Recently I visited a customer that had invested heavily in security intelligence, incident response, cyber security, a SOC, an ISMS, awareness campaigns and governance, but after all these investments they still did not feel in control. This feeling was also fed by data breaches and information leaks that were still happening in this professional and technical environment (they had taken every organizational and technical measure you can think of).
As we all know, technology in the ICT sector is changing rapidly. Innovations and technologies like the Internet of Things, Cloud, Blockchain and Big Data are no longer things of the future but are already daily business. This means that we increasingly work in an open environment, and therefore have less control over where our data is, where it moves to and what it will be used for.
On the other hand we see more regulation on protecting sensitive and personal data. In the Netherlands we need to comply with the ‘Wet Meldplicht Datalekken’ (the Dutch data breach notification law) and the eIDAS regulation, and soon we will also need to comply with the GDPR. The business consequences of not being in control will therefore have a bigger impact on organizations (fines, image, reputation, trust, share price). At the same time, these regulations and additional certifications have a positive impact on today’s business and can be used as a competitive advantage. So besides costing you revenue, these regulations can also increase your revenue.
Looking at current innovations, technologies and regulations, we have to ask whether the traditional and NextGen security intelligence solutions, processes and ISMS we are using and constantly investing in are the right way to go.
Isn’t it time to switch from “preventing the security breach” to “securing the security breach”? When you are able to classify and label your data, for example by using Business Impact Analyses based on the CIA triad (confidentiality, integrity, availability), you can take appropriate measures by encrypting data where it is stored, where it moves to and where it is used. Even if you have not yet made the full transition to classifying and labelling your data, you would still know where your data is and where it moves to, and you can use encryption effectively to protect it.
The most common arguments against using encryption have been ‘performance’ and ‘costs’. Nowadays there are many transparent encryption technologies that guarantee minimal performance loss. As for costs: consider that you may no longer need to invest as much in all the expensive security intelligence solutions and the processes around them.
Essential for the success of encryption is proper key management, so that you stay in control of your encryption keys. Key management is the critical success factor for encryption and is therefore just as important as, or even more important than, the encryption itself. Next to the essential key management policies and processes, the equipment matters as well. Are you using a key management system? Are you protecting, storing, creating, distributing, rotating and destroying your keys? Are you using software (a Key Management System) and/or certified hardware (Hardware Security Modules)?
Above all, you need to be in control of your encryption keys yourself at all times. Of course, in some cases it is interesting and worthwhile to use the public and/or private cloud; however, encrypt the data in the cloud and do proper key management (policies, processes and equipment) yourself, within your own organization. Don’t ever outsource your key management to the cloud. Control the keys yourself; it’s the only way to stay in control of your data.
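As an added illustration of the key lifecycle and the "keep the keys yourself" point above (this is example code, not code from the original post), the Ruby script below shows envelope encryption: each object is encrypted under its own data-encryption key (DEK), the DEK is wrapped under a key-encryption key (KEK) that stays within the organisation, and rotating the KEK only re-wraps the DEK, so the ciphertext already sitting in the cloud is untouched and the old KEK can be destroyed. The module name, the nonce || ciphertext || tag layout and the sample record are constructed for this example.

```ruby
require 'openssl'

# Added illustration (not the post's own code): envelope encryption with AES-256-GCM.
# Data is sealed under a per-object DEK; the DEK is sealed under the organisation's KEK.
# The cloud stores only [wrapped DEK, ciphertext]; the KEK never leaves the organisation.
module Envelope
  CIPHER = 'aes-256-gcm'
  NONCE_LEN = 12
  TAG_LEN = 16
  # Fresh 256-bit key from the OS CSPRNG; used for both KEKs and DEKs.
  def self.new_key
    OpenSSL::Random.random_bytes(32)
  end
  # Encrypt with a random nonce; the result is laid out as nonce || ciphertext || tag.
  def self.seal(key, plaintext)
    c = OpenSSL::Cipher.new(CIPHER).encrypt
    c.key = key
    nonce = c.random_iv
    c.auth_data = ''
    nonce + c.update(plaintext) + c.final + c.auth_tag(TAG_LEN)
  end
  # Reverse of seal; raises OpenSSL::Cipher::CipherError on a wrong key or any tampering.
  def self.unseal(key, blob)
    raise ArgumentError, 'ciphertext too short' if blob.bytesize <= NONCE_LEN + TAG_LEN
    c = OpenSSL::Cipher.new(CIPHER).decrypt
    c.key = key
    c.iv = blob.byteslice(0, NONCE_LEN)
    c.auth_tag = blob.byteslice(-TAG_LEN, TAG_LEN)
    c.auth_data = ''
    c.update(blob.byteslice(NONCE_LEN, blob.bytesize - NONCE_LEN - TAG_LEN)) + c.final
  end
  # Create a DEK, encrypt the data with it, wrap the DEK under the KEK.
  # Returns what the cloud would store: [wrapped_dek, ciphertext].
  def self.encrypt(kek, data)
    dek = new_key
    [seal(kek, dek), seal(dek, data)]
  end
  # Unwrap the DEK with the KEK, then decrypt the data.
  def self.decrypt(kek, wrapped_dek, ciphertext)
    unseal(unseal(kek, wrapped_dek), ciphertext)
  end
  # KEK rotation re-wraps only the DEK; the bulk ciphertext is untouched and the
  # old KEK can then be destroyed without losing access to the data.
  def self.rotate(old_kek, new_kek, wrapped_dek)
    seal(new_kek, unseal(old_kek, wrapped_dek))
  end
end
```

Because GCM authenticates the ciphertext, a retired KEK or a modified blob fails loudly instead of yielding garbage, which is what you want when checking that a destroyed key really is gone.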