Firms are focusing data encryption efforts in the wrong place


Businesses urgently need to review data storage infrastructures if they are to remain confident that they are meeting compliance regulations. Historically, companies have been concerned that it would be those outside the organisation who would be a threat to data security. Fear and suspicion meant systems were traditionally built to keep the business protected from unlawful entry (hackers). However, increasingly, data breaches are being tracked back to originating from inside the organisation. Employees and sub-contractors are, perhaps unwittingly, now deemed to be in some way responsible as their data can be jeopardised with stolen credentials from compromised personal accounts often mirroring passwords also used at work. This concern has recently been validated in The Data Breach Investigation Report for 2018. The report cites that hacking is now the number one threat and that most organisations are compromised in minutes but take months to discover. In addition, it was found that 93% of hacks including phishing and pretexting to internal actors, making them unwitting participants.

In order to be fully protected going forward, it makes sense that businesses assume the attacker is already behind the firewall, and to plan ahead for what they could potentially do to attack the data in the system. Of course, individuals with a technology background, or those working in the IT department itself, will be relatively savvy – but humans still make mistakes. However, if GDPR guidelines are followed, specifically Article 32, which calls for encrypting/anonymising personal data, the business exposure is dramatically decreased. This is critical in relation to ‘Article 34’ that provides safe harbour from notifying data subjects in the event of a data breach if the data breached was encrypted.

Furthermore, Article 34 states: “The communication to the data subject … shall not be required if any of the following conditions are met …the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption.”

Getting it wrong.

Not only is getting it wrong very expensive, it can also cause substantial damage to a business’s reputation. Unfortunately, Equifax was caught in the headlines when a data breach exposed information belonging to 146 million people. Whilst the breach originated in the USA, the ICO ruled the UK branch had “failed to take appropriate steps” and “multiple failures” had meant personal information was left vulnerable – information such as names, birth dates, telephone numbers and driving licence details.

Can CIOs reduce the business risk?

Most definitely. Protection against a physical theft of media comes as standard. Data centres have become modern day fortresses to protect thousands of servers. Today’s CIO however understands that the risk of attack is broader than just a direct theft of the data storage unit itself.

Hackers are highly intelligent, and don’t just extract entire datastores; they are looking for specific patterns in the data that suggests value. For example, in the UK, credit card numbers would commonly start with 4929 and have a further 12 numbers. Hackers will therefore scan data for 16 digits numbers, starting with 4929. If encryption has incurred early enough in the process the data will be useless ‘outside’ the system – a series of hidden code.

Encryption must also be applied further up the stack to protect information in all layers – including in transit over the network.  The longer the data is in a clear text format, the higher the risk and the more likely that mistakes are made. Encrypting data needs to happen as early in the data processing as possible. Generally, encryption involves randomising data. It can occur at many levels throughout the data centre stack, from inside the storage array itself, to network level encryption, to the operating system and application itself.

When data encryption occurs on the storage platform it leaves the data in plain text (readable) format as it’s moved across the network, as well as in the database and application servers. Application level encryption gives the highest protection level to data. Also, with lower entry costs there are no excuses for not exploring what a difference it can make to your data storage policies and compliance levels overall.

After all, no-one wants to be the next CISO explaining after a data breach why they didn’t adopt this gold-standard to protect customer data.


By Eran Brown, CTO EMEA, Infinidat

PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.

For more information on upcoming events, visit the website.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.

Privacy Culture: Data Privacy and Information Security Consulting, Culture & Behaviour, Training, and GDPR maturity, covered.