data store will not compromise the data as it will only yield encrypted data.
According to breachlevelindex.com, out of the 5.8 billion records that have been lost or stolen since 2013, only 4% consisted of encrypted data that was essentially useless to the hacker. Since most data is not encrypted, hacking continues to be a lucrative business.
Encryption adoption challenges
The initial challenge faced by data managers when creating an encryption strategy is identifying what data to encrypt. Next, deciding what encryption technology to use requires detailed knowledge of cryptography, which is not easily available.
Managing keys is a significant challenge because if the key is lost, the encrypted data is of no use. The additional mathematical processing involved in encrypting data adds to the cost of computing as well as increased latencies for applications that need to access that data.
In short, adopting encryption can have a significant impact on enterprise application workflows because the data is transformed and it would require a significant development exercise to implement this critical need.
To get around this, IT administrators tend to take the easy way out by allowing a cloud provider to encrypt the media on which the data resides or use self-encrypting drives if the data is on premise. These shortcuts allow them to meet minimal compliance requirements but do not thwart hackers.
Mitigating the insider attack threat
The solution to the insider threat requires a multi-step approach. First, the data and the keys should only be available to be accessed by authorised applications under programmatic control. This eliminates the use of database administrator’s credentials from being used to steal data by an insider or someone posing as one.
Second, applications should be able to access and process data in databases without decrypting the data in the memory. This prevents malicious insiders or malware from using tools like memory scrapers to extract data from memory.
If the data in memory is available in the clear, it can be stolen if a hacker gains access to that server or if the infrastructure administrator’s credentials are stolen.
Last but not least, encryption approaches need to be developed that are easy to integrate, manage keys seamlessly and have little or no application performance overhead.
Sourced from Ameesh Divatia, co-founder and CEO, Baffle