“We need encryption! Make it end-to-end! Implement it everywhere!”
Sound familiar? These are the mandates that many CISOs are receiving right now. They’re coming from executive management teams that are alarmed by the rising tide of ransomware attacks, scrambling to address privacy pressures from customers and regulators, and wildly casting around for an easy, failsafe solution.
As is almost always the case in cyber security, CISOs know that no solution is completely infallible. Encryption can certainly be an asset, though. Used wisely, it can be a company’s best defence against unauthorised entry to corporate networks and theft of company and customer data.
And encryption has never been easier or more cost-effective to deploy. Many of the technology products in which our companies invest now come with default encryption settings included. Internal software engineers often incorporate encryption capabilities, too, when they’re developing new apps and services according to secure by design principles.
In short, encryption is a standard safety feature of many new software products, like airbags in a new car.
But is it easy? Is it foolproof? Absolutely not. CISOs are uncomfortably aware that, applied excessively and with too little forethought, encryption can make the job of IT security a lot harder and actually introduce new risks.
When applied haphazardly, encryption can reduce the visibility security operations teams require when they’re monitoring systems and data. This creates blind spots and shadowy corners that cyber criminals use to hide their malicious activities. And these attackers are by no means slouches when it comes to using encryption themselves. It’s a great way for them to disguise malware, for example.
So what’s the answer? How can CISOs strategically help executive management teams navigate the issues around encryption and steer their companies to a balanced approach that enables them to get the best from this technology while circumventing risk?
Flex your risk management muscles
Deciding when and where to encrypt (and decrypt) is a true test of a company’s risk management processes and practices. From an IT security perspective, this means upping your game when it comes to threat modelling. A deep understanding of the overall IT and business environment is required in order to pinpoint the most critical targets for attackers or malicious insiders. Coupled with this is a need to understand the potential business impact of encryption, because if you’re encrypting end-to-end, there’s always a danger that you impact data transformations or downstream business processes. Some data types may be obvious candidates for encryption, some may not. Some may even end up with double encryption, where you encrypt both the network traffic and the individual data elements. But all this needs to be considered in light of the specific business process at hand, and the potential risks versus the need for system performance. There is often a delicate balance to be struck in identifying what will work best for the business.
Manage edge security
With encryption comes a need to pay greater attention to securing edge devices and services, principally corporate laptops and mobile devices. At most companies, this is likely to be part of a wider ongoing effort, triggered by the shift to remote work during the Covid-19 pandemic, where encryption has had an important role to play in securing a company’s most far-flung edges.
Many companies are adopting managed corporate browser technologies for employee computing devices, enabling IT security teams to configure and manage browser policies, settings, apps and extensions from a centralised location, across multiple operating systems and devices.
Some are adopting SASE (secure access service edge) technologies, a cloud architecture model that bundles together network and cloud-native security technologies, and typically includes inline traffic encryption and decryption capabilities to inspect traffic to and from a company’s edge. Regardless of the technology used, more encryption means more focus on end-user systems for security teams, which in turn can create performance impacts for end users.
Above all, CISOs and their teams need to think differently about how they monitor and protect corporate systems where encryption has been deployed. It’s time to get creative, recognising there are often multiple ways to achieve the same objectives.
Creativity also comes into play when it comes to incorporating all of the requirements—risk, business and security requirements—and coming up with options that meet all of those. It takes a lot of experience, cross-functional knowledge and imagination to pull all that together. The onus is on security leaders to take their teams on this journey and ensure they have the skills they need to understand that, when encryption reduces visibility, there are usually other places to look in order to get the information they need about security issues and incidents.
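As an added illustration of "other places to look" (example code written for this page, not taken from the article or any vendor product), the script below runs simple detection logic over a handful of constructed, Zeek-style TLS session records. It never decrypts anything: it works only from the metadata that survives encryption, namely the server name indication (SNI), whether the server certificate validated, and the timing of repeated sessions between the same pair of hosts. The log format, field names and sample values are assumptions made for the example.

```python
"""Detection over encrypted-traffic metadata (added example, not from the article).

Assumes a Zeek-style TLS/connection log reduced to seven whitespace-separated
fields; the log lines below are constructed for illustration. The point: even
without decrypting payloads, the metadata around an encrypted session (SNI,
certificate validation result, timing regularity) still gives a security
operations team something to look at.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: ts  src  dst  dst_port  sni  cert_validated  bytes_out
SAMPLE_LOG = """\
1700000000 10.1.2.3 93.184.216.34 443 example.com True 1200
1700000060 10.1.2.3 198.51.100.7 443 - False 310
1700000120 10.1.2.3 198.51.100.7 443 - False 305
1700000180 10.1.2.3 198.51.100.7 443 - False 312
1700000240 10.1.2.3 198.51.100.7 443 - False 308
1700000300 10.1.2.3 198.51.100.7 443 - False 311
1700000305 10.1.2.4 93.184.216.34 443 example.com True 5400
1700000900 10.1.2.4 203.0.113.9 443 cdn.example.net True 88000
"""


def parse(text):
    """Turn the assumed log format into a list of dicts; '-' means no SNI sent."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, sni, ok, nbytes = line.split()
        rows.append({
            "ts": int(ts), "src": src, "dst": dst, "port": int(port),
            "sni": None if sni == "-" else sni,
            "cert_validated": ok == "True",
            "bytes_out": int(nbytes),
        })
    return rows


def find_beacons(rows, min_count=4, max_jitter=10.0):
    """Flag (src, dst) pairs with at least min_count sessions whose inter-arrival
    time is near-constant (population std dev of the gaps <= max_jitter seconds).
    Regular timing is visible regardless of what the payload contains."""
    by_pair = defaultdict(list)
    for r in rows:
        by_pair[(r["src"], r["dst"])].append(r["ts"])
    hits = []
    for pair, stamps in by_pair.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if pstdev(gaps) <= max_jitter:
            hits.append({"pair": pair, "count": len(stamps), "mean_gap": mean(gaps)})
    return hits


def find_untrusted_without_sni(rows):
    """Sessions that sent no SNI and presented a certificate that failed validation.
    Either alone is common; together they are worth a second look."""
    return [r for r in rows if r["sni"] is None and not r["cert_validated"]]


def triage(text):
    """Run both checks over a log text and return the findings."""
    rows = parse(text)
    return {
        "beacons": find_beacons(rows),
        "untrusted_no_sni": find_untrusted_without_sni(rows),
    }


if __name__ == "__main__":
    for name, findings in triage(SAMPLE_LOG).items():
        print(name, len(findings))
        for f in findings:
            print("  ", f)
```

On the constructed sample, the five sessions from 10.1.2.3 to 198.51.100.7 arrive exactly sixty seconds apart, carry no SNI and present a certificate that did not validate, so both checks report them; the ordinary browsing sessions from the other host are left alone. Thresholds such as `min_count` and `max_jitter` are deliberately exposed as parameters because the right values depend on the environment, which is precisely the risk-management judgement the article asks security teams to make.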
They also have a role to play in helping guide in-house developers on where they should (and maybe shouldn’t) consider incorporating encryption into the apps and services on which they are working.
So when the issue of encryption raises its head (and it will), it’s time for the CISO to step up and take the lead on some pretty robust conversations that will help their businesses implement this technology as the precision tool it should be, and not a blunt instrument—or worse still, a double-edged sword.