Is Encryption Really Not the Answer?

I am starting to get the impression that the phrase “Encryption is not the answer” is becoming the chic catchphrase du jour among security professionals. I was attending a high-profile cyber-security conference recently and heard this statement uttered on more than one occasion to very large audiences (although I must add that one of these experts did, once, add a meek “by itself”).

This trend is leading me towards my own new catchphrase of the day: “When did this happen?”

I think this provocative catchphrase has gained traction in light of the latest round of large-scale data breaches. In December 2013 Target reported a major data breach even though the data was encrypted. Most recently, it has been reported that in the Anthem data breach the data was housed unencrypted, yet the attack was sophisticated enough that experts have published blog entries stating that Anthem was right not to encrypt its data because encryption would not have stopped the breach.

Here I would like to point out one of the tremendous advantages of proper encryption: as long as the key is not compromised, encrypted data stays protected everywhere it goes. This includes (but is not limited to) stolen hard drives, stolen backup tapes, breached database backups, stolen or intercepted data transmissions, stolen or compromised files containing sensitive information, and stolen laptops or other personal devices. It can be reasonably argued that data encryption is largely the reason why these types of data breaches are no longer in the news and fortress-type breaches are now more the norm. It makes me wonder whether, had the attackers known the data at Anthem was not encrypted, they would have simply opted to ship one of the database backup files to an external data store. Reportedly, the breach was detected when one of the system admins noticed a rogue query, which he had not initiated, being run under his identifier code. By taking a backup file instead, it is possible that the attackers would never have been detected.
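To make the point above concrete, here is an added example (my own illustration, not code from the original post or from any of the organizations it mentions) of what "protected everywhere it goes" means for a stolen database backup. It assumes AES-256-GCM with a key held apart from the backup (for example in a KMS or HSM), and the member records it encrypts are constructed sample data. The `Leaks` helper plays the role of an attacker grepping a stolen file for a sensitive value: it finds the value in the plaintext backup and not in the sealed one, while a wrong key or a tampered blob is rejected outright.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// EncryptBackup seals a backup blob with AES-256-GCM. The returned slice is
// nonce || ciphertext || tag, which is what would sit on a tape, a disk or a
// cloud bucket. The key itself never travels with the blob.
func EncryptBackup(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends the ciphertext and authentication tag after the nonce.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptBackup reverses EncryptBackup. It fails if the key is wrong or if the
// stored blob was altered, because GCM authenticates what it encrypts.
func DecryptBackup(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// Leaks reports whether any of the given sensitive values appears verbatim in
// a stolen blob, i.e. whether the thief learns anything just by reading it.
func Leaks(blob []byte, secrets ...string) bool {
	for _, s := range secrets {
		if bytes.Contains(blob, []byte(s)) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample: a tiny "database backup" of member records.
	backup := []byte("id,name,ssn\n1,Alice Example,123-45-6789\n2,Bob Example,987-65-4321\n")

	// AES-256 key. Hypothetically it lives in a KMS/HSM, not beside the backup.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	sealed, err := EncryptBackup(key, backup)
	if err != nil {
		panic(err)
	}

	fmt.Println("stolen plaintext backup leaks SSN:", Leaks(backup, "123-45-6789"))
	fmt.Println("stolen encrypted backup leaks SSN:", Leaks(sealed, "123-45-6789"))

	// A thief without the key gets nothing, and silent modification is caught.
	_, err = DecryptBackup(make([]byte, 32), sealed)
	fmt.Println("wrong key rejected:", err != nil)
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = DecryptBackup(key, tampered)
	fmt.Println("tampered blob rejected:", err != nil)

	// With the key everything is readable again, which is exactly why key
	// custody, not the ciphertext, is what must be defended.
	pt, err := DecryptBackup(key, sealed)
	fmt.Println("round trip with the real key:", err == nil && bytes.Equal(pt, backup))
}
```

The last step is the caveat the post is making: the ciphertext on a stolen tape or backup is worthless to its holder only while the key stays out of reach, so an encryption-at-rest program stands or falls on where that key lives and who can call for it.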

To use a potentially misguided analogy, I feel like some of these experts are saying people are right not to wear seat-belts because recent automobile fatalities have been attributed to rollover accidents and passengers would have died anyway.  Perhaps a more appropriate assessment would be to continue wearing seat-belts but, in addition, take measures to reduce the risk of rollover accidents.  If we apply the transitive property (notice the addition of a misguided math analogy), I feel the more responsible expert opinion may perhaps be:  “In addition to encrypting sensitive data, care and resources need to be dedicated to protecting key user credentials, securing and monitoring networks, and training personnel on good cyber hygiene.”

If the pundits are trying to say that encryption alone without utilizing other measures is not enough, I can understand that position because it helps managers to realize that simply encrypting data does not mean that all threats are eliminated.  By leaving out the ‘alone’ or ‘by itself’ caveat, however, the mistaken impression can be that data no longer needs to be encrypted.  And that gets us into ‘out of the frying pan and into the fire’ type stuff – three analogies and I am out.