No Worries, We Have the Biggest FireWall. Oh Look, a Pretty Horse, Bring It Inside!

By Ameesh Divatia

There are plenty of security solutions designed to secure the fences that are the first line of defense in most organizations, but what about the threat from within? Recent high-profile leaks of highly sensitive data by NSA contractors Harold Thomas Martin and Edward Snowden are waking enterprises up to the fact that traditional perimeter security is not enough.

As per the 2016 Cyber Security Index, IBM Security found that 60% of breaches were caused by insiders, either inadvertent actors whose credentials were compromised or insiders with malicious intent. Insiders are employees, contractors or consultants who have access to a company’s physical or remote assets. Inadvertent actors are instigated by insiders to cause harm by posing as them. What’s become increasingly clear is that despite the roughly $75 billion spent on cybersecurity reported by Gartner, data breaches continue to escalate. This is because the attack vectors are changing. Rather than penetrate an organization’s IT network by breaching the firewall, hackers get in on the inside with compromised credentials and lie in wait for months before attacking the data repositories.

Unfortunately, these kinds of insider threats are very difficult to identify because conventional security mechanisms like identity and access management or authentication can be fooled into treating the hacker’s access as legitimate. Being proactive can help. For example, behavioral analytics of IT activities can identify threats, but it is only a matter of time before hackers learn to fool these tools as well.

Preventing Insider Threats

The best solution is prevention at the data record level. Protecting the data as soon as it is created, using impenetrable encryption algorithms like AES, makes the data unusable without the corresponding encryption keys. The next step is to make sure that the keys are kept separate from the encrypted data. This ensures that gaining access to the data store does not compromise the data, because it yields only ciphertext.

According to the site, breachlevelindex.com, out of the 5.8 billion records that have been lost or stolen since 2013, only 4% consisted of encrypted data that was essentially useless to the hacker. Since most data is not encrypted, hacking continues to be a lucrative business.

Encryption Adoption Challenges

The initial challenge faced by security administrators when creating an encryption strategy is identifying what data to encrypt. Next, deciding what encryption technology to use requires detailed knowledge of cryptography, which is not easily available. Managing keys is a significant challenge because if a key is lost, the data encrypted under it is of no use. The additional mathematical processing involved in encrypting data adds to the cost of computing and increases latency for applications that need to access that data.

In short, adopting encryption can have a significant impact on enterprise application workflows because the data is transformed, and implementing it properly would require a significant development exercise. To get around this, security administrators tend to take the easy way out by allowing a cloud provider to encrypt the media on which the data resides, or by using self-encrypting drives if the data is on premises. These shortcuts let them meet minimal compliance requirements but do not thwart hackers, because both the data and the keys are in the clear while the data is being processed.

Mitigating the Insider Attack Threat

The solution to the insider threat requires a multi-step approach. First, the data and the keys should be accessible only to authorized applications under programmatic control. This prevents a database administrator’s credentials from being used to steal data, whether by an insider or by someone posing as one.

Second, applications should be able to access and process data in databases without decrypting the data in memory. This prevents malicious insiders or malware from using tools like memory scrapers to extract data from memory. If the data in memory is available in the clear, it can be stolen if a hacker gains access to that server or if the database administrator’s credentials are stolen.

Last but not least, encryption approaches need to be developed that are easy to integrate, manage keys seamlessly and have little or no application performance overhead.
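The record-level protection described above (encrypt each field with AES at creation, keep the key apart from the data store, and release the key only to authorized applications under programmatic control), as an added illustration in Go that is not part of the original article or any Baffle product; the key service, application identities and the "DBA account" denial are constructed assumptions, and the second step (processing data without decrypting it in memory) is not shown:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// KeyService is a constructed stand-in for a key manager held apart from the data store:
// it releases the data key only to allow-listed applications, never to a DBA account.
type KeyService struct {
	aead       cipher.AEAD
	authorized map[string]bool
}

// NewKeyService wraps an AES-256 data key (from an HSM or KMS in a real deployment).
func NewKeyService(key []byte, authorized map[string]bool) (*KeyService, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &KeyService{aead: g, authorized: authorized}, nil
}
// Cipher is the programmatic control point: identities not on the list get nothing.
func (k *KeyService) Cipher(appID string) (cipher.AEAD, error) {
	if !k.authorized[appID] {
		return nil, errors.New("key release denied for " + appID)
	}
	return k.aead, nil
}
// Record is all the database holds for a field: a fresh nonce plus AES-GCM ciphertext.
type Record struct{ Nonce, Ciphertext []byte }
// EncryptRecord seals one field at creation time, before it reaches the store.
func EncryptRecord(g cipher.AEAD, plaintext []byte) (Record, error) {
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	return Record{Nonce: nonce, Ciphertext: g.Seal(nil, nonce, plaintext, nil)}, nil
}
// DecryptRecord recovers the field; AES-GCM also rejects any altered ciphertext.
func DecryptRecord(g cipher.AEAD, r Record) ([]byte, error) {
	return g.Open(nil, r.Nonce, r.Ciphertext, nil)
}
```

A dump of the store, or a DBA login that is not an allow-listed application, yields only nonces and ciphertext; the AEAD tag also makes silent modification of stored records detectable.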


About Ameesh Divatia

Ameesh Divatia is Co-Founder & CEO of Baffle, Inc. He has a proven track record of turning technologies that are difficult to build into successful businesses, selling three companies for more than $425 million combined in the datacenter infrastructure market.
