Companies spend billions of dollars annually to secure their infrastructure and data, yet data security breaches routinely occur even when network security and user validation are in place. Everyone seems to agree that it’s not a question of “if” a company’s systems will be breached, but “when.” In fact, Forrester recently declared that attackers behind successful data security breaches “weren’t that sophisticated. Or if they were, they didn’t have to flex too many mental muscles to get inside the environment.” With that finding, there is obviously more work to do to prevent access from being gained, but it’s also time for a different approach to protecting databases and data in use so that companies can limit exposure.
To protect data for when it inevitably falls into the wrong hands, many companies encrypt their data. But it’s time for a reality check: while encryption has proven to be the most effective way to lower the impact of a security breach, encryption does NOT prevent all types of data loss. In fact, even with encrypted data, companies with sensitive data, including personally identifiable information (PII), are at significant risk of data loss.
How is that possible?
There is a major misunderstanding when it comes to data encryption and what it can and cannot protect. A myth persists that encryption protects a company if an attacker gets access to a database holding sensitive data because the attacker wouldn’t be able to de-scramble and read the data. But that is true only in certain situations, such as if an attacker got access to a hard drive and tried to read the data directly from the disk. In other scenarios, however, the data can be accessed and lost.
Encryption Doesn’t Protect Data in Use
Traditional encryption helps only when data is at rest (disk encryption) or in transit via secure communication methods such as SSL and TLS. But what if the attacker walks in through the proverbial front door, entering a username and password to the database and running seemingly authorized queries? In that case, the attacker will look like they have access rights, and the data will be decrypted and sent to them. The difference is that when the data is accessed via a query it is no longer “at rest” or “in transit,” but rather “in use,” and traditional encryption doesn’t protect data in use. Stealing credentials and accessing data through queries is common in major data security breaches, such as the 2014 eBay data breach (145 million records) and the 2015 Anthem data breach (80 million records).
Unprotected Data in Use Makes You Vulnerable
When a company doesn’t encrypt data in use, the company is at risk in the following scenarios:
- Stolen Credentials – Credential theft is common. A great deal of data is available for hackers to access and exploit. An attacker targeting a specific company’s databases could go to LinkedIn and quickly find a few employees who are likely to have admin access to enterprise IT resources. A phishing campaign could then yield the codes needed to get unfettered access to systems with sensitive data.
- Internal Threats – An analysis by Verizon revealed that 34% of data breaches in 2018 involved internal actors. Internal actors, such as DBAs, are often granted access not just to the system, but to all the data that is included in the system. This “loose” database access control exposes sensitive data to people who don’t need to see it.
- Cloud Storage and SaaS Apps – Today the typical company is storing more data in the cloud – either in numerous SaaS applications or in an infrastructure as a service (IaaS) product, such as AWS. Unfortunately, this also means that they are giving up control over their data. The cloud company may include a cloud data protection solution, but the cloud company’s admins usually hold the keys for encrypted data and can access not just the systems, but also the underlying data.
Combine Encryption, Access Control and Anomaly Detection to Protect Data In Use
Until recently, if you wanted to encrypt data in use, there were few alternatives. Most data encryption tools covered only data at rest or in transit. Any database encryption software that covered in-use data was limited to a specific database and left other systems and your cloud data unprotected. Today, however, solutions that can cover all in-use data, such as the Sotero Data Protection Platform, are emerging. Sotero, for instance, uses a proxy that sits between your applications and all of your data stores, providing a single encryption solution for all of your sensitive data whether it is in the cloud or on your premises. In addition to providing encryption for in-use data, Sotero also offers additional layers of protection. It provides granular access controls and anomaly detection, which combine to restrict internal actors and cloud DBAs from having unfettered access to data and to identify and interrupt unusual and risky queries in real time.
The best protection for in-use and cloud data is a layered approach that provides data level security. For example, Sotero’s data security solution combines data encryption (including cloud data encryption), access control, and anomaly detection. The encryption layer protects sensitive data at rest, in transit and in use. The access control layer combines with encryption to prevent unprivileged users from seeing sensitive PII data even when the data is in use. The anomaly detection layer protects data against theft even from inside operators or other privileged users. This approach results in comprehensive data protection because if one layer fails to stop the threat, there is another layer with a chance to stop it or at least minimize the damage. A layered approach like Sotero’s is born out of the reality check that we all need to take, which is to recognize that encrypting only data at rest and in transit is not enough to truly protect our data from today’s threats.
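The following is an added toy model of the three layers described above, written for this page and not Sotero’s code or architecture. It assumes a constructed six-row table, a stand-in HMAC-keystream cipher in place of a real AEAD, a hypothetical role policy, and a baseline of five PII rows per minute per principal; the proxy decrypts PII only for permitted roles, redacts it for everyone else (including a DBA role that has system access), and interrupts a query that would push a principal over the baseline.

```python
import hmac
import hashlib
from collections import defaultdict, deque

KEY = b"demo-key-not-for-production"   # constructed; a real proxy keeps keys in a KMS/HSM
PII_COLUMNS = {"ssn"}
# Hypothetical policy: DBAs administer the system but never see decrypted PII.
ROLE_POLICY = {"support": {"name", "ssn"}, "analyst": {"name"}, "dba": {"name"}}
WINDOW_SECONDS, PII_ROW_LIMIT = 60, 5  # assumed baseline: 5 PII rows per minute per user

def _xor_stream(data: bytes, nonce: bytes) -> bytes:
    # Stand-in cipher: XOR with one HMAC-SHA256 keystream block (enough for short
    # PII fields, unique per row nonce). Production code would use an AEAD like AES-GCM.
    stream = hmac.new(KEY, nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

# Constructed table: the PII column exists at rest only as ciphertext.
_PEOPLE = [("Ann", "123-45-6789"), ("Bob", "987-65-4321"), ("Cy", "555-55-5555"),
           ("Di", "111-22-3333"), ("Ed", "444-55-6666"), ("Flo", "777-88-9999")]
ROWS = [{"id": i, "name": n, "ssn": _xor_stream(s.encode(), str(i).encode())}
        for i, (n, s) in enumerate(_PEOPLE)]

_pii_access = defaultdict(deque)   # principal -> timestamps of PII rows released

def query(principal, role, columns, row_ids, now):
    """Proxy entry point. Access control decides which columns may be decrypted;
    anomaly detection interrupts a query whose PII volume exceeds the baseline."""
    allowed = ROLE_POLICY.get(role, set())
    rows = [r for r in ROWS if r["id"] in row_ids]
    if set(columns) & PII_COLUMNS & allowed:          # this query would release PII
        window = _pii_access[principal]
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()                           # slide the window forward
        if len(window) + len(rows) > PII_ROW_LIMIT:
            return {"status": "blocked", "rows": []}   # unusual bulk PII pull: stop it
        window.extend([now] * len(rows))
    out = []
    for row in rows:
        rec = {}
        for col in columns:
            if col not in allowed:
                rec[col] = "<redacted>"                # data stays protected in use
            elif col in PII_COLUMNS:
                rec[col] = _xor_stream(row[col], str(row["id"]).encode()).decode()
            else:
                rec[col] = row[col]
        out.append(rec)
    return {"status": "ok", "rows": out}
```

With the assumed baseline, a support user reading two rows at a time is served twice and interrupted on the third call within the same minute, while a DBA reading the same rows sees names but only redacted SSNs.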