Dark Reading is part of the Informa Tech Division of Informa PLC

7/2/2018
08:05 AM
Joe Stanganelli

Seamless Cloud Security Depends on Encryption Done Right

As enterprises shift to the cloud, there's a debate about what's best for securing data as it moves from one platform to another. A Boston startup is looking to encrypt data both in motion and at rest, and this could be the next big trend.

To the InfoSec neophyte, it may seem axiomatic that data should be encrypted always and everywhere -- particularly in the age of the so-called "seamless" cloud.

And, despite sophisticated arguments to the contrary, one recently funded Boston-area startup is founded on the proposition that the neophytes are right.

Some pundits contend that accessibility tradeoffs may outweigh any security benefits when it comes to encrypting data at rest in addition to data in transit -- not least of all because compromising the right user's credentials can make encryption a moot point. (See My Cybersecurity Predictions for 2018, Part 4: Regulating Encryption.)

In an interview with Security Now, Randy Battat, CEO of email- and file-encryption startup PreVeil, countered that -- tradeoffs aside -- end-to-end encryption of data both in transit and at rest is vital to seamless cloud security because of infrastructural trends -- particularly as IT organizations evolve from on-premises to hybrid clouds, from hybrid clouds to multicloud, and from all of the above to seamless cloud environments.

Additionally, for Battat, an even more pervasive yet often overlooked problem lies in the data in between: data in use.

"There's a new generation of apps emerging to deal with this latent... legacy problem of plaintext data living on servers," Battat said. "Whether it's encrypted at rest or in transit, the problem is plaintext data being decrypted in use."

While not everyone is in agreement, these trends have some analysts thinking about encryption in the cloud era in new ways.

"Encrypting data at all times (at rest, in transit, and during processing) and during the whole data lifecycle -- from creation to destruction -- is that 'ideal world' that we all look for," Martin Whitworth, IDC's Research Director for European Data Security and Privacy, wrote to Security Now. "Unfortunately, practicalities often get in the way."

The way Battat puts it, however, security trends themselves have become impractical -- often amounting to little more than "building higher and higher walls" that do no good when intruders get in through a door or a window. While data segmentation is increasingly deployed to achieve data-stewardship goals in seamless cloud environments, these goals may be undermined by the very accessibility measures that make seamless clouds so seamless to begin with. The fundamental end-to-end security problem of email and file sharing lies in the accessibility demands inherent in those applications' nature: they require data to be stored indefinitely (sometimes forever).

"Certain discoveries are only unlocked when you have enough mass," Stefaan Vervaet, Western Digital's Senior Director of Strategic Alliances and Market Development, wrote in a recent blog post. "It's no surprise that some companies may decide to never delete data again."

Many enterprise IT organizations wind up with a severely poor software-development lifecycle (SDLC) -- having sensitive data hiding in all of the places where they didn't intend and don't know about, often in multiple centralized locations. (See Uber Loses Customer Data: Customers Yawn & Keep Riding.)

"Centralization creates exposure," points out PreVeil's "manifesto." "If an attack on a single server or network device yields vast quantities of valuable information, one can be sure the attackers will target this central point of failure."

While the decentralization of a seamless cloud can thereby aid information security, new problems crop up in such an environment as accessibility issues intersect with particularized processing challenges.

"If you have a hybrid [cloud], how do you effectively manage the encryption schemes (and keys) across these different environments?" Whitworth said. "[This includes] the challenges of managing keys -- not just for encryption/decryption, but also the issues of key rotation, issuance, cancellation, distribution, etc."


PreVeil's end-to-end encryption (based on XSalsa20, a stream cipher) for file sharing and email purports to work similarly to applications like Dropbox, with users being able to "drag and drop" to encrypt data and synchronize that encryption across all devices -- all without having to be concerned with individual keys. Battat reports that PreVeil's cloud servers, meanwhile, see neither any of the plaintext data nor the decryption keys. Additionally, because access is validated cryptographically rather than by whatever business logic has been stored on the servers for administrative access, an intruder who has compromised one VIP admin or executive does not necessarily get the whole pot of gold.
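To make the client-side model concrete, here is an added reference implementation of the XSalsa20 stream cipher (written for this page, not PreVeil's code) with a constructed upload/download pair showing that what the server stores is only a nonce plus ciphertext, never the key or plaintext. The client_upload/client_download names are assumptions, and the bare stream cipher carries no authentication tag (NaCl pairs XSalsa20 with Poly1305), so a real deployment would add a MAC before trusting a downloaded blob.

```python
import os
import struct
MASK = 0xFFFFFFFF
SIGMA = struct.unpack("<4I", b"expand 32-byte k")  # Salsa20 constant words

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def _qr(s, a, b, c, d):  # Salsa20 quarterround, in place on the 16-word state
    s[b] ^= _rotl((s[a] + s[d]) & MASK, 7)
    s[c] ^= _rotl((s[b] + s[a]) & MASK, 9)
    s[d] ^= _rotl((s[c] + s[b]) & MASK, 13)
    s[a] ^= _rotl((s[d] + s[c]) & MASK, 18)

def _rounds(s, n=20):  # n/2 double rounds: a column round then a row round
    for _ in range(n // 2):
        _qr(s, 0, 4, 8, 12); _qr(s, 5, 9, 13, 1); _qr(s, 10, 14, 2, 6); _qr(s, 15, 3, 7, 11)
        _qr(s, 0, 1, 2, 3); _qr(s, 5, 6, 7, 4); _qr(s, 10, 11, 8, 9); _qr(s, 15, 12, 13, 14)

def _state(key, inp16):  # 32-byte key plus 16 bytes of nonce/counter input
    k = struct.unpack("<8I", key)
    n = struct.unpack("<4I", inp16)
    return [SIGMA[0], *k[:4], SIGMA[1], *n, SIGMA[2], *k[4:], SIGMA[3]]

def _hsalsa20(key, nonce16):  # subkey from the key and the first 16 nonce bytes
    s = _state(key, nonce16)
    _rounds(s)
    return struct.pack("<8I", *(s[i] for i in (0, 5, 10, 15, 6, 7, 8, 9)))

def _salsa20_block(subkey, nonce8, counter):  # one 64-byte keystream block
    s0 = _state(subkey, nonce8 + struct.pack("<Q", counter))
    s = list(s0)
    _rounds(s)
    return struct.pack("<16I", *((a + b) & MASK for a, b in zip(s, s0)))

def xsalsa20_xor(key, nonce24, data):  # encrypts and decrypts (XOR with keystream)
    subkey = _hsalsa20(key, nonce24[:16])
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = _salsa20_block(subkey, nonce24[16:], i // 64)
        out += bytes(p ^ k for p, k in zip(data[i:i + 64], ks))
    return bytes(out)

# Hypothetical client API: the server only ever stores what client_upload returns.
def client_upload(key, plaintext):  # fresh 24-byte nonce + ciphertext, never the key
    nonce = os.urandom(24)
    return nonce + xsalsa20_xor(key, nonce, plaintext)

def client_download(key, blob):  # any device holding the key recovers the plaintext
    return xsalsa20_xor(key, blob[:24], blob[24:])
```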

Ultimately, said Battat, this kind of end-to-end encryption is uniquely qualified for securing a seamless cloud environment because of the problems of trusting data exposure on strange servers -- or any servers at all.

"The hybrid environment doesn't have to be any less secure if you're using end-to-end encryption because the whole premise is that anything on the server is not trustworthy," said Battat. "End-to-end encryption does a pretty good job because the encryption is handled at the client side -- so you're not really relying on server qualities to guarantee your safety."


— Joe Stanganelli, principal of Beacon Hill Law, is a Boston-based attorney, corporate-communications and data-privacy consultant, writer, and speaker. Follow him on Twitter at @JoeStanganelli.
