Chuck Hollis’ article on New Security Thinking For A New World mentioned the following very important comment:
“The latest challenge on the security front isn’t necessarily an exotic new threat vector: it’s the attackers themselves. They’re organized, well-resourced and patient. And there’s no silver technology bullet to effectively combat them.“
This is a very important point, and one that I have seen at other security conferences for the last 5 years or so. However, attacks are possible because there is a lack of confidentiality and integrity of the data held within the systems under attack. So the system becomes the week point.
In the virtual and cloud environments there needs to be one Mantra, and everything else must help to fulfill this requirement:
Secure the Data
The problem is that this is not the mantra of the compliance documents, instead it is about securing the system on which the data resides, or the network access to the data. Perhaps it is time to rethink our approaches to security so that we not only encrypt the data at rest, but encrypt the data in motion. Unfortunately, this may require more impact to the end user? Or does it?
If you take what Trusteer is doing and add other security measures, you could easily implement a level of security within the modern browser that encrypts data before it enters the cloud. Perhaps what we need for crucial data is a combination of Trusteer’s client-side server certificate verification, and encrypted data entry, is CloudCipher’s ability to encrypt data in a function preserving mode. This way, crucial data is encrypted before it hits the SaaS provider, healthcare, or even the bank.
However, to do this properly for a bank or healthcare, the bank and healthcare provider should be able to decrypt the data for their internal use once more using CipherCloud. This handling of certificates for this type of use would need to be engineered, so that the data being sent to the provider or bank is encrypted with the certificate of the user, delivered through a trusted third party; the bank or provider would also need to access the same data through its keys. Perhaps what we need is also to combine the capabilities of GoldKey with Trusteer and CipherCloud. GoldKey has a multi-level key mechanism that allows a master key to decrypt a user key’s encrypted data, the master key would be held by the institution.
This combination of tools would provide a unique experience where data is encrypted end to end and used encrypted as well with the ability for it to be possible to just hook into existing browser technology with a minimal of impact on the end user, but with a huge increase in security.
Security in the cloud era is about protecting the data, and not all about general systems protection. Yes, protect the crucial key holders, hardware security modules, etc. But at the same time concentrate on protecting the data. This combination of tools is not necessarily inexpensive, but we really need a way to encrypt data from the end-user-computing device to the cloud so that the data remains encrypted and confidential at every stage, in motion and at rest.
Data Security needs to be the norm instead of the exception. Once we do this for critical forms of data, we need to also do this for other forms of data, perhaps tying into all this some form of data loss protection to ensure data does not leak through other means such as social media, email, and instant messaging. If the data is secure, do we need the other measures?