Bloomberg was wrong. Encryption would not have stopped Snowden.
CipherPoint is a partner of Concept Searching. This blog is well worth the read and provides value to any organization concerned with security.
The following blog was posted on the CipherPoint web site. CipherPoint identifies, encrypts, controls and audits access to sensitive and regulated data on-premises and in cloud file sharing and collaboration systems. CipherPoint’s patented technology is unique in preventing privileged IT administrators and outside attackers that target IT-level access from accessing sensitive information. The CipherPoint Eclipse solution suite secures data across file servers, on-premises Microsoft SharePoint, Microsoft SharePoint Online, Microsoft Office 365 and other cloud collaboration systems from a central data security console. A winner of the SINET 16 award as a top security company in 2012 and Cyber Defense Magazine’s Most Innovative Cloud Security Solution for 2014, CipherPoint is headquartered in Denver, Colorado.
The author, Coby Royer serves as CipherPoint’s Director of Product Management where he sets product strategy and requirements, as well as supporting customer needs. He is a seasoned veteran in cyber security, having broad and deep experience in product development and enterprise security. Coby’s experience includes entrepreneurial ventures, consulting, and work with several Fortune 1000 companies. Projects have spanned many fields, including Cloud Computing, Internet security products, financial services, social networking, intellectual property, open source, and software development tools. Coby’s previous roles include CTO, Senior Manager, Enterprise Architect, Product Manager, QA Specialist, and Software Developer. Coby holds over a dozen US patents for security and financial instruments, many as primary or sole inventor.
Bloomberg published a story last week, Encryption Would Have Stopped Snowden From Using Secrets. Bloomberg describes that encryption is key to preventing insiders from accessing and using classified data. In our view, we think they only got the story part right. Encryption is a great security control but to stop a determined system administrator you also need trustworthy key management and intelligent decryption (aka access control).
Encryption is a critical security control in these situations. Data that is encrypted using standard (i.e. not proprietary) encryption algorithms, and where the keys are properly protected, is highly secure. But there are a couple of other considerations here. First, the encryption should be applied high enough up in the technology stack so as to prevent the sysadmins from being able to view data using their application, database, or operating system administrator privilege. Low-level encryption mechanisms (such as encrypting drives, TDE, EFS and Bitlocker) are aimed at mitigating risks of lost or stolen computers or disks, and they use rudimentary key management. Also, we frequently see these implemented such that systems admins know the key since the administrator are responsible for encryption key backups and other tasks. Implementing encryption at a higher level, for example at the web application layer, and using encryption keys on a per file/directory/user basis makes for much more robust security, including from systems administrators.
Second, it’s also critical to apply an integrated access control mechanism to make sure information is decrypted only under the expected circumstances. This too needs to be done at the application level, with awareness of the application context, user role, etc.
Done right, encryption coupled with access control can effectively mitigate insider threats (including malicious systems administrators). One final point, at CipherPoint, we pride ourselves on making this sort of security technology highly usable. Meaning, even though our product supports highly sophisticated environments, with hundreds or thousands of encryption keys, we make the technology simple to manage. And, as you might expect, our CipherPoint Eclipse products do insert at a higher layer, as suggested above, and they do couple AES-256 standards-based encryption, with FIPS validated cryptographic modules, and a robust access control capability.
If you are worried about the potential Snowdens in your organization or your Cloud providers’, give us a call, we have a solution!