Siamak Nazari, CEO of Nebulon, discusses the data encryption lessons that enterprises can learn from consumer tech
In every country, requirements around data security and compliance regulations are continuously under review, and IT professionals face an ever-more-complicated challenge to secure their data. In parallel, organisations encounter a growing number of threats – from phishing and social engineering to network breaches – that require new procedures and technologies.
One attack which recently made the headlines resulted from unencrypted decommissioned equipment. In this highly publicised case, confidential personal information, including social security numbers, was compromised. It is alleged that unwiped data was left on the decommissioned data centre servers in an unencrypted form due to a software flaw. With this, the enterprise paid $60 million to settle a data breach lawsuit.
Data breaches of this kind are not out of the ordinary. In fact, it is bewildering that encryption continues to be a stumbling block for enterprises in the 2020s. To explain why, we need to take a step back.
Take your phone, for example. You do not need to manually encrypt the data, nor do you need to manually manage or think about an encryption key. For Apple and Android users alike, the personal data on our phones is encrypted by default. If you lose your phone, you do not have to worry that the data on that phone could be accessed by whoever finds it. Astonishingly, this is not the case for enterprise data. Whether it is stored in data centres centrally or at the edge, data is often not encrypted by default as it is for consumers. This is clearly a serious issue for various sectors, especially those with large edge deployments such as telecom, finance, retail, and healthcare where multiple edge locations mean a greater number of potential entry points for hackers.
So, what can enterprise IT teams learn from this data breach, and from the way consumer devices protect our data? To ensure the security of an organisation’s business and customer data, here are two key demands that IT teams should make when discussing their infrastructure needs.
Automated and always-on data-at-rest encryption
Data-at-rest encryption means that data is protected wherever it is stored. It is likely that the data breach mentioned earlier occurred because the organisation had never enabled data-at-rest encryption for the data on the decommissioned servers that were responsible.
If Joe Bloggs doesn’t need to think about whether the information on his phone is encrypted or not, why should it be any different for enterprises? How can an organisation’s IT infrastructure deliver the same standard for its data?
To do this, it is vital to look at the software and the hardware layers at the same time. Security must be built into the hardware for the software to be secure. One way to achieve this is to create the encryption key at the hardware layer. This reinforces protection against any malware that enters via backdoors related to software vulnerabilities. It also provides a solid foundation for secure authentication, encryption key management, and secure boot. Users can avoid having to manage encryption keys and can also reduce the risk of human error when hardware-generated keys are securely maintained at the hardware layer.
In short, a master, hardware-based encryption key works like a smartphone, meaning that the data is automatically encrypted when it is written to the hardware. Encryption is always on, and the user or IT admin doesn’t need to think about it.
In addition to encryption-at-rest, IT teams should also consider employing in-flight encryption for protection against man-in-the middle attacks, as well as two-factor authentication and Role-Based Access Control (RBAC), which ensures that users can only access the data they need.
Inherent erasure of boot or local data drives on decommissioned servers
Assuming the data is encrypted from day one, the simplest and most effective way to protect customer data after the server is decommissioned is to destroy the encryption key. This does not take longer than a few seconds. When an encryption key has been destroyed, the encrypted data is permanently inaccessible. It means that even if the equipment is misplaced or stolen, the data cannot be unencrypted and accessed with zero risk of a data breach occurring.
In a world where data is the new oil and data breaches occur at an alarming frequency, automated and “always-on” data encryption must be a default for all data centre infrastructure devices. This is a critical area where enterprise technology can learn a lesson from consumer technology. By leaving no margin for human error, automated encryption will provide a vital layer in protecting an organisation’s data.
Related:
Busting the full disk encryption myth — Nigel Thorpe, technical director at SecureAge, unravels the facts around full disk encryption when it comes to protecting data against ransomware attacks.
The best IT compliance tools for your business — Exploring the best IT compliance tools and methods that are suitable for all types of business.
