Unravelling encryption

You only need to look at recent headlines to realise that data is still being stolen – the Russians allegedly stealing Covid-19 vaccination research for one. Organisations spend millions on IT security – identity and access management, disk encryption and data loss prevention, to mention just a few technologies that many resellers have in their portfolios. These are all great and necessary, but clearly there are still gaps between systems.

Often, when introducing the idea of file-level encryption to CISOs and CIOs, we hear, “But we already encrypt all our data”. When probed further, it turns out that what they mean is that they have full disk encryption. It’s shipped as part of Windows, and there’s a variety of products that help organisations to manage the technology.

The problem is that disk encryption is all about protecting data when it’s on a specific piece of hardware. Now, if you’re a cyber criminal and you’ve successfully compromised a legitimate user’s account – Twitter’s recent woes seem to have stemmed from this kind of criminal access – then you simply take a copy of all those company-in-confidence files out of the organisation’s network. Full disk encryption will happily hand over the goods, carefully removing the encryption on the way – no questions asked.

As for managed services, the customer is essentially outsourcing data security to the provider. But what happens when the managed service provider (MSP) gets hacked? MSPs are a great target for the cyber criminal because they hold data for multiple organisations, so it’s a one-hit hack with a bumper pay-off.

This all nicely illustrates the issue with the common approach to data security: information is stored in “security silos” where it is deemed to be protected. It’s a lot like putting cash into a safe. When a cyber criminal takes data out of its “safe”, it loses all its protection.

So, here’s the opportunity for the channel – look into solving the security silo problem for your customers who don’t want a brand-damaging, embarrassing and costly data breach. And the solution? Your customers should take a data-centric approach to security by deploying 100% file level encryption – every file, every place, every time. Yes, everything. After all, that’s what organisations are trying to do with disk encryption – it’s just that it’s not implemented in a way that actually secures data when it is stolen.

File-level encryption works all the time by building both authentication and security into data so that it becomes an inherent part of every file. This way, if information is stolen – taken out of its security silo – then it remains encrypted and therefore useless to the data thief. It’s a little like a very sophisticated way of password-protecting every file – but working silently in the background and without annoying the user, plus much, much stronger security.

By protecting all files, all the time, no matter where they are stored or copied, stolen data is rendered useless. Legitimate data users, however, must not be aware that any of this security is going on. If you ask users to make security decisions, they will often go with the choice of least resistance – which is usually the least secure.

This approach also resolves the potential problems for MSPs because the customer is now taking responsibility and control over their data security. So, no cloud service misconfiguration or rogue MSP administrator will result in a data breach, because all data is encrypted by the customer, not the MSP. 

And the best bit is that this also solves the age-old problem of insider data theft. Even where a user has legitimate access to information at work, if they steal data it will remain encrypted. No General Data Protection Regulation (GDPR) fines, no embarrassing headlines, no legal action.

By implementing a 100% file-level encryption approach, your customers can finally take control of data security – no matter whether the data is held in their network, with an MSP, or at an employee’s home.