Article posted: Nov 01, 2015
By Joakim Thorén, CEO
Your home provides shelter for your family and likely houses important documents, maybe some cash and jewelry, and perhaps the rare stamp collection you inherited from your Uncle Stanley. You want all of these things to be protected, so you visit a locksmith and purchase the best lock money can buy for your front door. You like the lock so much you put one on the back door, too.
These new door locks are fantastic - only the most sophisticated lock picker could get through them. The problem is, your back door also features an oversized pet door so your Labrador Retriever can play in the yard while you're at work and then have free roam of the house when he wants to go indoors. When a thief shows up, he doesn't have to worry about the expensive lock. You've essentially granted him access to the entire domicile through the doggie door.
The scenario above is a lot like companies that rely heavily on data encryption. The thinking is that when data is encrypted, only those with legitimate access can decrypt, and then use, that data. Encryption greatly improves confidentiality, and the keys are handed out according to role: an entry-level employee would certainly have far fewer access rights than the chief operating officer.
It makes perfect sense, right? But relying on encryption alone is like having that great lock securing a door that also has a gaping hole for the dog. If an outside hacker successfully impersonates someone who has legitimate access to sensitive data, all the encryption in the world can't help: the hacker has gained access, which generally also includes decryption capabilities.
A recent Gemalto Breach Level Index for the first half of 2015 showed that more than 62 percent of 888 reported breaches were caused by malicious outsiders, compared with 12 percent attributable to malicious insiders.
What's driving this very real outside threat is an easily correctable inside weakness. One of the easiest ways for outsiders to reach corporate data is to pose as a legitimate employee. When a company verifies that the person requesting data is actually who he claims to be (authentication), it can accurately control data access. Encryption provides document confidentiality; it is no remedy for a failing access control mechanism. Authentication is the precondition for enforcing strong access control, and access control is only as strong as the authentication behind it.
One aspect of encryption that is worth considering is physical security. If someone breaks in and steals the hard disks from your office, you'd better hope the data is encrypted. But once again, that means the access control has failed, this time the physical kind. This becomes even more obvious in mobile and cloud environments, where the storage is not in your office to begin with.
So, what can we do? The answer is better access control, built on stronger authentication. Perhaps the least intrusive and most affordable step is two-factor authentication: a physical device such as a smart card combined with a password. An attacker who gets into the system cannot impersonate any particular user, because even if he learns that user's password he still lacks the physical element the login requires. The second factor protects the login itself; it does not help if the attacker already controls the user's authenticated session or the machine the card is plugged into, so it complements the rest of the access control chain rather than replacing it.
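To make the two-factor flow concrete, here is a small Python model of it, written for this edit; it is not Versasec's product code and not part of the original article. The user name alice, the card identifier card-0001 and the password are constructed. The possession factor is simplified: a real smart card holds a private key and signs the server's challenge, whereas this card answers with an HMAC over a secret that never leaves the Card object, which keeps the example standard-library only. The four scenarios show the legitimate login, an outsider who has phished the password, an outsider who has stolen the card, and a replay of a captured response.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets


class Card:
    """Stand-in for a smart card (assumption of this example): the secret is
    generated inside the card and is only ever used to answer challenges.
    A real card would hold a private key and sign the challenge instead."""

    def __init__(self, card_id: str) -> None:
        self.card_id = card_id
        self._secret = secrets.token_bytes(32)

    def issue(self) -> bytes:
        """Released once, at issuance, so the verifier can check responses."""
        return self._secret

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


class Server:
    """Verifier: knowledge factor (password) first, then possession factor (card)."""

    PBKDF2_ROUNDS = 100_000

    def __init__(self) -> None:
        self._users: dict[str, dict] = {}      # username -> enrolment record
        self._pending: dict[str, bytes] = {}   # username -> outstanding challenge

    @staticmethod
    def _hash_pw(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, Server.PBKDF2_ROUNDS)

    def enrol(self, username: str, password: str, card: Card) -> None:
        salt = secrets.token_bytes(16)
        self._users[username] = {
            "salt": salt,
            "pw_hash": self._hash_pw(password, salt),
            "card_id": card.card_id,
            "card_secret": card.issue(),
        }

    def begin_login(self, username: str, password: str) -> bytes | None:
        """Step 1: verify the password; only then hand out a fresh challenge."""
        rec = self._users.get(username)
        if rec is None:
            return None
        if not hmac.compare_digest(self._hash_pw(password, rec["salt"]), rec["pw_hash"]):
            return None
        challenge = secrets.token_bytes(32)
        self._pending[username] = challenge   # single use: replaced or consumed
        return challenge

    def finish_login(self, username: str, response: bytes) -> bool:
        """Step 2: the response must be over the one outstanding challenge."""
        rec = self._users.get(username)
        challenge = self._pending.pop(username, None)
        if rec is None or challenge is None:
            return False
        expected = hmac.new(rec["card_secret"], challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def run_scenarios() -> dict:
    """Constructed scenarios for one hypothetical user; True means 'logged in'."""
    server = Server()
    card = Card("card-0001")
    password = "correct horse battery staple"
    server.enrol("alice", password, card)
    results = {}

    # 1. Legitimate user: knows the password and holds the card.
    challenge = server.begin_login("alice", password)
    good_response = card.respond(challenge)
    results["legit_user"] = server.finish_login("alice", good_response)

    # 2. Outsider who phished the password but has no card: gets a challenge,
    #    cannot answer it.
    challenge = server.begin_login("alice", password)
    forged = hmac.new(b"attacker-guess", challenge, hashlib.sha256).digest()
    results["password_only"] = server.finish_login("alice", forged)

    # 3. Outsider who stole the card but not the password: never gets a challenge.
    results["card_only"] = server.begin_login("alice", "password123") is not None

    # 4. Outsider who recorded the response from scenario 1 and replays it:
    #    the server issued a new challenge, so the old response does not match.
    server.begin_login("alice", password)
    results["replay"] = server.finish_login("alice", good_response)
    return results


if __name__ == "__main__":
    print(run_scenarios())
```

The design choice worth noting is that the password check gates the challenge, so an attacker with only the card never even sees a challenge to relay, and each challenge is random and single use, so a captured response is useless. Because this model is symmetric, a thief who copies the server's enrolment table also gets the card secrets; that is exactly why real smart cards sign with a private key and the server stores only the public key.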
At Versasec, we manage the identity and access lifecycle of companies' access-enabling devices, making it simple and fast to protect corporate assets from the time a credential is issued until the day a worker's employment with your company ends. Our authentication technology is relevant to both external and internal attacks.
So buy that great lock, but check that it's only good old Fido that enters through the pooch portal.