How to Prevent the
Next Data Breach with Encryption (Part 1)
Another day, another costly data breach headline. This time, it was Sony Pictures as the victim
of a devastating cyber attack. Newspapers
report that North Korean hackers broke into Sony’s computer systems stealing
and exposing a trove of sensitive documents. The studio’s reputation is in tatters as embarrassing revelations spill
from tens of thousands of leaked emails, private documents and other company
sensitive materials. Millions of dollars
in lawsuits are expected from ex-employees over leaked Social Security number
and other personal information.
Sony is not alone. Security breaches and cyber attacks are
rising at an alarming rate. Verizon Data
Breach Investigation Reports indicated that between 2002 and 2012 over 1 billion
records were compromised. Some 97% could have been prevented with basic security
controls and data encryption. According to the Ponemon Institute Study, the
average cost to a breached company to investigate, notify and respond to these
attacks was $3.5 million in 2014—not including legal liabilities, regulatory
fines, and intangibles such as loss of customer confidence and brand reputation.
Data encryption is a much less expensive option.
What You Can Do to Secure
Data encryption provides very effective protection against malicious
cyber attacks, unauthorized access, use and theft of sensitive information. It
is not only a good business practice, but is fast becoming a compliance
requirement by many businesses and government agencies.
Data encryption uses very sophisticated algorithms to transform
plaintext into cyphertext that’s impossible to read without highly secure
encryption keys, such as those based on the 256-bit Advanced Encryption
Standards. Once encrypted, data can only be accessed and read with the corresponding
encryption keys, which need to be managed appropriately based on established
business security policies.
What and Where to Encrypt
To protect against breaches, you want to encrypt all your sensitive
information, both current and archived. There are several encryption options, including
encryption at the application, network, or storage levels.
Encryption: Data encryption at the
application level, like Oracle Database encryption, is performed by the
application at time of the data’s creation. This is good as encryption is done
at the source, but it’s application specific, and often puts a heavy load on
the application server negatively impacting application performance and
Encryption: Data is encrypted at the
network level (aka in-line encryption) either via a dedicated encryption
appliance or in a switch. While this might seem convenient, it does introduce
additional hardware, management complexity, and cost. It can also impact
network performance and increase pipe costs as encrypted data can’t be
compressed or de-duped, which is often a common practice when moving large
amounts of data over the network, like in the case of Business Continuity,
Replication and DR.
Encryption: Storage-level, or
data-at-rest encryption, is performed by the storage system itself, either by
the controller or special self-encrypting drives (SEDs). While both are effective, controller-based
encryption is more desirable as it’s more flexible, scalable and often less
expensive than the SED type. Controller-based encryption can be applied to all your
storage on standard drives and not just that on the specialized and much more
expensive SEDs. Data in-flight information, or network data, is often protected
by numerous existing network security and encryption standards and protocols, such
Storage-level (or data-at-rest) encryption is
the best option against data breaches and theft, potentially saving companies
millions of dollars in cost and reputation. It provides
the optimal data security by protecting all of your sensitive data across all
environments. Storage encryption is application, host, and transport
independent offering better security, higher performance, and lower cost than
application-level or network-level encryption without burdening the application
servers or increasing network loads.
In Part 2, I will review the Oracle ZFS Storage Appliance Encryption and Key