Stories about cyberattacks and security breaches are popping up more and more frequently in the news and it seems as though no company is immune to the sophisticated strategies hackers use to obtain high value confidential data. These data hacks result in bad PR, lost customer trust, possible fines, and potentially ruined reputations. Needless to say, it should have you questioning whether or not your data is properly protected, and the answer is — it’s probably not.
With every new advancement in technology comes new security challenges. And with each new piece of technology, comes someone who’s figured out how to attack it. Whether your data is stored on a server or in the cloud, you’ve no doubt encrypted your data. You can pat yourself on the back because in the cloud, 43% of databases are unencrypted. But providing basic encryption at the disk level, even when done properly (which it often isn’t) won’t be enough to keep your data safe.
The failures of disk-layer encryption
When using disk-layer encryption, you’re essentially attempting to protect your storage medium as a whole against unauthorized users or physical attacks. Typically, the entire drive is encrypted with a single encryption key, and often, the encryption key is stored on the very same hardware (e.g. motherboard/TPM chip), or in poorly implemented disk layer encryption schemes, the same drive as the encrypted data. This allows developers to easily change the encryption key when needed, but it also makes it easier for hackers to access sensitive information.
That’s because if an attacker is able to gain access to the encryption key by stealing a user’s credentials, they can then access any of the information stored on the drive or they can download the encrypted data and the encryption key and perform the decryption offline. This is a common scenario, in fact, 76% of data breaches begin with an attacker stealing and using the credentials of a privileged account.
What’s worse, once stolen credentials are used to log in, any application tied to the compromised account can access the unencrypted data. Yeah, yikes. That makes for a vast attack surface and attackers may exploit any application tied to an account to gain access to sensitive data. Not cool.
How does this happen?
You’re probably asking yourself: how did we get here? And by “here” I mean a place where your seemingly safe, encrypted data isn’t truly protected, and your customers’ sensitive data can be leaked at any moment. Well, the answer is pretty simple. Many organizations have taken a piecemeal approach to security and encryption efforts are siloed, leaving gaps in your security.
These security efforts are typically an afterthought, that are put in place after a compromise or red flag has been raised. In our fast-paced, “go-to-market-as-fast-as-possible” environment, developers are cranking out products at a pace security teams can’t keep up with. This means developers are often building insecure applications and deploying them before security teams can test them. Your developers may be using antiquated encryption strategies, broken algorithms or even fully functioning algorithms but in the wrong way — and your security teams, or upset customers, only catch these mistakes after the product has been deployed.
But your developers aren’t to blame. They’re not security experts and encryption algorithms are really difficult to get right as one small flaw can render them ineffective.
So, the question becomes, how do you truly secure customers’ sensitive information? And the answer is with application-layer security.
The future of data security and principle of least privilege
It’s no longer viable to simply secure the perimeter of your network or the hardware itself to prevent a data breach. The data also needs to be secured at the application layer. This means that the data should be encrypted by the application and only that application will have access to the encryption key. To reduce your organization’s attack surface, third-party applications and individual users shouldn’t have access to the encrypted data or its underlying keys. The only avenue for an attacker to access encrypted data in any meaningful way would be through the functionality exposed by the application itself – something that can be easily audited for authorization and access control issues.
How to adopt a ‘security-as-code’ culture
Securing your data at the application level requires your organization to adopt a ‘security-as-code’ culture. Developers and security teams need to work together more closely to secure applications and data on a more fundamental level. Security needs to become a fundamental part of the software and should be embedded into the development cycle. If your security teams are brought into the development cycle at an earlier stage, they can give developers the tools to build more secure applications.
One such tool is an API that encrypts data on the application level. By plugging in a few lines of code, developers can encrypt and secure data without needing to be encryption experts. It simplifies the complexities of encryption for your team and eliminates any instances of developers implementing cryptographic primitives incorrectly. Your customers’ data will be truly secure, and you no longer need to sweat the threat of a security breach.