Busting the Myths of Encryption in the Enterprise
As data breaches continue to spiral out of control, organizations that continue to rely on status quo cyber solutions will suffer incalculable damage. Among the existing solutions that many businesses continue to neglect is one of the oldest, and, arguably most important lines of defense — encryption.
Relegating encryption to a security afterthought reflects some common misconceptions about its use and value, and leads to data breaches that could have been prevented. This article seeks to debunk the most common encryption misconceptions and reinforce the need to treat encryption as mission-critical. Encryption must be a core component of any successful cybersecurity plan and security posture.
Everyone agrees that encryption is the last line of protection for the sensitive information most coveted by cybercriminals. Even when malicious actors bypass every other security control, get inside your network, and access your sensitive data, properly encrypted data is rendered useless to them – of course the emphasis is on properly encrypted!
Given its importance, why is it that just 50% of enterprises have a consistent encryption strategy, 37% have a limited encryption strategy, and 42% don’t encrypt customer data? It’s clear that myths persist about performance, user frustration, and utility, all of which deter businesses from adopting encryption. Let’s take a closer look and bust some of these myths.
Myth #1: Managing encryption keys is challenging and requires expensive resources
The apparent administrative overheads and need to invest in costly computing resources for managing encryption keys deter many businesses from adopting encryption. Key management involves generating cryptographic keys, storing them securely, managing who they’re assigned to, replacing them, and destroying them. In one survey of over 5,000 IT and security professionals, 57% of respondents considered key management to be "painful."
Hardware security modules (HSMs) and their alternatives are significant investments that help with key management, but they are no longer mandatory. New technologies that shift to distributed key management have, for an abundance of use cases, made these expensive devices unnecessary.
One such use case is file encryption, where Atakama’s multifactor encryption is exponentially more secure than HSM solutions and makes them obsolete. By splitting encryption keys into shards across multiple user devices, the organization achieves distributed key management and secure storage without dedicated, expensive hardware to centrally manage keys. Moreover, Atakama removes the administrative burdens associated with key management.
Myth #1 Busted: Key management does not need to be expensive and challenging.
Myth #2: Encryption impacts user workflows
Anything with the potential to impact user workflows is understandably treated with hesitancy by business decision-makers. Security and IT leaders know how to make a compelling case for encryption, but getting executive buy-in for its widespread deployment is difficult because of pervasive myths about user friction.
One of the main concerns is the potential performance footprint of encryption on devices. When users experience system slowdowns as a result of encryption, they become frustrated. Having to remember and type in passwords to access encrypted files is another source of friction that could impact user workflows. Indeed, any change to existing user expectations, no matter how trivial, will likely result in pushback.
These user concerns are valid for outdated approaches to encryption. However, with Atakama’s multifactor encryption, the user experience is no different from the common two-factor and single sign-on solutions to which users have already become accustomed:
- By leveraging the combined processing power of computers and mobile devices, the performance impact of encryption becomes negligible.
- Using a passwordless approach means users can easily open encrypted files by tapping “Approve” on their mobile devices, which limits friction in a similar vein to two-factor authentication.
Myth #2 Busted: Encryption does not need to impact existing user workflows.
Myth #3: Encryption is hard to deploy
Another common misconception is that encryption is hard to deploy consistently. Many encryption solutions require operating system modifications, proprietary platforms, or dedicated hardware. These requirements make it challenging to integrate everything and implement a unified encryption strategy that works across on-premises and cloud systems.
Additional ongoing deployment challenges include controlling access to data and centralizing key management. Most encryption solutions require organizations to centrally manage encryption keys and constantly tweak access policies to properly control and protect sensitive data.
Atakama integrates with access controls like Active Directory and with data classification tools for streamlined deployment across all your infrastructure. Cross-compatibility with all major desktop and mobile platforms keeps your data secure without any integration headaches. No matter the mix of systems and devices, deployment is easy.
Myth #3 Busted: Encryption does not need to be hard to deploy if you use the right solution.
Myth #4: Encryption is only needed for those with regulatory requirements
A particularly perilous myth about encryption is that only those with stringent regulatory requirements need to encrypt their data. HIPAA mandates encryption for sensitive patient healthcare data while PCI DSS requires it for protecting cardholder data. These are just two regulations among several specifically requiring encryption.
Whether there is a legal obligation in place or not, businesses have both moral and competitive incentives to encrypt sensitive information. From a moral perspective, customers trust businesses with sensitive personal information in the belief that those businesses will take the necessary precautions to safeguard that information. Encryption is one of the best precautions you can take to protect customer data.
Viewed through a competitive lens, organizations typically store a wealth of sensitive non-personal data in their systems, including trade secrets, intellectual property, and business plans. It’s vital to encrypt all types of sensitive data and keep it secured from prying threat actors who’ll use it to compromise your competitive advantage.
Moreover, encryption is a requirement for any organizations hoping to obtain cyber insurance. With cyber insurance rates skyrocketing, insurance providers are mandating better internal controls, including encryption. Insurance underwriters have come to appreciate the risk of sensitive information walking out the door. That’s a tangible risk that has proliferated of late in the form of file exfiltration attacks where data is stolen with the threat of publication unless a ransom is paid. Any organization that can mitigate such an attack will not only be able to obtain cyber insurance coverage but will also be pleasantly surprised by the preferential rate they’ll be able to get.
One of Atakama’s security guarantees is that encrypted files will remain encrypted even when an adversary is able to compromise the file store and steal the files. The worst an attacker can do is steal the encrypted version of the file, which, because each file is encrypted with its own unique AES-256 key, is useless to the attacker.
Myth #4 Busted: Every organization with any sensitive and non-public data should be using encryption.
Myth #5: Encryption in the cloud is secure
The transformation to cloud computing continues apace, and security is no longer the barrier to adoption that it once was. There is a myth, though, that just because most cloud service providers offer tools to encrypt data stored in their systems, this automatically makes your data secure. Cloud-native encryption is less secure than you may think.
The first security flaw is having to relinquish control of sensitive files to a third-party cloud vendor, which in reality is just someone else’s computer, and depending on their tools to protect your files. You end up relying on the cloud provider to properly manage encryption keys and to ensure no threat actor compromises their environment—these possibilities put data security out of your hands.
Another issue is that anyone with access to the appropriate credentials can decrypt files. Poor password hygiene enables adversaries to reuse credentials stolen from other data breaches. If a cloud account uses the same credentials as those from a prior breach, outsiders can get in and access encrypted cloud data.
Businesses need a seamless encryption solution like Atakama that works everywhere and maintains control over data security, all without creating extra key management headaches. Because Atakama encrypts files before they sync to the cloud storage location, IT decision-makers can rest assured that their data is secure without needing to rely exclusively on the cloud provider’s security infrastructure.
Myth #5 Busted: Cloud-native encryption isn’t secure enough; you need a solution that leaves your business in control of encryption, wherever you store your data.
Myth #6: Encryption hasn’t advanced in years
Encryption is an old-school security technology that traces its roots back over 3,500 years. A misconception arising from encryption’s old-school perception is that it’s essentially a static, rudimentary technology. Solutions like BitLocker reinforce this myth by giving the impression that encryption is essentially solved and that no further advancements are necessary.
Conventional encryption solutions are typically tied to identity and access management frameworks. These frameworks give access to encrypted data through username-password credentials. Countless examples of credential compromise highlight how outdated these approaches are. Access to the right credentials gives access to your most prized data.
It’s not true, though, that encryption hasn’t advanced in years. Atakama decouples encryption from identity and access management through an innovative, user-friendly architecture. With keys broken into shards and distributed among multiple devices, there’s no need for authentication-based encryption. Atakama secures data in a new way without depending on usernames or passwords.
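The key-sharding idea behind Myths #1 and #6 (a per-file key split across user devices so that no single device, and no central HSM, ever holds the whole key) can be illustrated with Shamir secret sharing. This is an added example in Python, not Atakama’s code or protocol; the 2-of-3 threshold, the shard format and the "shard per device" mapping are assumptions for illustration.

```python
import secrets

# Prime field large enough to hold a 256-bit AES key; 2**521 - 1 is a Mersenne prime.
PRIME = 2**521 - 1

def split_key(key: bytes, threshold: int, shares: int) -> list[tuple[int, int]]:
    """Split a file key into `shares` shards so that any `threshold` of them
    recover it (Shamir secret sharing); fewer reveal nothing about the key."""
    secret = int.from_bytes(key, "big")
    if not 1 <= threshold <= shares or secret >= PRIME:
        raise ValueError("invalid threshold/share count or key too large")
    # Random polynomial f(x) = secret + a1*x + ... + a_{t-1}*x^(t-1) over GF(PRIME).
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]

    def f(x: int) -> int:
        acc = 0
        for c in reversed(coeffs):  # Horner evaluation
            acc = (acc * x + c) % PRIME
        return acc

    # Shard i goes to device i (e.g. laptop, phone, backup device); x=0 is never issued.
    return [(x, f(x)) for x in range(1, shares + 1)]

def recover_key(shards: list[tuple[int, int]], key_len: int = 32) -> bytes:
    """Lagrange-interpolate f(0) from the shards presented. With too few shards the
    result is a random field element, which (almost surely) will not fit key_len bytes."""
    secret = 0
    for i, (xi, yi) in enumerate(shards):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shards):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    if secret >= 1 << (8 * key_len):
        raise ValueError("insufficient or corrupted shards")
    return secret.to_bytes(key_len, "big")

if __name__ == "__main__":
    file_key = secrets.token_bytes(32)  # constructed per-file AES-256 key
    shards = split_key(file_key, threshold=2, shares=3)
    # Laptop shard + phone shard (the "Approve" tap) is enough; the laptop alone is not.
    assert recover_key([shards[0], shards[1]]) == file_key
```

A stolen file store plus a single device's shard still yields no key; an attacker needs `threshold` devices, which is the property the distributed model relies on.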
Myth #6 Busted: Game-changing advancements have made encryption far simpler to deploy, more secure, and less invasive for users.
Myth #7: Queries can’t be performed on encrypted data
Searching through and querying data is often hindered when the data is encrypted, because it cannot be “read” without first being decrypted. This is a major concern for organizations, as repeatedly encrypting, decrypting and re-encrypting leads to performance degradation and exposes the decrypted files to risk. Similarly, a crafty attacker can compromise a standalone search index to expose sensitive data.
Atakama eliminates these concerns. Its patented searchable symmetric encryption functionality does not require decrypting files to search them and does not rely on an exposed index.
Myth #7 Busted: Atakama’s encryption allows queries to be performed on data without first decrypting.
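To show how searching without decrypting is possible in principle, here is a textbook searchable symmetric encryption index in Python: each (keyword, document) pair becomes a keyed-hash label, and the server matches a search token against those labels without ever seeing keywords or file contents. This is an added illustration of the general technique, not Atakama’s patented scheme; the sample documents and the master key are constructed, and the ciphertexts themselves are stored separately and out of scope here.

```python
import hmac
import hashlib

def keyword_token(master_key: bytes, keyword: str) -> bytes:
    """Client-only: PRF of the keyword under the master key. This is the search token."""
    return hmac.new(master_key, keyword.lower().encode(), hashlib.sha256).digest()

def index_label(token: bytes, doc_id: str) -> bytes:
    """Opaque label binding a keyword token to a document id; useless without the token."""
    return hmac.new(token, doc_id.encode(), hashlib.sha256).digest()

def build_index(master_key: bytes, docs: dict[str, str]) -> set[bytes]:
    """Client side: the only thing uploaded is a set of 32-byte labels, no plaintext words."""
    labels = set()
    for doc_id, text in docs.items():
        for word in set(text.lower().split()):
            labels.add(index_label(keyword_token(master_key, word), doc_id))
    return labels

def server_search(index: set[bytes], doc_ids: list[str], token: bytes) -> list[str]:
    """Server side: holds only labels and document ids, never the master key or plaintext."""
    return sorted(d for d in doc_ids if index_label(token, d) in index)

# Constructed sample corpus; in practice the text would be encrypted before upload.
SAMPLE_DOCS = {
    "q1-report.docx": "quarterly revenue forecast",
    "hr-memo.pdf": "revenue sharing policy",
    "notes.txt": "lunch menu",
}

if __name__ == "__main__":
    k = b"constructed-32-byte-master-key!!"
    idx = build_index(k, SAMPLE_DOCS)
    print(server_search(idx, list(SAMPLE_DOCS), keyword_token(k, "revenue")))
```

What the server does learn is the access pattern (which documents matched a given token), which is the standard leakage of this construction and a known consideration when evaluating any searchable encryption product.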
Closing Thoughts
With these encryption myths busted, it’s time to prioritize encrypting all of your organization’s sensitive data. To boost your data security without impacting end-users or creating admin overheads, you need a modern, lightweight, secure encryption solution.
Contact Atakama to learn how multifactor encryption is the best way forward for your organization.