When it comes to data security and the growing threat environment, many businesses view encryption as the ultimate protection. But a new global survey of 500 CIOs found encryption’s effectiveness as a security tool may be quickly eroding.
The survey, commissioned by cybersecurity firm Venafi and conducted by Vanson Bourne, found that though businesses believe encryption is a valuable tool in data protection, they aren’t doing a good enough job of protecting keys and certificates, which can create a “fatal flaw” in their security foundation.
“Keys and certificates—the foundation of cybersecurity that determines if software, devices, clouds and applications are good or bad, friend or foe—are being left unmanaged and unprotected,” according to the report. “The bad guys are taking advantage of this … and using keys and certificates to hide their actions and circumvent security controls.”
A compromised, stolen or forged key and certificate can enable attackers to impersonate, surveil and monitor websites, infrastructure, clouds and mobile devices. They can also decrypt communications thought to be private, said Kevin Bocek, vice president of Threat Intelligence and Security Strategy at Venafi.
According to the survey, CIOs are aware of this, and it’s a growing area of anxiety for them. Of those surveyed, 85% said they are concerned that attackers are increasingly hiding in encrypted traffic. Thirty-three percent said they have already experienced attacks where “bad guys” used encrypted traffic to try to disguise their attacks, and 86% agree that stolen keys and certificates will be the next big market for hackers.
A recent Gartner report backs up these concerns. The report predicts that by 2017, more than half of the network attacks targeting enterprises will use encrypted traffic to bypass controls.
“Increasingly, the systems we’ve put in place to verify and establish online trust are being turned against us,” said Bocek. “Worse still, the vendors that tell us they can protect us, can’t. Endpoint protection, firewalls, IDS, DLP and the like are worse than useless because they are lulling people into a false sense of security.”
DevOps and Fast IT
An accelerated IT development environment may be exacerbating encryption challenges. The Venafi report found that IT initiatives like Fast IT, DevOps and Encryption Everywhere strategies, which are responsible for exponential growth in the amount of software and an increase in encrypted traffic, are also causing a dramatic rise in the number of keys and certificates created and used.
When balancing security and functionality, developers will always lean more toward usability and “creating a seamless user experience” while operating on deadline, according to Alex Heid, cybersecurity expert and Chief Research Officer at SecurityScorecard, a security rating and benchmarking platform provider.
In overly complex environments “security will always suffer and it will become virtually impossible to keep track of what can and can’t be trusted,” Bocek said. “The world of fast IT and DevOps is very developer-centric, and developers don’t normally think first and foremost about security.”
According to a recent Ponemon report, today’s average enterprise holds 24,000 keys and certificates. Even worse, 54% of security professionals surveyed in that report said they do not know where all of their keys and certificates are located, who owns them or how they are used.
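The inventory gap in the Ponemon numbers above is concrete enough to script. The following is an added example, not code from Venafi, Ponemon or the article: a Go program that parses every PEM block in a bundle (certificates and private keys mixed together, as they usually are in config directories and CI secrets), records each certificate’s subject, issuer, expiry, key algorithm and key size, flags self-signed and expired certificates, and notes whether a matching private key was present in the same data. The sample bundle is constructed inside the program at run time (two self-signed ECDSA certificates, one expired with its key present, one current with its key absent); `InventoryPEM`, `MakeSamplePEM` and the `CertRecord` fields are names chosen here for illustration, not anything the article or a vendor defines.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CertRecord is one inventory row for a certificate found in a PEM bundle.
// (Hypothetical structure defined for this example.)
type CertRecord struct {
	Subject, Issuer string
	NotAfter        time.Time
	SelfSigned      bool // issuer == subject and the signature verifies under the cert's own key
	Expired         bool
	KeyAlgo         string
	KeyBits         int
	HasKey          bool // a private key matching this cert was found in the same data
}

// parsePrivateKey tries the three PEM private-key encodings commonly found on disk.
func parsePrivateKey(block *pem.Block) (crypto.Signer, bool) {
	if k, err := x509.ParsePKCS8PrivateKey(block.Bytes); err == nil {
		if s, ok := k.(crypto.Signer); ok {
			return s, true
		}
	}
	if k, err := x509.ParseECPrivateKey(block.Bytes); err == nil {
		return k, true
	}
	if k, err := x509.ParsePKCS1PrivateKey(block.Bytes); err == nil {
		return k, true
	}
	return nil, false
}

// keyInfo reports algorithm and size for the public-key types Go's x509 package returns.
func keyInfo(pub crypto.PublicKey) (string, int) {
	switch k := pub.(type) {
	case *rsa.PublicKey:
		return "RSA", k.N.BitLen()
	case *ecdsa.PublicKey:
		return "ECDSA", k.Curve.Params().BitSize
	default:
		return fmt.Sprintf("%T", pub), 0
	}
}

// InventoryPEM walks every PEM block in data and returns one record per certificate,
// evaluating expiry against the supplied clock and matching keys by public key.
func InventoryPEM(data []byte, now time.Time) ([]CertRecord, error) {
	var certs []*x509.Certificate
	var keys []crypto.Signer
	for {
		var block *pem.Block
		if block, data = pem.Decode(data); block == nil {
			break
		}
		switch block.Type {
		case "CERTIFICATE":
			c, err := x509.ParseCertificate(block.Bytes)
			if err != nil {
				return nil, fmt.Errorf("bad certificate block: %w", err)
			}
			certs = append(certs, c)
		case "PRIVATE KEY", "EC PRIVATE KEY", "RSA PRIVATE KEY":
			if k, ok := parsePrivateKey(block); ok {
				keys = append(keys, k)
			}
		}
	}
	var out []CertRecord
	for _, c := range certs {
		rec := CertRecord{Subject: c.Subject.String(), Issuer: c.Issuer.String(), NotAfter: c.NotAfter}
		rec.Expired = now.After(c.NotAfter)
		rec.SelfSigned = bytes.Equal(c.RawSubject, c.RawIssuer) &&
			c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil
		rec.KeyAlgo, rec.KeyBits = keyInfo(c.PublicKey)
		if pub, ok := c.PublicKey.(interface{ Equal(crypto.PublicKey) bool }); ok {
			for _, k := range keys {
				if pub.Equal(k.Public()) {
					rec.HasKey = true
					break
				}
			}
		}
		out = append(out, rec)
	}
	return out, nil
}

// MakeSamplePEM builds a constructed test bundle: an expired self-signed cert with its
// key, then a current cert whose key is absent (as when a cert was copied into a config
// repo but the key lives elsewhere). Sample data for this example only.
func MakeSamplePEM(now time.Time) ([]byte, error) {
	var buf bytes.Buffer
	mk := func(cn string, notBefore, notAfter time.Time, serial int64, withKey bool) error {
		key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return err
		}
		tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: notBefore, NotAfter: notAfter, KeyUsage: x509.KeyUsageDigitalSignature}
		der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
		if err != nil {
			return err
		}
		if err := pem.Encode(&buf, &pem.Block{Type: "CERTIFICATE", Bytes: der}); err != nil {
			return err
		}
		if !withKey {
			return nil
		}
		kb, err := x509.MarshalPKCS8PrivateKey(key)
		if err != nil {
			return err
		}
		return pem.Encode(&buf, &pem.Block{Type: "PRIVATE KEY", Bytes: kb})
	}
	if err := mk("legacy-internal-service", now.AddDate(-1, 0, 0), now.Add(-24*time.Hour), 1, true); err != nil {
		return nil, err
	}
	if err := mk("api.internal", now.Add(-time.Hour), now.AddDate(0, 1, 0), 2, false); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

func main() {
	now := time.Now()
	data, err := MakeSamplePEM(now)
	if err != nil {
		panic(err)
	}
	recs, err := InventoryPEM(data, now)
	if err != nil {
		panic(err)
	}
	for _, r := range recs {
		fmt.Printf("%-26s issuer=%-26s %s/%d expires=%s self-signed=%v expired=%v key-present=%v\n",
			r.Subject, r.Issuer, r.KeyAlgo, r.KeyBits, r.NotAfter.Format(time.RFC3339), r.SelfSigned, r.Expired, r.HasKey)
	}
}
```

Run against a real tree by reading each file under `/etc/ssl`, an application config directory or a secrets export and passing its bytes to `InventoryPEM`; the records with `HasKey` false are certificates whose private key lives somewhere unaccounted for, and the self-signed rows are the ones no public CA can revoke for you.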
Many treat encryption as a bandage that protects an environment automatically. It is not: like any other security tool, it has to be tuned and configured for the environment it runs in, which is why some members of the security community are working to make encryption technology more user friendly.
The bright side
Given today’s environment, how can enterprises improve their security posture and mitigate risk?
The good news is, despite its challenges, encryption is still our friend, said Bocek.
Security and encryption have “so many moving parts that it really takes a mathematician with a specialty in cryptography to understand every aspect of it,” said Heid. But, “encryption, when used properly, is actually quite powerful.”
Properly configuring security solutions will go a long way in helping secure an environment. Companies should focus on providing strong security rather than simply creating a compliant environment, Heid said.
“We just have to know where all the keys and certificates live and make sure that we get them to our new security systems,” Bocek said. “We have to make sure that this really critical, fundamental layer of cybersecurity is protected.”
Bocek suggests CIOs also think long and hard about how they work with their security teams and how they can remove blind spots and get full visibility into their cybersecurity efforts and potential weak spots.
“Your security teams have to be aligned with DevOps, which is challenging, because DevOps is about thinking fast and moving fast,” Bocek said. “But if security is not involved the vulnerabilities we face are only going to get worse.”