Until now, widespread encryption as a form of asset protection has been held back by several factors. The first is the sheer amount of computing resources required to encrypt data with the technology of the day.
Cryptographic engines have historically been slow: a software cipher spends CPU cycles on every byte it touches, and the surrounding logic that decides what gets encrypted, under which key and when, is complex and changes over time. Organizations have therefore chosen to minimize how much of their data is encrypted in order to meet service level agreements and other performance targets. That trade-off deserves a fresh look, because modern CPUs with dedicated AES instructions make bulk symmetric encryption cheap; what remains expensive is the key management and integration around it.
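The performance claim above is easy to measure rather than assume. The following added example (not code from the original article) seals a buffer with AES-256-GCM in fixed-size chunks, the "encrypt everything, decide nothing per item" pattern the article credits to mobile operating systems, and reports the throughput on the host it runs on. It also shows the two checks a practitioner wants from an at-rest scheme: a flipped byte or wrong key fails authentication, and because the chunk index and a last-chunk flag are bound in as associated data, reordering chunks or truncating the stream at a record boundary fails as well. Chunk size, record layout and the random key are choices made here for illustration, not a standard format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// chunkSize is the plaintext size of one sealed record (an assumed layout for
// this example). Each record carries its own 12-byte nonce and 16-byte GCM tag,
// so storage overhead is 28 bytes per chunk.
const chunkSize = 64 * 1024

// chunkAD is the associated data bound into each chunk: its index plus a
// last-chunk flag, so reordering chunks or truncating the stream at a record
// boundary fails authentication instead of silently succeeding.
func chunkAD(idx uint64, last bool) []byte {
	ad := make([]byte, 9)
	binary.BigEndian.PutUint64(ad, idx)
	if last {
		ad[8] = 1
	}
	return ad
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealAll encrypts the whole buffer chunk by chunk with a fresh random nonce per
// chunk. There is no per-item "should this be encrypted?" decision on the path.
func SealAll(key, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	chunks := (len(plaintext) + chunkSize - 1) / chunkSize
	out := make([]byte, 0, len(plaintext)+chunks*(aead.NonceSize()+aead.Overhead()))
	for idx, off := uint64(0), 0; off < len(plaintext); idx, off = idx+1, off+chunkSize {
		end := off + chunkSize
		if end > len(plaintext) {
			end = len(plaintext)
		}
		nonce := make([]byte, aead.NonceSize())
		if _, err := rand.Read(nonce); err != nil {
			return nil, err
		}
		out = append(out, nonce...)
		out = aead.Seal(out, nonce, plaintext[off:end], chunkAD(idx, end == len(plaintext)))
	}
	return out, nil
}

// OpenAll reverses SealAll. A flipped byte, swapped chunk, wrong key or
// boundary-aligned truncation returns an error rather than corrupt plaintext.
func OpenAll(key, sealed []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	minRec := aead.NonceSize() + aead.Overhead()
	fullRec := minRec + chunkSize
	out := make([]byte, 0, len(sealed))
	for idx := uint64(0); len(sealed) > 0; idx++ {
		n := fullRec
		if len(sealed) < n {
			n = len(sealed)
		}
		if n < minRec {
			return nil, errors.New("truncated record")
		}
		nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():n]
		pt, err := aead.Open(nil, nonce, ct, chunkAD(idx, n == len(sealed)))
		if err != nil {
			return nil, fmt.Errorf("chunk %d: %w", idx, err)
		}
		out = append(out, pt...)
		sealed = sealed[n:]
	}
	return out, nil
}

// Throughput seals nbytes of random data and returns MiB/s: a direct check of
// the "encryption is slow" claim on the machine it runs on.
func Throughput(key []byte, nbytes int) (float64, error) {
	buf := make([]byte, nbytes)
	if _, err := rand.Read(buf); err != nil {
		return 0, err
	}
	start := time.Now()
	if _, err := SealAll(key, buf); err != nil {
		return 0, err
	}
	return float64(nbytes) / (1 << 20) / time.Since(start).Seconds(), nil
}

func main() {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	mibps, err := Throughput(key, 64<<20)
	if err != nil {
		panic(err)
	}
	fmt.Printf("AES-256-GCM, %d KiB chunks: %.0f MiB/s\n", chunkSize/1024, mibps)
}
```

Go's crypto/aes uses the processor's AES instructions where they exist, so on current x86-64 and arm64 hardware the figure printed is typically in the gigabytes per second; the rest of a storage pipeline, not the cipher, is then the bottleneck. Random 96-bit nonces are acceptable for the chunk counts a single file produces; a scheme sealing billions of records under one key should derive nonces from a counter instead.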
The other bar to widespread encryption has been cost. Whether calculated as part of TCO or by cost allocation based on system activity, encryption has been an extremely costly feature to implement and maintain. It is not just the expense of the hardware and software that drive the encryption, but the significant amount of staff time required to determine what is to be encrypted, under which keys, and on what policy basis.
With cryptographic engines that depend on human decisions, the flow of encrypted data has been an exception path that interrupts an application's otherwise straightforward processing. That extra component in the processing stream causes a significant delay and requires ongoing care from knowledgeable personnel.
There are exceptions to this state. The large majority of mobile devices, such as phones, use encryption broadly to protect their data. The process is built into the ongoing operation of the device, requires no significant hands-on maintenance, and does not appreciably degrade performance. This enviable position is in part due to the smaller volume of data handled on the devices: where the data items are fairly short, the bandwidth the device needs to encrypt them is proportionally smaller, and the performance drag is correspondingly less.
The other major contribution to the ability of mobile devices to maintain encryption protection is that the cryptographic process is built into the operating system, and on many devices into a dedicated hardware AES engine in the storage path. This means there are no independent decisions about whether to encrypt or not; all the data is simply processed. This is not to say that there is no at-risk data on a mobile device. Especially on devices that have been jailbroken or rooted, or that run a more open operating system, there is a fair amount of hacking activity. However, the more closed operating systems, such as iOS, maintain a high level of encryption and do so in a cost-efficient and timely manner.
The result is that there is more encrypted data carried on cell phones than there is in data centers around the world. One could argue that more attention is paid to protecting the privacy of the individual than to protecting corporate and organizational assets. The counterargument is that business runs on cost-benefit analysis. When risk and benefit are balanced against exposure, the cost side most frequently wins out.
The rise in concentrated hacking has changed that consideration. Where the probability of damage, theft, or subversion is low, the prudent business may very well not consider encryption a significant factor. However, with the rise in incursions and associated damage, the business case has shifted.
The average share of capacity consumed by security perimeter defense has gone from less than 2% ten years ago to as high as 68% in the global market today. The cost and risk-benefit analysis needs to be reevaluated. Normal planning parameters are breaking as organizations' ability to tabulate and evaluate risk properly is crippled by lack of data.
Executive management cannot adequately set strategy, control finances, and deliver services without protection for its assets and valid data feeding its decisions. That exposure can be seen easily by looking at the 2017 market: news articles call out organizations caught short in this position almost every day. Choices that would have been reasonable five years ago, in a less combative environment, are naive in the cyber business world we are living in.
The changing paradigm that is being demanded is one that alters the way organizations evaluate risk. With the combination of passive and active risk, a better understanding of vulnerabilities and exposures can provide important input to critical thinking. Additionally, shifting from a focus on perimeter defenses to one that incorporates both perimeter and internal defenses has become cost justified, even with the current state of encryption.
The challenge is for the technology that supports cyber business to expand its offerings in a changed universe: to develop the technology and mechanisms that will allow data at rest to be protected.
Eventually, every perimeter defense can be breached, whether by an overpowering attack from rapidly changing directions, by deception, or by subversion of personnel.
When the castle walls are broken and the cyber barbarians storm through the breach, will they find your organizational assets lying there ripe for the plucking? Or will there be another layer of defense that operates automatically, irrespective of application and irrespective of other budgetary considerations? Will your data be encrypted and of limited use to them, or will it be there for theft and damage?
Cyber business is at war, and your assets are at risk. How are you going to protect them?