The Last Encryption Gap – Data in Use
- Itsik Musseri
- 3 minute read
How the lack of technological advances prevents the encryption of your most sensitive asset: data
Data is not a static object. It moves through different states, at rest, in transit, and in use, and it changes state as often as a task requires. These are the 'states of data'. Each state has its own protection requirements, and it is this constant change of state that causes problems for encryption solutions that are not flexible enough to follow the data through the ways it is actually used.
A Short Overview of Data Encryption
The Breach Level Index provides a review of the state of data breaches. Between 2013 and 2018 it recorded 14.7 billion exposed data records, of which only 4% were encrypted. Getting encryption right across all of the states of data is essential for continuous protection. There are, however, several options to choose from, and choosing the right one is not straightforward.
The following is an overview of the typical encryption options available to protect data across the lifecycle of the data ecosystem:
Encryption of Data at Rest
Typically, data is stored in a database, on a disk, on backup tape, or similar, and is encrypted where it is stored. In the simplest terms, an encryption algorithm such as the Advanced Encryption Standard (AES) transforms plaintext into ciphertext; the ciphertext can be transformed back into the original only with the correct key. Databases often have their own built-in encryption features (transparent data encryption, for example), and the granularity can range from an individual cell up to the entire database.
The problem with encrypting data at rest is that it is a point solution: it protects against theft or loss of the storage medium, but not against anyone who can legitimately read the data through the database or the application, because the data is decrypted for them. Insider threats, and in a cloud-hosted database the provider's own administrators if the provider holds the keys, fall outside what at-rest encryption can address.
Encryption of Data in Transit
A recent survey found that 95% of data center traffic emanates from the cloud. Once data leaves the environment it was stored in, it crosses networks that an attacker may be able to observe, and without protection it is vulnerable to interception attacks such as Man-in-the-Middle (MitM). Protection in transit has to provide confidentiality (encryption), integrity, and authentication of the endpoints. In practice this means the data is encrypted before transmission and stays encrypted on the wire, the endpoints at either end prove their identity to each other, and the receiver checks that what arrived is what was sent.
The Transport Layer Security (TLS) protocol is the standard way to encrypt data in transit online. Its predecessor, Secure Sockets Layer (SSL), and the early TLS 1.0 and 1.1 versions are deprecated and should not be used; current deployments should require TLS 1.2 or 1.3.
A Virtual Private Network (VPN), for example over IPsec or WireGuard, is also a common method for encrypting data in transit.
Encryption of Data in Use
Encrypting data in use has always been more challenging. A conventional processor can only compute on plaintext, so before data can be read, updated or searched it has to be decrypted into memory, and at that moment anyone with access to that memory, including the operating system, the hypervisor, or a privileged administrator, can read it. In a public cloud those layers are operated by the provider, so the problem is compounded by the question of who controls access.
Homomorphic Encryption (HE), unlike conventional encryption, allows computation to be performed on data while it remains encrypted, so the data never has to be decrypted in order to be used. HE has a major downside, however, and that is speed: HE operations are orders of magnitude slower than the same operations on plaintext, which rules it out for many use cases. Fully homomorphic schemes use bootstrapping to refresh ciphertexts so that computations of arbitrary depth become possible, but bootstrapping is itself one of the most expensive steps, so it extends what HE can do rather than making it fast.
Another option for protecting data in use is a Trusted Execution Environment (TEE). A TEE is a hardware-isolated region of a processor (Intel SGX, ARM TrustZone and AMD SEV are examples) in which code and data are shielded from the rest of the system, including a privileged operating system or hypervisor. TEEs tend to be OS- and hardware-specific: code has to be written for a particular vendor's enclave model and attested through that vendor's infrastructure, which makes them a poor fit for a cloud-based data infrastructure spanning multiple providers.
The issues with the commonly available options for data in use are speed, limited use cases, and control.
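To make the homomorphic property concrete, here is an added example (not code from the original article) of the Paillier cryptosystem, the classic additively homomorphic scheme, implemented from scratch in Python with only the standard library. The key sizes, the `keygen`, `encrypt`, `decrypt`, `add_encrypted` and `mul_encrypted_by_const` names, and the sample values 42 and 58 are this example's own choices. Paillier supports adding two ciphertexts and multiplying a ciphertext by a known constant, but not arbitrary computation, so it is partially rather than fully homomorphic and needs no bootstrapping.

```python
"""Paillier cryptosystem: computing on encrypted data (added example, not from the article).

With public key (n, g = n + 1) and ciphertexts in Z*_{n^2}:
    Enc(m) = g^m * r^n mod n^2           (r random, gcd(r, n) = 1)
    Enc(a) * Enc(b) = Enc(a + b mod n)   (additive homomorphism)
    Enc(a) ^ k = Enc(k * a mod n)        (multiplication by a public constant)
Key sizes used here are far below production strength; they only keep the demo fast.
"""
import secrets
from math import gcd


def _is_probable_prime(n: int, rounds: int = 25) -> bool:
    """Miller-Rabin primality test (error probability below 4^-rounds)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                          # a proves n composite
    return True


def _random_prime(bits: int) -> int:
    """Random odd prime with exactly `bits` bits."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def keygen(bits: int = 512):
    """Return ((n, g), (lam, mu)). Use a 2048-bit or larger n for anything real."""
    p = _random_prime(bits // 2)
    q = _random_prime(bits // 2)
    while q == p or gcd(p * q, (p - 1) * (q - 1)) != 1:
        q = _random_prime(bits // 2)
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)  # lcm(p-1, q-1)
    g = n + 1
    # With g = n + 1, L(g^lam mod n^2) = lam mod n, so mu is simply lam^-1 mod n.
    mu = pow(lam, -1, n)
    return (n, g), (lam, mu)


def encrypt(pub, m: int) -> int:
    """Randomised encryption: the same m gives a different ciphertext every time."""
    n, g = pub
    if not 0 <= m < n:
        raise ValueError("plaintext must be in [0, n)")
    n2 = n * n
    while True:
        r = secrets.randbelow(n)
        if r > 0 and gcd(r, n) == 1:
            break
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def decrypt(pub, priv, c: int) -> int:
    n, _ = pub
    lam, mu = priv
    n2 = n * n
    l_value = (pow(c, lam, n2) - 1) // n          # L(x) = (x - 1) / n
    return (l_value * mu) % n


def add_encrypted(pub, c1: int, c2: int) -> int:
    """Untrusted side: add two hidden plaintexts by multiplying the ciphertexts."""
    n, _ = pub
    return (c1 * c2) % (n * n)


def mul_encrypted_by_const(pub, c: int, k: int) -> int:
    """Untrusted side: multiply the hidden plaintext by a public constant k."""
    n, _ = pub
    return pow(c, k, n * n)


def demo(bits: int = 512):
    """Owner encrypts 42 and 58; a party without the private key computes 42+58 and 3*42."""
    pub, priv = keygen(bits)
    c42, c58 = encrypt(pub, 42), encrypt(pub, 58)
    total = decrypt(pub, priv, add_encrypted(pub, c42, c58))          # 100
    scaled = decrypt(pub, priv, mul_encrypted_by_const(pub, c42, 3))  # 126
    return total, scaled, c42 != encrypt(pub, 42)


if __name__ == "__main__":
    print(demo())  # (100, 126, True)
```

The party running `add_encrypted` and `mul_encrypted_by_const` holds only the public key and two ciphertexts, which is exactly the cloud-provider position the article describes. The speed caveat is visible even in this toy: a single encryption costs two modular exponentiations modulo n squared, where a plaintext addition costs one CPU instruction, and fully homomorphic schemes that support multiplication of two ciphertexts are slower still.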
Specific Challenges of Encryption in the Data Ecosystem
The data ecosystem has a problem at the point of use. The industry has developed solutions for encryption at rest and in transit, but data in use has proved more challenging to handle in a secure and seamless manner. Protecting data at rest and in transit is not enough: every part of the data lifecycle needs to be covered to have an end-to-end solution for data security and privacy.
Most methods that try to address this are slow or difficult to set up; in other words, there is a gap between data that arrives encrypted and the subsequent use of that data. Data in use has special requirements: the encryption and decryption process has to be seamless, fast, and agnostic to the many ways in which data is accessed and used.
This is the gap that the concept of "Zero-Trust Encryption" (ZTE) is intended to close.
Control is a key issue for data in a cloud-based environment. When the cloud provider manages the encryption keys, or decrypts data on its own servers in order to process it, the provider has access to those keys and to the plaintext. A ZTE scheme means just that: zero trust is placed in the provider, so the keys stay with the data owner and the provider is never able to access either the plaintext or the encryption keys.
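As an added illustration of the zero-trust key model described above (and of the searchable-encryption model the conclusion refers to), here is a minimal searchable symmetric encryption (SSE) scheme in Python, written for this page rather than taken from the article or from any vendor's product. The client keeps all keys and uploads only encrypted documents plus keyword tokens computed with a keyed HMAC; the server, standing in for the cloud provider, answers keyword searches by matching tokens but never sees a key, a plaintext, or a keyword. The `Client` and `Server` classes, the HMAC-SHA256 counter-mode keystream used in place of AES-CTR (the standard library has no AES), and the sample documents are all this example's own assumptions.

```python
"""Minimal searchable symmetric encryption with deterministic keyword tokens.
Added example, not the article's or any product's code."""
import hashlib
import hmac
import secrets


def _prf(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode stream cipher built on HMAC-SHA256 (stand-in for AES-CTR).
    The same call encrypts and decrypts; a fresh nonce per message is required."""
    out = bytearray()
    for block_no, start in enumerate(range(0, len(data), 32)):
        block = _prf(key, nonce + block_no.to_bytes(8, "big"))
        out.extend(a ^ b for a, b in zip(data[start:start + 32], block))
    return bytes(out)


class Server:
    """Untrusted storage (the cloud provider): holds blobs and a token index only."""

    def __init__(self):
        self.blobs = {}     # doc_id -> encrypted document
        self.index = {}     # keyword token -> {doc_id, ...}

    def store(self, doc_id: str, blob: bytes, tokens: set) -> None:
        self.blobs[doc_id] = blob
        for t in tokens:
            self.index.setdefault(t, set()).add(doc_id)

    def lookup(self, token: bytes) -> list:
        return sorted(self.index.get(token, ()))

    def fetch(self, doc_id: str) -> bytes:
        return self.blobs[doc_id]


class Client:
    """Data owner: the only party that ever holds keys or plaintext."""

    def __init__(self, master_key: bytes = b""):
        master = master_key or secrets.token_bytes(32)
        # Independent sub-keys for search tokens, encryption and integrity.
        self.k_search = _prf(master, b"search")
        self.k_enc = _prf(master, b"encrypt")
        self.k_mac = _prf(master, b"mac")

    def token(self, keyword: str) -> bytes:
        """Deterministic so the server can match it; unforgeable without k_search."""
        return _prf(self.k_search, keyword.lower().encode())

    def encrypt(self, plaintext: bytes) -> bytes:
        nonce = secrets.token_bytes(16)
        ct = _keystream_xor(self.k_enc, nonce, plaintext)
        tag = _prf(self.k_mac, nonce + ct)            # encrypt-then-MAC
        return nonce + tag + ct

    def decrypt(self, blob: bytes) -> bytes:
        nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
        if not hmac.compare_digest(tag, _prf(self.k_mac, nonce + ct)):
            raise ValueError("ciphertext tampered with or wrong key")
        return _keystream_xor(self.k_enc, nonce, ct)

    @staticmethod
    def keywords(text: str) -> set:
        return {w.strip(".,;:!?").lower() for w in text.split()} - {""}

    def upload(self, server: Server, doc_id: str, text: str) -> None:
        server.store(doc_id, self.encrypt(text.encode()),
                     {self.token(w) for w in self.keywords(text)})

    def search(self, server: Server, keyword: str) -> dict:
        """Return {doc_id: plaintext} for every document containing keyword."""
        ids = server.lookup(self.token(keyword))
        return {i: self.decrypt(server.fetch(i)).decode() for i in ids}


def demo():
    """Constructed sample documents; returns the owner's hits and whether the server
    can find the plaintext word 'ACME' anywhere in what it stores."""
    client, server = Client(), Server()
    client.upload(server, "d1", "Invoice 2291 for ACME, due Friday.")
    client.upload(server, "d2", "Payroll export, do not forward.")
    client.upload(server, "d3", "ACME renewal quote attached.")
    hits = client.search(server, "acme")
    leaked = any(b"ACME" in blob for blob in server.blobs.values())
    return sorted(hits), leaked


if __name__ == "__main__":
    print(demo())  # (['d1', 'd3'], False)
```

Deterministic tokens are the simplest SSE construction and come with a known cost: the server learns which documents share a keyword and how often each token is searched (access-pattern and search-pattern leakage) even though it never learns the keyword itself. Production schemes differ mainly in how much of that leakage they hide, and any real deployment should replace the HMAC keystream with AES-GCM from a vetted library; the key-custody point, that the provider holds neither keys nor plaintext, is the same either way.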
Conclusion: Apply Encryption of Data in Use
The modern data ecosystem is a complex and fluid matrix that is increasingly cloud-based. To provide the protection needed in an aggressive cybersecurity landscape, we need encryption that is fit for purpose. Using the ethos of zero trust we can support this fluidity. By applying a model of Zero-Trust Searchable Encryption, an organization can have the flexibility and control needed to use data safely without giving up fast processing or cloud-based applications.