BLOG

Stop Navel Gazing at Encryption

Lori MacVittie サムネール
Lori MacVittie
Published April 29, 2019

We are so enthralled by our own brilliance in cryptography that we forget that most data at rest - tucked away inside databases - is unencrypted.

Case in point, a Skyhigh analysis of encryption controls found that 81.8% of cloud service providers encrypt data in transit using SSL or TLS but only 9.4% of providers encrypt data once it’s stored at rest in the cloud. That makes the growing number of organizations found to be offering unfettered access to cloud databases and AWS S3 storage buckets a nightmare waiting to happen.

Today's cyberdefenses rely heavily on the fact that it would take even the most powerful classical supercomputers almost unimaginable amounts of time to unravel the cryptographic algorithms that protect our data, computer networks, and other digital systems.
From <https://it.slashdot.org/story/18/12/05/2342226/quantum-computers-pose-a-security-threat-that-were-still-totally-unprepared-for>

This statement is inarguably true. The problem is that cryptography doesn't completely protect our data, computer networks, and other digital systems. It protects data in flight and, if we're lucky, at rest. It augments access control for critical systems. But the reality is that in order for the "networks" and the "systems" to process data and execute logic, it must be able to view data in plain, naked text. Organizations face a bigger risk from unprotected and unpatched applications than they do from digital peeping Toms.

This is ultimately why breaches continue to occur at increasing rates. Not because the data isn't encrypted in flight or at rest, but because applications and APIs can't process the data in its encrypted form. It must be unencrypted, at which point it is vulnerable to exposure. And vulnerabilities attract attackers.

The applications and APIs which interact and operate on that unencrypted data are a more significant threat to the security and privacy of data than that of cracking quantum-based cryptography. That's one of the reasons they are so frequently targeted. In F5 Labs analysis across a decade of breaches "applications were the initial targets in 53% of breaches." Not only are they the easiest route to data, they're one of the only places left in the increasingly encrypted data path where data is unencrypted and readily usable by those seeking it.

We are nearly numb to breaches today because they happen with such alarming frequency that it is normal to see news of millions of records ripped from some database through an application today. This is in spite of efforts to force us to use encryption - to use HTTPS instead of HTTP. This is in spite of browsers enforcing cryptographic standards on the algorithms and key lengths used to encrypt data from "prying" eyes.

If today's "cyberdefenses" truly do rely heavily on the strength of cryptography, then we are truly in trouble. Because it is not the strength of cryptography alone that prevents the breaches and exfiltration of data that plague our newsfeeds and clog our inboxes. It is the strength - and increasingly, the intelligence - with which we can recognize and prevent an attack that leads to the loss of data.

Encrypted malicious code is still malicious. Encrypted stolen credentials stuffed into application authentication systems are still stolen credentials. Eliminating middleboxes doesn't eliminate the threat of a vulnerable web or application server executing an exploit to gain access to valuable, naked data.

It isn't enough to gaze lovingly at our ability to strengthen encryption if it carries the attacks that threaten exploitation of applications and APIs straight into the heart of our digital economy.  Protecting our digital assets (applications) and the channels through which they are accessed (APIs) requires a more holistic approach to application protection that combines intelligence, identity, and detection of attacks in addition to strong cryptography.