Today, HBO announced publicly that they have experienced a “cyber incident which resulted in the compromise of proprietary information.” Like many other companies, HBO also stated that “data protection is a top priority,” and yet a theme has become more prevalent in recent years: large companies have trouble protecting their data.
Why is data protection hard?
Every major storage provider offers data encryption, so securing data should be easy, right? Yes and no. The normal practice for large companies is basic data-at-rest encryption. Often this means that the drives where data is stored, whether on site or in the cloud, are encrypted with one key for the entire drive or, even worse, one key shared across multiple drives. This is done because it is easy: it is a way to check the box for data security at the lowest cost. In some cases, users must run a client that decrypts the data when it is accessed. But if the encryption key is never changed, a hacker only needs to find one vulnerable person out of many, compromise them, obtain their key, and grab all the data. Just as bad is the insider threat: an employee leaves the company and the keys are not changed. Even while they still work there, there is often no way to see who accessed the data, because every person uses the same access method to reach it. All of these scenarios are far too common.
What can be done to make data encryption better?
It should be mentioned that HBO has not reported the exact method by which their data was exposed, but there are several practices that anyone looking to protect their data can employ.
- Key Rotation – Most storage systems create an encryption key when they are set up, and the key is never changed. This means that every piece of data is encrypted under the same key for as long as the storage system is in use. For large enterprises, this can mean the encryption doesn’t change for years, leaving data vulnerable to hackers and insider threats. Just as users need to change their password so it cannot be found and used by a bad guy, encryption keys need to be rotated for the same reason.
- Keep Up With Modern Encryption Standards – Hand in hand with key rotation: the encryption standard a storage system was built with 10 years ago is generally considered insecure by modern standards. The security standards that companies use must keep up with the technology available to bad guys.
- File Level Encryption – Often thought of as too expensive, file-level encryption uses a separate key for each file, which prevents bad guys from stealing large portions of data and limits the impact of an attack. In the case of the HBO attack, hackers reportedly obtained 1.5 terabytes of data. Depending on the type of data, this can be devastating for a production company, as it was for Sony.
- Link Access of Files to Encryption – It is common for companies to have permissions and policies so that data can only be read by the users who need to see it. But in a world where passwords are more complex and must be changed frequently, users get lazy. They write their password on a note under the keyboard or choose easy-to-guess passwords, which raises the question of who really accessed the data: the authorized user, or the person who simply acquired their username and password? With encryption-based access, a user’s identity is tied to a set of encryption keys, which are much harder to steal, so a company knows that only the correct users have access.
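One way to put key rotation and file-level encryption together, shown here as an added example and not as Fornetix or VaultCore code: every file gets its own data-encryption key (DEK), each DEK is wrapped under a versioned key-encryption key (KEK), and rotating the KEK re-wraps the small DEKs instead of re-encrypting terabytes of file data. The Keyring and Envelope types, the helper names and the 32-byte AES-256-GCM keys are assumptions made for this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// Envelope: a file encrypted under its own DEK, with that DEK wrapped under KEK version KEKVersion.
type Envelope struct {
	KEKVersion int
	WrappedDEK []byte
	Ciphertext []byte
}

// Keyring stands in for a key manager (constructed model, not a real KMS): every KEK version issued, last = current.
type Keyring struct{ KEKs [][]byte }
// AES-256-GCM helpers; a fresh 12-byte nonce is prepended to each ciphertext, and
// NewCipher/NewGCM cannot fail for a 32-byte key, so their errors are dropped.
func randomBytes(n int) []byte { b := make([]byte, n); rand.Read(b); return b }
func gcm(key []byte) cipher.AEAD { b, _ := aes.NewCipher(key); g, _ := cipher.NewGCM(b); return g }
func seal(key, pt []byte) []byte { n := randomBytes(12); return gcm(key).Seal(n, n, pt, nil) }
func open(key, ct []byte) ([]byte, error) { return gcm(key).Open(nil, ct[:12], ct[12:], nil) }
func NewKeyring() *Keyring { return &Keyring{KEKs: [][]byte{randomBytes(32)}} }

// Encrypt gives the file its own fresh DEK, wrapped under the current KEK, so a
// leaked DEK exposes one file rather than a whole drive's worth of data.
func (k *Keyring) Encrypt(data []byte) *Envelope {
	dek, v := randomBytes(32), len(k.KEKs)-1
	return &Envelope{v, seal(k.KEKs[v], dek), seal(dek, data)}
}

// Decrypt unwraps the DEK with whichever KEK version wrapped it, then the file.
func (k *Keyring) Decrypt(e *Envelope) ([]byte, error) {
	dek, err := open(k.KEKs[e.KEKVersion], e.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, e.Ciphertext)
}

// Rotate issues a new KEK and re-wraps every DEK under it. File bodies are not
// re-encrypted, so rotation is cheap enough to schedule routinely.
func (k *Keyring) Rotate(files []*Envelope) int {
	k.KEKs = append(k.KEKs, randomBytes(32))
	v := len(k.KEKs) - 1
	for _, e := range files {
		dek, _ := open(k.KEKs[e.KEKVersion], e.WrappedDEK)
		e.WrappedDEK, e.KEKVersion = seal(k.KEKs[v], dek), v
	}
	return v
}
```

Because GCM authenticates the wrapped DEK, a retired KEK can no longer unwrap anything after rotation and a tampered envelope fails to decrypt instead of yielding garbage.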
Fornetix can help!
With Fornetix VaultCore, an enterprise can easily implement file-level encryption and key rotation for minimal cost and overhead. VaultCore appliances allow for the creation of millions of keys at no additional cost to the consumer. Additionally, the policy engine and built-in job scheduler allow keys to be rotated automatically and kept up to date with the latest industry standards. Fornetix is a proud member of the Key Management Interoperability Protocol Committee, working with companies around the world to enhance data security and develop the future of storage protection.
Note: This entry has been edited to reflect the ‘Key Orchestration’ solution name becoming ‘VaultCore’