Practically every organization manages important and confidential information that can harm it if it falls into the wrong hands: management data, financial information, strategic plans or even trade secrets. Losing data that is subject to a regulation such as the EU GDPR, because it concerns third parties, is just as damaging. This matters especially in sectors such as healthcare, where medical centers and hospitals handle patient data and must put appropriate security measures in place so that none of it leaks.
Organizations generally take this for granted: they know they manage sensitive data, their own or that of third parties, and they understand it must be protected somehow to avoid leaks. Their IT and security teams also know that encryption is one of the best ways to protect information; at the communication level it is already an indispensable requirement in the form of HTTPS/TLS.
According to a report by the Ponemon Institute for IBM, encryption is one of the most effective ways to reduce the cost of a data breach.
It is striking, then, that in most data leaks the stolen information turns out not to have been encrypted at all: in only 3% of leaks was the extracted data encrypted and therefore unusable. Ransomware groups have recently exploited this: they no longer just encrypt information and demand a ransom for the key, they also exfiltrate unencrypted data and demand a second ransom for not publishing it.
The ransomware operators have found this more effective than holding encrypted data to ransom, because many organizations now simply restore from backups. We recently saw news of a hospital that paid a large ransom to attackers who had exfiltrated 240 GB of unencrypted data during a ransomware attack and threatened to make it public.
Why is the use of data encryption in enterprises not more widespread?
With unstructured information (files, documents, etc.) it is much less clear who should encrypt it and which information needs encrypting. Managing encrypted information is not as simple as managing unencrypted information, and using it means a change of mentality in the organization that has to be managed.
Some impediments that appear in organizations for the use of encryption are:
- It is difficult for the average user: passwords or certificates have to be managed to reach the protected data. A file may open fine on your own device, but take it to another computer and software has to be installed there before it can be decrypted. Tools for working with encrypted information easily, anywhere and on any device, are missing.
- No clear guidelines on what to encrypt and what not to: as noted above, it is not obvious which information to protect. Some organizations encrypt data at rest, for example the hard drives of laptops. That prevents a leak if the computer is lost, but as soon as a document is sent from that computer to a third party it leaves unprotected. Encrypting files or folders on file servers requires guidance to end users on which information should be protected, and automation to make protection easy, especially for folders and information repositories.
- Difficult to integrate with corporate tools: in many cases the most sensitive information lives in applications such as ERPs or Human Resources systems. Feeding encrypted files into these applications can “break” internal document management flows, because they are not prepared to handle protected documents. Password-based encryption is also unworkable for a medium-sized organization: a directory such as Active Directory is essential for centrally managing what each user encrypts, without a separate password per file or folder. Encryption solutions are needed that integrate easily with corporate tools such as AD and internal applications.
- Relative value of the encryption, because a decrypted file can no longer be controlled: as with email encryption, the problem with traditional file encryption based on passwords or certificates is that once the file is decrypted the user can do whatever they want with it: copy it, forward it, and so on. This is one of the main disadvantages of protecting information only “in transit”. Accessing protected information should not have to mean removing its protection completely.
- It does not make access to information auditable: when information is confidential, sensitive or important, it must be possible to audit and control what is done with it: who accesses it, when, and whether someone without permission has tried to access it. Technologies are required that keep the information encrypted and still audit access to it.
When to encrypt data and when not to encrypt?
We mentioned earlier the need to give users simple guides on when to protect information: they should know when a file needs protecting and when it does not. As the Zero Trust security model indicates (see “Forrester Five Steps for a Zero-Trust Network”), the first step is to identify the data you need to protect.
Some organizations use solutions that search for and identify sensitive information, or data labeling or classification tools, as a first step in deciding what should or should not be protected. But identifying or labeling sensitive information is not the same as protecting it. In this article we discuss two technologies that help classify and protect data: DLP and IRM.
Many organizations have very simple information classification policies with levels such as “Public”, “Internal Use” and “Confidential”. On paper they look perfect, but what good are they if we cannot then enforce them and protect the “Internal Use” or “Confidential” information?
A practical approach to deciding what to protect and what not to protect is explained in the figure below:
Depending on the “toxicity of the data”, understood as how much harm its loss or leakage could do to customers, employees or the organization itself, a more or less restrictive access control or encryption must be applied. For example, information whose leakage would breach a regulation should get restrictive protection: access limited to certain users in a certain department, with view-only permissions. Information that would be valuable to a competitor should be restricted to use within our organization and never be accessible to external users.
Taking this model further and simplifying it, internal users can be given the following guide: if data could harm the company, its employees or its customers, it must be protected. The level of protection can be differentiated later, but this is a good starting point.
Applying a guide of this kind requires encryption or protection solutions that go beyond traditional encryption: it must be possible to limit who can and cannot access my information, and even the permissions with which they access it. A password- or certificate-based system, where anyone who holds the key can open the file and then do whatever they like with it once it is unprotected, is not enough. What is needed is “protection in use” of the information, not only protection in transit or at rest.
Data Encryption requires a change in mentality in companies
As we said before, protecting or encrypting information requires a change of mentality in the organization, but that change is necessary if we want to spread a culture of protection.
In fact, anyone who has implemented a document management system in their company will have faced something similar. In the following figure we compare the change involved in implementing a document management system with the change involved in encrypting information or applying a data-centric security strategy.
The Return on Investment with data encryption is immense
Despite the change in mentality that a document management system demands, the companies that have implemented one have seen its benefits.
When it comes to avoiding a data leak, the return on investment (ROI) of a data-centric protection system is greater still. The following figure shows the related ROI of an information protection solution. Some companies have gone out of business outright because of the impact of an information leak.
Anyone in the organization should be able to protect their data
Given this return on investment and the benefits described, every user in the organization should be able to protect their data with easy-to-use tools. If someone has a file with sensitive information that needs protecting, they should know that it must be protected and have a tool at hand that lets them do so without having to consult IT on how to perform the encryption.
Automation helps
Wherever possible, things should be made as easy as possible for users, for example by automatically protecting sensitive information when:
- It is stored in a certain folder on a file server or in a SharePoint library or any cloud application such as Box, Dropbox, Google Workspace, etc.
- It is discovered on computers or file servers by a DLP solution such as Forcepoint, McAfee or Symantec.
- It is identified in the cloud by a CASB solution.
- It is classified as “Confidential” by a user with a labeling or classification tool such as Titus or Boldon James.
- It is downloaded from an internal corporate application (HR, ERP, etc.) that holds highly confidential data.
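The toxicity guide, the “protection in use” requirement and the automation triggers above fit together in a short program. The following Go code is an added example written for this page; it is not SealPath's code or the product's API. It assumes a single symmetric key held by the organization, a classification derived from a label or from the folder a file lives in (the label names “Confidential” and “Internal Use”, the HR folder path and the sample files are constructed), and AES-GCM with the access policy bound to the ciphertext as additional authenticated data; every allow/deny decision is written to an audit log. A real IRM deployment would take the key and the user's department from a directory such as Active Directory instead of hard-coding them.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Policy is stored inside the protected file and enforced on every open, which
// is what "protection in use" means as opposed to protection in transit.
type Policy struct {
	Department string          `json:"department"` // "" means any internal user
	Perms      map[string]bool `json:"perms"`      // "view", "edit", "print"
}

// PolicyFor applies the toxicity guide: a regulatory breach (here anything
// labelled Confidential or under the HR folder) is locked to one department
// with view-only rights; data of value to a competitor (labelled Internal Use)
// is open to any internal user; the rest stays unprotected. Labels and the
// folder path are constructed assumptions, not SealPath's.
func PolicyFor(path, label string) (Policy, bool) {
	switch {
	case label == "Confidential" || strings.HasPrefix(path, "/fileserver/hr/"):
		return Policy{Department: "HR", Perms: map[string]bool{"view": true}}, true
	case label == "Internal Use":
		return Policy{Perms: map[string]bool{"view": true, "edit": true, "print": true}}, true
	}
	return Policy{}, false
}

// Protected is the container: the policy goes into AES-GCM as additional
// authenticated data, so editing it after the fact breaks the tag.
type Protected struct {
	Policy            Policy
	Nonce, Ciphertext []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Protect encrypts plaintext under key and binds the policy to the ciphertext.
func Protect(key, plaintext []byte, p Policy) (*Protected, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	aad, _ := json.Marshal(p)
	return &Protected{Policy: p, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, aad)}, nil
}

type Auditor struct{ Log []string } // every access decision, allowed or denied

// Open enforces the policy before decrypting and logs the outcome either way.
func Open(key []byte, doc *Protected, user, dept, perm string, a *Auditor) ([]byte, error) {
	p := doc.Policy
	if (p.Department != "" && p.Department != dept) || !p.Perms[perm] {
		a.Log = append(a.Log, fmt.Sprintf("DENY user=%s dept=%s perm=%s", user, dept, perm))
		return nil, errors.New("access denied by policy")
	}
	a.Log = append(a.Log, fmt.Sprintf("ALLOW user=%s dept=%s perm=%s", user, dept, perm))
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	aad, _ := json.Marshal(p)
	return gcm.Open(nil, doc.Nonce, doc.Ciphertext, aad) // fails if the policy was altered
}

// File is a constructed stand-in for what a folder watcher, DLP or labelling hook hands over.
type File struct {
	Path, Label string
	Content     []byte
}

// AutoProtect runs the guide over a batch of files; files it leaves alone are absent.
func AutoProtect(key []byte, files []File) (map[string]*Protected, error) {
	out := map[string]*Protected{}
	for _, f := range files {
		p, ok := PolicyFor(f.Path, f.Label)
		if !ok {
			continue
		}
		doc, err := Protect(key, f.Content, p)
		if err != nil {
			return nil, err
		}
		out[f.Path] = doc
	}
	return out, nil
}
```

Two things are worth noticing. Open refuses before it touches the ciphertext when the department or permission does not match, and because the policy is authenticated together with the data, a user who edits the embedded policy to grant themselves “edit” still gets a decryption failure rather than the plaintext. The audit trail is an in-memory slice here; in a deployment it would be shipped to a SIEM.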
In the following article we explain how to automate the classification and protection of data effectively.
It is essential to extend a culture of protection in the organization
Encrypting information, as we said before, has proven to be one of the most useful practices for protecting data against a security breach. Encrypting data does not have to be complicated; done well, it is a useful means of spreading a culture of protection in the company.
SealPath recommends a secure information management cycle based on the following pillars:
- Protection: Encryption and control of rights over information with IRM (Information Rights Management) or E-DRM (Enterprise Digital Rights Management) that allows protection at rest, transit and use of data.
- Monitoring: let the user know what is happening with their data: who is accessing it, when, and whether someone has tried to access it without permission.
- Automation: wherever possible, make protection easier through automation, for example by automatically protecting any document stored in a given folder on a file server.
You can read the original article on the SealPath website.