IT Security Guru
Encryption is a Red Herring – Segmentation is the key to Effective Security

by The Gurus
September 3, 2015
in This Week's Gurus

A new month, a new data breach. This time the Office of Personnel Management (OPM), a major U.S. government agency, had to reveal that on top of an initial breach of 4.2 million personnel records, a further 15 million records holding detailed background investigation information may have been compromised. The implications for both the affected employees and the wider government infrastructure are significant.
In the inevitable high-profile fall-out, debate has raged about the lack of encryption at the OPM, even though encryption alone could not have prevented a breach on this scale: there was no effective, secure segmentation of users or data. As organisations make haste to avoid another such monumental breach of personal information, Paul German, VP EMEA, Certes Networks, warns against repeating the old mistakes and argues that the OPM breach really shows it is time to think differently about security and embrace cryptographic user-to-application segmentation.

Theories Abound 

Every major data breach prompts a huge array of theories about what could and should have been done to prevent it, and the OPM breach was a doozy. When millions of personal records about government employees go missing, the investigations are both intense and high profile. From the extensively reported hearing by the House Committee on Oversight and Government Reform to calls for the OPM's senior management to resign, this is a breach that has played out in the public eye.
The general conclusion has been that the biggest issue was not the failure to block the initial intrusion but the lack of controls, the slow time to detection and the absence of other safeguards that should have prevented intruders from obtaining any useful information. The fact that the stolen data was not protected by data masking, redaction or encryption is something of a red herring. What the OPM breach really highlights is the weakness of traditional network-based segmentation: compromising a single user's identity was enough to reach a mass of cross-organisational information.
Yet in an era of a continually evolving threat landscape and an increasingly diverse and complex underlying IT architecture, how can a Chief Information Security Officer (CISO) impose greater control and achieve that essential user-specific level of application and data control?

Security Best Practice

Some aspects of security best practice are now a given. A defence-in-depth approach that combines multiple layers of prevention and detection technology with procedural controls and policies is essential; user identification and access control is a standard tool for central administration; and intrusion detection tools are increasingly important for identifying breaches before intruders have had time to exfiltrate large volumes of data, although this last point is one with which organisations continue to wrestle.
Other areas of security best practice remain less settled. One of the biggest issues still challenging the CISO is the need to segment sensitive from non-sensitive applications, or to segment networks into manageable areas that not only restrict access but also ensure that, should unauthorised access occur, critical applications and data are not compromised.
One fact, however, is clear: simply throwing encryption into the mix is not the answer. As OPM spokespeople have insisted, even if the information had been encrypted, it might not have been enough to stop attackers obtaining usable data from this intrusion. According to the OPM, an intruder holding the credentials of a user on the network can access data even if it is encrypted, just as legitimate users on the network must be able to, and that is what occurred in this case.
Had the OPM had effective segmentation in place, this breach could never have reached such a scale, because the intruder could only have accessed the data and applications that the compromised user was permitted to reach. Lateral movement from the compromised application into more sensitive applications would have been prevented, containing the breach and limiting its impact through segregation and compartmentalisation.

Software Defined Security

So how can that be achieved? The key is to use encryption in a highly focused and targeted way: to create a cryptographic flow between each user and each application. Building on the identity and access control technology already widely deployed, a cryptographic relationship creates an explicit link between each user and the data and applications that user is permitted to reach. With this approach, an organisation can ensure that in the event of a breach the intruder cannot reach beyond those defined privileges to access other restricted information.
One of the most compelling aspects of this model is that it removes infrastructure-specific constraints and embraces a software-defined approach to security. Applications and data are spread across a hugely diverse infrastructure: LANs and WANs, private and public clouds, mobile networks, the Internet and other environments. The segmentation techniques used in each part of that infrastructure are equally diverse and fragmented, with VLANs, IPsec, TLS, SSL, ACLs and a range of other tools all playing a role in separating traffic. This 'segmentation fragmentation', and the difficulty of configuring and managing it end to end, is the primary reason that effective segmentation is so rarely deployed in practice.
With a specific 'user to application' cryptographic relationship, the infrastructure becomes irrelevant. The only questions are: which applications and data should each user be permitted to access, and how should they be permitted to access them? The answers should then guide a segmentation implementation that is oriented around users and applications, not the infrastructure.
Most importantly, this evolved approach to access control and application protection can be driven by business rules and requirements rather than being limited by what the infrastructure can deliver.
Taking this approach, the lateral movement that occurred in the OPM breach is blocked. Rather than relying on traditional network segmentation to control access, the cryptographic relationship between a user and their permitted applications means that if the user is compromised, the intruder gets access to that permitted information and no further. The intruder cannot use a single compromised user identity to gain free access across the board and hop from one application to another holding more sensitive data.
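As an added example, not code from the original article or from Certes Networks, the following Python sketches the model this section and the 'Security Best Practice' section describe: a controller derives one key per permitted user-to-application relationship, an application accepts a flow only under the key that policy assigns to that pair, and a fully compromised user identity therefore reads exactly what that user was permitted to read and nothing more. The users, applications, policy, controller and traffic are all constructed for illustration, and the HMAC-based cipher stands in for a real AEAD so that the example runs on the standard library alone.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional

# Constructed policy (hypothetical users and applications): which applications
# each user identity may reach. In practice this comes from the IAM system.
POLICY = {
    "alice": {"hr-portal"},
    "bob": {"hr-portal", "background-investigations"},
}


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF (extract, then expand) with HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def _keystream_xor(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 in counter mode as a keystream, used so the example runs on
    the standard library alone; a real deployment would use an AEAD (AES-GCM)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(enc_key, nonce + struct.pack(">I", i // 32), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def seal(flow_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under keys derived from one user-to-application flow key."""
    nonce = os.urandom(16)
    body = _keystream_xor(hkdf_sha256(flow_key, b"", b"enc"), nonce, plaintext)
    tag = hmac.new(hkdf_sha256(flow_key, b"", b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def open_sealed(flow_key: bytes, blob: bytes) -> Optional[bytes]:
    """Verify the tag under this flow key and decrypt; None on any failure."""
    if len(blob) < 48:
        return None
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(hkdf_sha256(flow_key, b"", b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return _keystream_xor(hkdf_sha256(flow_key, b"", b"enc"), nonce, body)


class SegmentationController:
    """Derives one key per permitted (user, application) relationship from a root
    secret. A pair outside policy has no key at all, so a compromised identity
    holds nothing it could reuse against other applications."""

    def __init__(self, root_key: bytes):
        self._root = root_key

    def flow_key(self, user: str, app: str) -> Optional[bytes]:
        if app not in POLICY.get(user, set()):
            return None
        return hkdf_sha256(self._root, b"user-to-application", f"{user}|{app}".encode())

    def keys_for_user(self, user: str) -> Dict[str, bytes]:
        """Everything an attacker obtains by fully compromising this identity."""
        return {app: self.flow_key(user, app) for app in POLICY.get(user, set())}


def app_accepts(ctl: SegmentationController, app: str, claimed_user: str, blob: bytes) -> bool:
    """Application-side check: the message must verify under the key policy assigns
    to (claimed_user, app). No such key, or the wrong key, means rejection."""
    key = ctl.flow_key(claimed_user, app)
    return key is not None and open_sealed(key, blob) is not None


def lateral_movement_demo() -> Dict[str, bool]:
    """Attacker holds alice's credentials and every flow key alice was issued."""
    ctl = SegmentationController(os.urandom(32))
    stolen = ctl.keys_for_user("alice")
    hr_key = stolen["hr-portal"]
    # Constructed traffic between bob and the sensitive application.
    bob_blob = seal(ctl.flow_key("bob", "background-investigations"), b"SF-86 record")
    probe = seal(hr_key, b"give me everything")
    return {
        # The permitted relationship still works: the attacker sees what alice could see.
        "alice_reaches_hr_portal": app_accepts(ctl, "hr-portal", "alice", seal(hr_key, b"hello")),
        # No (alice, background-investigations) key exists; nothing to verify against.
        "alice_reaches_investigations": app_accepts(ctl, "background-investigations", "alice", probe),
        # Impersonating bob with alice's key fails the tag check.
        "alice_key_as_bob": app_accepts(ctl, "background-investigations", "bob", probe),
        # Stolen keys do not decrypt another relationship's traffic.
        "stolen_keys_read_bob_traffic": any(open_sealed(k, bob_blob) is not None for k in stolen.values()),
    }


if __name__ == "__main__":
    for check, result in lateral_movement_demo().items():
        print(f"{check}: {result}")
```

Run it and the four checks come out True, False, False, False: alice's stolen keys work against hr-portal, are useless against background-investigations in her own name because policy assigns that pair no key, fail the tag check when presented as bob, and do not decrypt bob's traffic. The design point is that the application, not the network path, enforces the policy, so the same check holds whether the traffic crossed a LAN, a VPN or the public Internet.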

Conclusion 

There has been a huge knee-jerk reaction to the OPM breach, with demands that encryption be enforced across the US public sector to safeguard this critical data. The risk is that organisations make the whole process too complicated and still fail to achieve the level of security required. There is a world of difference between encrypting data up to the point of entry and using encryption to manage the relationship between a user, the devices they may use and the permitted applications wherever they reside. Encryption alone is not the answer. The solution lies in strong encryption married to identity and access management controls, aligned with applications and user access rights as determined by business rules.
Organisations need to start thinking about security differently, and it is that user-to-application cryptographic relationship that will finally be the key to preventing these huge, and continuing, breaches of vital data.
