Common mistakes with endpoint encryption

Endpoint encryption is one of the cornerstones of securing data, but it can introduce new challenges that result in costly mistakes.

Encryption is the process of transforming information so that it is unreadable without the proper key. Administrators tasked with implementing data security measures trust encryption as a simple way to protect data and comply with data protection regulations.

Encryption at the hardware level is the go-to solution that promises to protect customer data and intellectual property. However, it is anything but simple. Administrators who blindly believe that it provides unbreakable security are at risk of common mistakes that compromise the benefits of the technology.

Not understanding the limitations of your approach

Data protection regulations such as the GDPR and HIPAA call for the protection of personal data. To determine which data encryption solution best meets this requirement, consider your most critical risks alongside your use cases. Most companies want to protect data at rest on devices that are susceptible to theft. Encrypting the disk ensures that the data is inaccessible even if the drive is removed and placed in another machine. While this is the simplest method of deploying encryption, many forget that its protection is limited. Once the machine is powered on and the disk has been unlocked, it provides no protection against unauthorized users: the operating system presents the data in plaintext to whoever controls the running system. An attacker who gets in through a web vulnerability can read any of that data.

Full-disk encryption addresses the theft scenario, but its protection is limited to the loss or theft of a device. For optimal security, you will want a layered approach: full-disk encryption used in conjunction with file-level encryption for additional protection. With file-level encryption the protection is embedded in the file and stays with the data. Even if the data is exported to a USB flash drive, it remains unreadable until a user with the right permissions opens the document. It’s an effective way to protect sensitive data on servers, desktops, laptops, and even mobile devices.
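The following program is an added example, not code from this post or from Specops, showing what "the protection stays with the data" means in practice: each file is sealed with AES-256-GCM under a key held away from the file, and the file name is bound as additional authenticated data. The copied blob is the same bytes wherever it travels, and opening it fails cleanly without the right key, under the wrong name, or after any modification. The key management (where NewKey's output lives) and the function names are assumptions made for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh 32-byte AES-256 key. In a deployment this key would be
// held by a key management service, never stored beside the file (assumption).
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealFile produces nonce || ciphertext || tag. The file name is bound as
// additional authenticated data, so a sealed blob presented under another name
// fails authentication instead of decrypting as the wrong document.
func SealFile(key []byte, name string, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends the ciphertext and tag to the nonce, giving a self-describing blob.
	return aead.Seal(nonce, nonce, plaintext, []byte(name)), nil
}

// OpenFile reverses SealFile. Any error (wrong key, wrong name, modified bytes)
// is an authentication failure: no partial plaintext is ever returned.
func OpenFile(key []byte, name string, sealed []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns+aead.Overhead() {
		return nil, errors.New("sealed blob too short")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], []byte(name))
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	doc := []byte("Q3 acquisition plan - CONFIDENTIAL") // constructed sample content
	sealed, err := SealFile(key, "plan.docx", doc)
	if err != nil {
		panic(err)
	}
	// "Copy to a USB stick": the bytes leave the laptop unchanged, and so does the protection.
	usbCopy := append([]byte(nil), sealed...)

	if _, err := OpenFile(nil, "plan.docx", usbCopy); err != nil {
		fmt.Println("without the key:", err)
	}
	if _, err := OpenFile(key, "notes.docx", usbCopy); err != nil {
		fmt.Println("wrong file name:", err)
	}
	plain, err := OpenFile(key, "plan.docx", usbCopy)
	fmt.Printf("with the key: %q (err=%v)\n", plain, err)
}
```

The design point is the authenticated mode: GCM's tag turns "wrong key" and "tampered file" into a hard error rather than garbage plaintext, which is what you want when a file copied to removable media comes back and is opened again.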

Encrypting only data at rest

Encrypting data at rest is only a small part of a complete security plan. It provides little protection for data in transit – data moving from one component, location, or program to another. To protect data across endpoints, you will need to use encryption alongside robust network security controls. Use encrypted connections (HTTPS, TLS, FTPS, etc.; SSL is the deprecated predecessor of TLS and should no longer be offered) to protect the content of data in transit.
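An encrypted connection only protects data in transit if the client actually verifies who it is talking to. The program below is an added example, not code from this post, that starts an in-process HTTPS endpoint (Go's httptest package provisions a self-signed certificate) and fetches a constructed record with three client configurations: the default client, which rejects the unknown certificate; a client with `InsecureSkipVerify` set, the weak setting that accepts any certificate and therefore any interceptor; and a client that trusts the endpoint's own CA, which is the corrected configuration. The endpoint, the sample record and the function names are assumptions made for the demo.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// NewTLSEndpoint starts an in-process HTTPS server on the loopback interface
// serving a constructed record. httptest provisions a self-signed certificate.
func NewTLSEndpoint() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		io.WriteString(w, "ssn=000-00-0000") // constructed sample data
	}))
}

// Fetch performs a GET with the supplied client and returns the body, or the
// handshake/transport error.
func Fetch(c *http.Client, url string) (string, error) {
	resp, err := c.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// Outcome records what each client configuration observed.
type Outcome struct {
	DefaultErr   error  // default client: certificate from an unknown CA is rejected (the safe failure)
	InsecureBody string // InsecureSkipVerify: connects to anyone presenting any certificate
	TrustedBody  string // client that trusts the server's CA: verified, encrypted connection
}

// Compare fetches the record with the three client configurations.
func Compare(srv *httptest.Server) Outcome {
	var out Outcome
	_, out.DefaultErr = Fetch(http.DefaultClient, srv.URL)
	insecure := &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, // the weak setting
	}}
	out.InsecureBody, _ = Fetch(insecure, srv.URL)
	out.TrustedBody, _ = Fetch(srv.Client(), srv.URL) // trusts exactly this server's certificate
	return out
}

func main() {
	srv := NewTLSEndpoint()
	defer srv.Close()
	out := Compare(srv)
	fmt.Println("default client:     ", out.DefaultErr)
	fmt.Println("InsecureSkipVerify: ", out.InsecureBody, "(peer never authenticated)")
	fmt.Println("trusted CA:         ", out.TrustedBody)
}
```

The second and third clients both receive the record, so from the application's point of view they look the same; the difference is that only the third one has any assurance of where the bytes came from, which is why `InsecureSkipVerify: true` in production code is the setting to hunt for in review.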

Key recovery introduces security risks

Endpoint encryption implementations commonly include a pre-boot authentication environment protected with a password. An authorized user can trigger a device lockout if they forget their password, or when working remotely. Many vendors offer a key recovery method to alleviate this pain point. These can have a self-service component or depend entirely on the helpdesk, and they usually rely on security questions. This introduces a security gap, as most answers can be easily guessed or uncovered via social engineering. Specops Key Recovery secures the key recovery experience by verifying users with multi-factor authentication, without burdening the helpdesk.
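To make the contrast with security questions concrete, here is an added example (not Specops Key Recovery's implementation, and not code from this post) of a self-service recovery gate that releases an escrowed recovery key only after a time-based one-time code (RFC 6238 TOTP over HMAC-SHA1) checks out. It also covers the controls a recovery endpoint needs that a question-and-answer form rarely has: a constant-time comparison, a small clock-skew window, rejection of a replayed code, a failed-attempt budget, and an identical error for unknown users and bad codes. The `RecoveryService` type, the escrow layout and the placeholder recovery key are assumptions made for the demo; the secret is the RFC 6238 test secret.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

const (
	totpStepSeconds = 30
	totpDigits      = 6
	maxAttempts     = 5
)

// enrollment is what the recovery service holds per user (hypothetical layout).
type enrollment struct {
	totpSecret  []byte
	recoveryKey string // the escrowed recovery key; a placeholder string here
	failures    int    // consecutive failed attempts since the last success
	lastCounter uint64 // last accepted TOTP step, so a captured code cannot be replayed
}

type RecoveryService struct{ users map[string]*enrollment }

func NewRecoveryService() *RecoveryService {
	return &RecoveryService{users: map[string]*enrollment{}}
}

func (s *RecoveryService) Enroll(user string, secret []byte, recoveryKey string) {
	s.users[user] = &enrollment{totpSecret: secret, recoveryKey: recoveryKey}
}

// HOTP implements RFC 4226 with HMAC-SHA1 and dynamic truncation.
func HOTP(secret []byte, counter uint64, digits int) string {
	msg := make([]byte, 8)
	binary.BigEndian.PutUint64(msg, counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg)
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	code := uint32(sum[off]&0x7f)<<24 | uint32(sum[off+1])<<16 | uint32(sum[off+2])<<8 | uint32(sum[off+3])
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// TOTP (RFC 6238) is HOTP over the current 30-second step.
func TOTP(secret []byte, at time.Time, digits int) string {
	return HOTP(secret, uint64(at.Unix())/totpStepSeconds, digits)
}

// Recover releases the escrowed key only when the code matches the current step or
// an adjacent one (clock skew), has not already been used, and the account is not locked.
func (s *RecoveryService) Recover(user, code string, now time.Time) (string, error) {
	e, ok := s.users[user]
	if !ok {
		return "", errors.New("recovery denied") // same message as a bad code: no user enumeration
	}
	if e.failures >= maxAttempts {
		return "", errors.New("account locked; contact the helpdesk")
	}
	step := uint64(now.Unix()) / totpStepSeconds
	candidates := []uint64{step, step + 1}
	if step > 0 {
		candidates = append(candidates, step-1)
	}
	for _, c := range candidates {
		if c <= e.lastCounter {
			continue // already consumed: reject replay of a captured code
		}
		if subtle.ConstantTimeCompare([]byte(HOTP(e.totpSecret, c, totpDigits)), []byte(code)) == 1 {
			e.lastCounter = c
			e.failures = 0
			return e.recoveryKey, nil
		}
	}
	e.failures++
	return "", errors.New("recovery denied")
}

func main() {
	svc := NewRecoveryService()
	secret := []byte("12345678901234567890") // RFC 6238 test secret, used here as constructed demo data
	svc.Enroll("alice", secret, "RECOVERY-KEY-PLACEHOLDER")
	now := time.Now()
	code := TOTP(secret, now, totpDigits) // what the user's authenticator app would display
	key, err := svc.Recover("alice", code, now)
	fmt.Printf("first use: key=%q err=%v\n", key, err)
	key, err = svc.Recover("alice", code, now)
	fmt.Printf("replay:    key=%q err=%v\n", key, err)
}
```

A security-question flow has no equivalent of `lastCounter` or of the rotating secret: the "mother's maiden name" answer is a static, low-entropy secret that, once learned, works forever, which is the gap the post describes.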

Poor user experience

Experiencing an encryption lockout due to a forgotten password is frustrating for end users. First the user must perform an encryption key recovery, after which they can reset their password. Whether the user can then get back to work depends on cached credentials: many password reset systems will not update the user’s cached credentials on the device if it is outside the corporate network. Since working remotely is a common use case in most organizations, endpoint encryption can mean user frustration and a loss of productivity.

Thinking you are secure

“We are using encryption and are compliant, so our data is secure.” Don’t let encryption give you a false sense of security. Every organization needs to assume attackers can get in – hope for the best, but prepare for the worst. Data encryption can make the aftermath of a breach more palatable, but it’s not a cure-all. Attackers can and will continue to take advantage of other vulnerabilities – specifically users and their credentials. Whether they’re phishing passwords or buying them online, any compromised account can be leveraged to steal data.

Next steps

Data is the most valuable asset for most organizations, and data privacy laws and regulations dictate how organizations must protect it. Encryption plays an important role in safeguarding that data, but not without introducing its share of challenges. Which form of encryption is right for your organization comes down to the regulations you must adhere to and the use cases relevant to your business. Encrypting data in all its forms (at rest and in transit) is crucial. Implementing encryption shouldn’t introduce new risk, so closing these security gaps is key to a fully functioning encryption strategy. While data encryption is a security measure and is not designed to improve usability for end users, causing major user disruption will become a headache for the IT staff. As a final word of advice, encryption is one piece of the puzzle, but there are other attack vectors at play – user credentials continue to be the easiest way to breach an organization.

(Last updated on June 17, 2020)
