Tim Compston, Features Editor at SecurityNewsDesk and SecurityMiddleEast.com, considers where end-to-end encryption fits into the mix in the quest by organisations to stop damaging data breaches.
The technology we use and volume of data we generate is changing at an unprecedented pace. However just as change opens up new opportunities so there are also unfortunate downsides that organisations are having to negotiate. High on their list of concerns is data security and where security measures like encryption should come into play. As more and moreinformation finds its way into 'the cloud', and onto an ever expanding range of smart devices, cyber criminals are all too willing to exploit any confusion over where, and when, to encrypt data.
On the hotly debated subject of encryption which has been much in the news recently, and feeds into the wider data and cybersecurity narrative, V. Miller Newton, President and CEO, of PKWARE - a leading provider of enterprise level smart encryption - is adamant that the way forward is to actually 'armour' the data at its core: "This is with persistent security that follows the data every place that it is used, shared, or stored. The days of 'castle and moat' security, the days of security at rest are gone. I think that the world is coming to the realisation that you just can’t keep the bad guys out of networks and systems. Historically that is where the spend in enterprise security has been but in spite of this we are seeing breaches at epidemic levels.”
Newton laments that even now, unfortunately, the implementation of encryption tends not only to be very complex but also widely misunderstood: "I am in conversations everyday with CEOs, CIOs, CISOs and the heads of agencies in the government, and they talk about encryption. It is just really misunderstood. You can talk about encrypting the transport, you can do full disk or whole disk encryption, you can do device encryption, but this is all very different from implementing it [encryption] at the data level."
Asked to put some numbers on the encryption gap, Newton estimates, worryingly, that probably less than five percent of critical information worldwide - either public or private - is actually protected. He says however that things are starting to change for the better, albeit slowly.
In terms of concrete action, Newton reveals that PKWARE recently launched its new Smartcrypt solution to simplify the complex challenges of data encryption, including key management, and, crucially, help enterprises to combat the rising tide of insider and external threats. Newton is keen to underline the expertise that PKWARE brings to the encryption issue: "We have provided encryption and compression software to more than 30,000 enterprise customers and 200 government entities around the world. We also invented the .ZIP file format which is really the company's claim to fame.”
Newton feels that the regulatory environment can make a real difference to demand for encryption solutions, citing changes in the US on the healthcare front and the European Union’s GDPR (General Data Protection Regulation) to underline this: “As soon as it becomes regulatory - and there are stiff penalties associated with that – you get a different level of attention. We saw that in the US with HIPAA [Health Insurance Portability and Accountability Act] which was initially a guideline but then it got some meat on it - a regulatory component - with fines and that is when healthcare companies really got serious about encryption. The same is happening in Europe with GDPR.”
As discussion turns to the latest trends, Newton's colleague Matt Little, Product Development VP at PKWARE, offers an interesting take on the nature of ‘the cloud’: “Our customers often joke that a lot of people misuse the term 'cloud'. Miller and I were talking to a CISO only last week who said it has taken a long time to convince people that the cloud is really just someone else's hard-drive. So you should start thinking about what kind of data you would put on there and what you would do beforehand to protect it.”
Newton agrees with Little that the advent of the cloud and BYOD [Bring Your Own Device] serves to reinforce the requirement for new thinking with regards to security: “We live in a very different world. Data is the new perimeter versus networks and systems. Sensitive information, all information really, has to be encrypted at source before it goes to the cloud and that is paramount if you are going to have a secure posture in the cloud.”
On the subject of BYOD (Bring Your Own Device), Little contrasts the reality today with the situation ten years ago: “Then everyone had two phones, their own phone and their work phone, and never the two shall meet. At some point, following the path of least resistance, a huge chunk of our customers have embraced BYOD and they have acknowledged that that data needs to be secured too.”
Ultimately it is encouraging to see that vendors are stepping up to the plate to offer more capable solutions to strengthen and simplify the implementation of data encryption and, crucially, to recognise the value of tying this form of security to the data itself, even whilst on the move.