Think Full Disk Encryption is Good Enough? Think Again.
Most often, the word “encryption” brings to mind decryption keys and complex processes that cause friction to the end users in order to access data. Because of the friction these processes create, it’s common for businesses to use alternate forms of encryption such as disk encryption to meet business or compliance requirements. Disk encryption protects information stored on a disk drive—such as an external hard drive, laptop, or even enterprise storage—by preventing the drive from being accessed without the proper password or authentication credentials.
While it is an effective way to protect data, disk encryption alone is simply not enough. In the past, encryption would often be too heavy or resource intensive to perform at extremely high volumes for high transaction volume organizations such as health insurers, card processors, or healthcare clearinghouses. In these cases, the volume of transactions and their low latency requirements were so at odds that using data-level encryption was just not a great option. Encrypting a disk, storage area network, or network-attached storage is a great security control in those environments, but it’s no longer good enough to be the only encryption solution in play.
The Reality of the Physical Risk
Often encrypt/decrypt mechanisms are tied to role-based access controls through an organization’s authentication, authorization, and accounting service (such as Active Directory). Only permitted roles have access to the data store and the decrypted data. Data at rest would be encrypted, and the keys protected, which means that if someone did gain access to the data store or the physical disks, the data would be worthless.
Physical obtainment of a disk or drive is still a critical thing to consider when developing your security programs, but companies also must consider if this is addressing a perceived risk or an actual one. The likelihood of physical tampering with disks exists, but the risk is quite minimal in environments such as professional data centers. These facilities often have impressive—albeit imperfect—physical security controls that minimize access to the actual hardware. A disk can be taken out for destruction and compromised that way as well, so the risk and impact are real, but the physical security measures are not protecting the data that’s at rest the way many organizations believe.
According to a study by Dark Reading, phishing is responsible for over 50 percent of the data breaches across surveyed responders. Phishing is a common method used by criminals to obtain sensitive information in order to compromise an organization or individual. In today’s decentralized and often borderless world of access and connectivity, organizations use credentialed access to protect themselves from unauthorized parties. Once stolen, those credentials are keys to the castle. If other factors of authentication aren’t in place, or the compromise is initiated from within the organization in an area that doesn’t require authentication, that’s all an attacker needs to appear as if they are an authorized user of the system. Password spraying attacks will take previously compromised credentials, which are known to criminals already, and attempt to use them on other environments. Many individuals reuse passwords or use easily guessable passwords. The point is that often credentials are not enough when protecting your organization from the outside world.
Let’s say that an attacker uses a malicious link, download, or exploits a vulnerability to gain access to an organization, but they don’t necessarily have credentials. Hunting for credentials within many environments is not a difficult task. Misconfigurations that make those credentials easy to find are common. For example, insecure protocols such as SMB or NetBIOS can make gaining access as easy as sitting quietly on a system or network and listening, or executing a script downloaded from the internet. In a security mature organization, some of those issue may not exist or be exploitable. But consider what happens when the attacker spawns a fake login page on a workstation: The login page looks just like the traditional windows login, but takes the password and dumps it to an area that the attacker can access.
All of this gives proof to the fact that credentials are simply not enough anymore. Disk encryption typically and traditionally relies on user permissions and access to determine who can access and decrypt the data stored on the disk. Considering how easy it is to steal credentials today, are credentials proving to be valid keys for unlocking sensitive data? As a long time security practitioner, I have never been a fan of relying solely on disk encryption, as it often creates a false sense of security.
Enhancing Protection with Targeted Encryption
Encrypting the data itself with encryption mechanisms that are not directly connected to authentication credentials is key to helping to mitigate these issues. Can your encryption architecture vet decryption requests for who the individual is, where they are, and what type of data it is? This is a very difficult task, however it ultimately does address the risk in a much wider and more effective way than just disk encryption.
When using disk encryption, it would a be a huge lift to map data types to what’s encrypted and where: Disk encryption performs encryption on the disk itself, so the data typically would need to be parsed into partitions and isolated, then encrypted. How do you perform these tasks when your data is co-mingled, or different roles required different views of the same data set to be decrypted?
Encryption of the data at the element or column level across structured or unstructured data and in conjunction with masking can greatly reduce the reliance on disk encryption for meeting compliance and security program requirements to protect data. Performing more targeted encryption that automatically considers what data elements are present along with the user’s role is a top consideration to mature these operations across the entire enterprise.
Secure Files and Data with PKWARE
Targeted encryption begins with complete administrative control. Automated protection solutions such as PK Encryption, part of the PK Protect data discovery and protection solution suite, helps organizations define granular enterprise data protection policies and protect sensitive data at the element level wherever it is stored. PK Encryption provides businesses with the power to encrypt sensitive data in files and databases—as well as data that is being transmitted or moved—with decryption capabilities only for those with properly approved access. With options for persistent file and email encryption, format-preserving encryption, dynamic data encryption, and transparent data encryption, PK Encryption builds on existing disk encryption solutions to keep your data protected no matter how it is accessed and used, all without impacting how you do business.
Learn how PK Encryption can automatically protect your organization’s most sensitive data. Get a free personalized demo here.