Skip to main content

Encryption: The Solution to Corporate Breaches?

February 24, 2015

In the aftermath of recent breaches, the discussion has centered around encryption of data, more specifically, data at rest, when data resides in the database. In some cases, experts have stated that if databases, file archives, etc., had been encrypted, the information would not have leaked. Along the same theme, some laws force companies to encrypt personal information. In a previous blog post I asked if there was a need for more legislation, but is legislation really effective? Let’s examine what encryption can do.

If you compare data to valuables in a bank vault, encryption is the actual vault. The vault most certainly protects the valuables in the vault; there is no question about that. However, if you give the bad guys unchecked access to the locked vault for three, six, nine months, or even a year, the bad guys will find a way to the data, through the vault. 

The same can be said for encryption and data. If you allow the bad guys to operate on your network for long periods of time, they will find a way to break the encryption. This can be done by pure brute force, stealing keys to the encryption, impersonation, or a combination of several different methods. 

Laptop and mobile device encryption, however, is a different story. You can achieve a reasonably high expectation of privacy by encrypting the devices, and configuring the encryption software to wipe the storage after a small amount of failed authentication attempts.

Let’s go back to data at rest in databases. Encrypting file archives or other methods of storage, unfortunately, is not the end all be all solution to corporate breaches. However, encryption will buy you time, if properly implemented. 

Encryption is not the silver bullet; you still need a network that actively works against the bad guys, a layered defense approach. The appropriate preventive controls should be put in place to block access to the data in the first place, the appropriate detective controls should be in place to identify unauthorized access, and then you need to have corrective controls in place to minimize the impact of a breach. 

My previous blog posts on data discovery and network design offer a deeper dive into layered defense.

Related Blogs

November 13, 2014

Busting Password Managers: Encrypting Passwords on the Client

Hypothesis: If passwords are encrypted (e.g. AES) on the client in JavaScript, then browsers will not save passwords. The Technique: Normally, it is i...

See Details

March 08, 2010

Recent Encryption Research Demystified

Last week, NetworkWorld published an article  under the headline “RSA 1024-bit private key encryption cracked.”  RSA encryption was one of the first w...

See Details

December 23, 2014

The Transcendence of Breach Assessments

This blog post isn’t intended to be a panacea that will resolve past, present and future organization security breaches. That is a tall order many fee...

See Details

How Can We Help?

Let us know what you need, and we will have an Optiv professional contact you shortly.


Privacy Policy

Related Insights

July 21, 2015

Network Security Solutions

Learn how we help protect your environment while maintaining connectivity.

See Details

July 21, 2015

Data Security Solutions

Learn how we can help secure your date throughout its lifecycle.

See Details

July 21, 2015

Application Security Solutions

Learn how Optiv can help with web, email and application protection.

See Details

Stay in the Know

For all the latest cybersecurity and Optiv news, subscribe to our blog and connect with us on Social.

Subscribe

Join our Email List

We take your privacy seriously and promise never to share your email with anyone.

Stay Connected

Find cyber security Events in your area.