Ex-DHS Cybersecurity Exec: Encryption is Key
Endpoint encryption, while a strong starting point, is not always adequate to protect enterprises from today's sophisticated attacks, according to a former director of global cybersecurity management at the U.S. Department of Homeland Security. But a startup security developer's novel "microencryption" and "microtokenization" approach may deliver more robust protection.
Far too often, public and private sector organizations fail to take even the rudimentary step of encrypting, said Richard Marshall in an interview with EnterpriseTech. Despite increased pressure from federal authorities to expand encryption, and despite built-in encryption from a bevy of vendors including Apple and Facebook, organizations such as the Office of Personnel Management admit to skipping it. The recent spate of high-profile breaches – OPM, Anthem, CVS Photo, and Harvard University – along with questionable disruptions at United Airlines, the New York Stock Exchange, and the Wall Street Journal should mandate that all organizations use encryption, he said.
"There was no thought [at OPM] to encrypt that data because it was deemed too difficult and too complex to do. Well that's inaccurate," said Marshall. "Banking systems are able to encrypt their data. Many of them use Advanced Encryption Standard – AES – which is, of course, very good and that's good enough to protect classified information, by the way. I think the airline industry is going to pay more attention, United for example. The Wall Street Journal might pay a little more attention. The New York Stock Exchange story is, 'we were putting in security patches and things got out of hand.' That's an interesting story for the public and it may very well be true. But why was it done during the day? I don't know any CSO who would do an upgrade during heavy trading."
Timing aside, military-grade encryption features even more complex algorithms that are typically unavailable to general businesses, in part because of their high value to the government and in part due to the high performance computing required to operate these security protocols, he said. Yet as more organizations adopt HPC, iterations of military-grade encryption could become an option if developers address other key criteria.
"I would say the best cryptography in the world is developed by the National Security Agency. There are other government entities that develop excellent cryptography," Marshall noted. "When you're using that kind of encryption system it takes a tremendous amount of computing power to process that type of information and it's protected start to finish."
Speed is critical: Users resist any security solution that delays processes, even minutely. In some sectors, such as finance, milliseconds may translate into millions of dollars lost or made, so encryption has to act in real time, he noted.
Looking to improve security while maintaining speed and accessibility, five-year-old CertainSafe – founded by former contract programmers from the Federal Reserve – set out to bring the tokenization used for credit cards to all other types of data, said Steve Russo, executive vice president, in an interview. Originally developed to meet the needs of one Fortune 25 company, CertainSafe's products and market have evolved since.
"The premise was this: Tokenization has been a very powerful tool as a security method. The token is a replacement for the data. Standard encryption, when you encrypt a database, files etc., you're in essence putting all your jewels in the same place. You're encrypting it all at once," he said. "If a hack occurs, they hit everything inside. That's what you're hearing when they get all these millions of pieces of data at the same time."
Instead, CertainSafe tokenizes data and individually microencrypts each piece, said Russo, using a new architecture designed to preserve speed and accessibility. And since not all data is sensitive, organizations choose which fields require microencryption.
"Let's take a database of 100,000 records and let's say there are 30 fields in the database. Let's say it's a bank. Let's say there are six fields and if these six fields were exposed, the data would have meaning – [hackers] would be able to tie a person's name to a person's address to a person's bank account," he said. "By taking six fields out of each person's record and putting a token in its place, if an attack should occur, all they'd get would be a lot of meaningless data and six tokens."
That tokenized data could be anything – an X-ray, a Social Security number, a movie, or any other sensitive, copyrighted, or privileged information, said Russo – and each piece is encrypted with AES-256. The microencrypted pieces are then split and spread across small arrays of hard drives in stacks; anyone who stole the drives would hold meaningless, disconnected fragments of illegible data, he added.
"Let's say someone stole all the hard drives and broke the encryption: it would look as though you took a White Pages and cut up every individual person – all individually, put it in a box, shook it, and said, 'here, you put it back together,'" said Russo. "When you have the current technology of today, like you're seeing with the government breaches, let's take those 100,000 records and [remove] six fields. In order for a mass data breach, 600,000 individual breaches – with all different sets of keys, master keys, rotating keys, customer keys – would have to occur simultaneously and they're all different. What's the probability of that happening? You hesitate to say impossible but it sure is pretty improbable. The documentation in our system is never stored in its entirety. It's stored in 12, 15 different pieces in different places."
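The per-field scheme Russo describes above (a token left in the record, each sensitive value encrypted under its own AES-256 key, and keys held apart from ciphertext) is sketched below as an added example in Go. It is not CertainSafe's code and makes no claim about how its product is built: the Vault type, the tok_ prefix, the binding of the key ID as GCM associated data, and the sample bank row are all assumptions of this illustration, and the splitting of ciphertext across many drives is not modeled.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"strings"
)

// Record is one database row: field name -> value.
type Record map[string]string

// entry is one microencrypted field value: the ID of its key (never the key
// itself) plus AES-256-GCM ciphertext with the nonce prepended.
type entry struct {
	keyID string
	blob  []byte
}

// Vault stands in for two systems kept apart in a real deployment, a key store
// (HSM/KMS) and a ciphertext store addressed by token; both are plain maps here.
type Vault struct {
	keys    map[string][]byte // keyID -> 32-byte AES-256 key
	entries map[string]entry  // token -> ciphertext
}

const tokenPrefix = "tok_" // assumed token format; real systems often use format-preserving tokens

func NewVault() *Vault { return &Vault{map[string][]byte{}, map[string]entry{}} }

// IsToken reports whether a stored field value is a token rather than plaintext.
func IsToken(s string) bool { return strings.HasPrefix(s, tokenPrefix) }

func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no safe fallback when the OS CSPRNG fails
	}
	return b
}

func newGCM(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // cannot fail for a 32-byte key
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// Tokenize encrypts one value under a fresh AES-256 key, files key and ciphertext
// separately, and returns the random token that replaces the value in the row.
func (v *Vault) Tokenize(plaintext string) string {
	key := mustRandom(32)
	keyID := hex.EncodeToString(mustRandom(8))
	token := tokenPrefix + hex.EncodeToString(mustRandom(16))
	gcm := newGCM(key)
	nonce := mustRandom(gcm.NonceSize())
	// The key ID is bound as associated data, so the ciphertext is tied to
	// this key record and fails the GCM tag check if filed under another ID.
	v.keys[keyID] = key
	v.entries[token] = entry{keyID, gcm.Seal(nonce, nonce, []byte(plaintext), []byte(keyID))}
	return token
}

// Detokenize resolves a token to its ciphertext and key, then decrypts.
func (v *Vault) Detokenize(token string) (string, error) {
	e, ok := v.entries[token]
	if !ok {
		return "", fmt.Errorf("unknown token %q", token)
	}
	key, ok := v.keys[e.keyID]
	if !ok {
		return "", fmt.Errorf("no key %s for token %q", e.keyID, token)
	}
	gcm := newGCM(key)
	pt, err := gcm.Open(nil, e.blob[:gcm.NonceSize()], e.blob[gcm.NonceSize():], []byte(e.keyID))
	if err != nil {
		return "", err // wrong key, tampered blob, or mismatched key ID
	}
	return string(pt), nil
}

// TokenizeFields copies rec, replacing each listed sensitive field with its own
// token; every other field stays in the clear.
func TokenizeFields(v *Vault, rec Record, sensitive []string) Record {
	out := Record{}
	for k, val := range rec {
		out[k] = val
	}
	for _, f := range sensitive {
		if val, ok := rec[f]; ok {
			out[f] = v.Tokenize(val)
		}
	}
	return out
}

func main() {
	v := NewVault()
	// Constructed sample row; the fields that tie a person to an account are tokenized.
	rec := Record{"name": "Ada Lovelace", "address": "1 Example St", "city": "London",
		"account": "GB00EXAMPLE1234", "dob": "1815-12-10", "ssn": "000-00-0001", "balance": "42.00"}
	stored := TokenizeFields(v, rec, []string{"name", "address", "account", "dob", "ssn"})
	fmt.Println("stored row:", stored, "| keys in use:", len(v.keys)) // one key per field
	fmt.Println(v.Detokenize(stored["ssn"]))
}
```

Run as written, the stored row shows only tokens for the five sensitive fields while city and balance stay readable, and the vault holds five distinct keys. Two caveats a practitioner should keep in mind: random tokens are not searchable, so any lookup by the original value has to go through the vault; and the protection rests on the key store and the ciphertext store being genuinely separate, since an attacker who takes both together recovers every field regardless of how many keys were used.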
CertainSafe developed multiple products, including Digital Vault, a SaaS-based file storage and collaboration tool; Enterprise Services, wrapped around the developer's offerings; Payment Services, which micro-tokenize each transaction; and Smart for Office, which provides business users with 2 gigabytes of CertainSafe Digital Vault micro-tokenized and microencrypted storage for Microsoft Outlook email attachments. CertainSafe expects to release interfaces for Microsoft Word and Excel "soon," it said.
Industry is becoming more aware about the ramifications of inadequate security, Marshall said. Top executives, in particular, recognize their careers are at risk if a breach causes economic damage, as it did in the cases of Target and Sony, for example.
"I think the commercial world is starting to realize more and more they need to invest to protect," said Marshall. "Frequently when I'm talking at the C-level I give them a bunch of horror stories but you can only do so much of that. I tell them I'm not going to do any more FUD. We all fear death so we buy life insurance, but we still die. The uncertainty: 'I really doubt somebody's that interested in stealing my stuff.' We've got to get over that."