When it comes to protecting confidential information, we find that clients require different approaches or pose different protection needs. Some clients need to protect the information on their mobile computers or laptops in case they are lost. Others want to keep their documentation protected on file servers so that it can even be protected from improper access by IT staff. Sometimes some customers need to protect documentation when it travels attached to an email because they use managed email servers or in the cloud. Some customers ask to protect the documentation when it is sent to third parties or even internally in order to minimize the possibility of it being copied, unprotected or accessed by inappropriate users.
The three states of data
We can consider three states for information or data:
- Data at rest: By this term we mean data that is not being accessed and is stored on a physical or logical medium. Examples may be files stored on file servers, records in databases, documents on flash drives, hard disks etc.
- Data in transit: Data that travels through an email, web, collaborative work applications such as Slack or Microsoft Teams, instant messaging, or any type of private or public communication channel. It’s information that is traveling from one point to another.
- Data in use: When it is opened by one or more applications for its treatment or and consumed or accessed by users.
Protection of Data at Rest
Documentation is considered secure at rest when it is encrypted (so that it requires an unworkable amount of time in a brute-force attack to be decrypted), the encryption key is not present on the same storage medium, and the key is of sufficient length and level of randomness to make it immune to a dictionary attack.
In this area we find different data protection technologies. For example:
- Full disk encryption or device: Hard disk encryption allows that if the laptop or computer is lost for example, the data contained in it cannot be accessed by simply mounting the hard disk or device in another machine. It has the advantage of being “transparent” to the user in that if the user has logged in correctly, he or she can access the documents in the same way as he or she would on a non-encrypted computer. However, if the computer or the file server is accessible by the administrator, nothing prevents a dishonest user from accessing the data, copying it, resending it, etc. The data is protected while residing on the device or hard disk, but is no longer protected once it is extracted from the device (copied to another device, resent, etc.).
- File-level encryption: No partition or hard disk is encrypted, only individual files. Public-key or symmetric encryption allows you to encrypt files, for example. Files are not only encrypted when they are stored on the disk, but can also be protected in transit, when they are sent for example as attachments in an email. In this case, transparent access by a user is lost, as well as transparent protection of the user. That is, with PGP, for example, it is necessary to have the public key of the person with whom I want to share the protected file, and on the other hand, she must have my public key in order to be able to decrypt it. On the other hand, once the document has been decrypted by the recipient, it can be stored unprotected, resent unprotected, etc.
- Database Encryption: Database systems such as SQL Server or Oracle use TDE – Transparent Data Encryption to protect data stored in databases. TDE technologies perform encryption and decryption operations on data and log files in real time. This allows application developers for example to work with encrypted data using AES or 3DES for example without needing to modify existing applications. This type of encryption protects data at rest in the database, but not when the data has already been accessed by the corresponding application and can be extracted.
- Protection through Digital Rights Management (IRM): Data Rights Management technologies as SealPath (Information Rights Management) allow the encryption of documentation by applying persistent protection to it. The documentation at rest is encrypted and is only accessible to users who have access rights to it. Unlike encryption at file level, the receiving user can access it to read and even modify it, but cannot completely decrypt the file (unless he or she has been assigned Full Control permissions on the file).
- MDM (Mobile Device Management): One way to control data in mobile devices is through MDM tools. They allow limiting access to certain corporate applications, blocking access to the device or encrypting data on the mobile or tablet. As with standard encryption, they are useful in the event that a device is lost, but when the data is sent to the outside of the device, it leaves unencrypted.
- DLPs (Data Leak Prevention): A DLP, among other functions, enables a search or location of sensitive data on an endpoint or network repository. In the case of data in repository, they can delete the data for example or block access to certain users in case it violates any security policy (eg is in a computer that should not be). They are valid while the data is inside the organization, but they cannot act on it once it has left.
- CASB (Cloud Access Security Brokers): These are systems that allow us to apply security policies to the documentation we have in cloud systems such as Office 365, Box, Salesforce, etc. You could say for simplicity that it is a DLP system applied to a cloud application instead of the organization’s perimeter. With regard to data at rest, CASBs are capable of detecting sensitive data in certain cloud data repositories and applying protection policies to the documentation, for example, removing a public link to the document and restricting it to a group of users if the data is determined to be sensitive. Like DLP, they can act while the data is in the cloud (e.g., G-Suite), but not once the document has left the cloud.
Challenges of Data at Rest Protection
Today’s IT departments are faced with numerous challenges when it comes to protecting idle documentation:
- The data can be stored in different media and equipment: Important documentation is not only found in the file servers, or document managers, but there may also be copies on the users’ PCs, USB devices, etc.
- Scattered on mobile devices: Mobile phones and tablets are one more work tool that may contain important documentation at rest that must be protected. It must be taken into account that in many cases where sensitive data is managed, the mobile devices in which it is found are not corporate but personal and out of the control of IT departments.
- Inability to control cloud storage: Many storage providers offer encryption and protection of the data they manage at rest. However, the encryption keys are owned by the storage provider and not by the companies that hire them, so control of the documentation stored in these clouds is lost.
- Need to comply with different data protection regulations: Depending on the vertical in which our company operates, it may be subject to stringent data regulations regarding the protection and control over data. For example, patient data in the healthcare sector or customer data in the financial sector is protected by regulations such as EU-GDPR, HIPAA, PCI, etc. depending on the territory. These regulations impose protection policies on data at rest, regardless of whether it is stored in a database, on a file server or on mobile devices.
To overcome these challenges, IT Departments must analyze the main risks they face regarding the management of their data at rest and select the technology or technologies prioritizing those that will eliminate or mitigate those most likely and/or of greatest impact to their organization.
Protection of Data in Transit
We are in the age of digital collaboration and there are now plenty of ways to share our data with others. One of the most widely used has traditionally been email. With over 3.9 billion users using email today (Statista, 2020), these numbers are expected to grow to 4.3 billion users by 2023. However, we move data through other platforms such as collaborative work like Slack or Microsoft Teams, through cloud storage applications such as Box, OneDrive, Dropbox, etc.
Among the different technologies to protect data in transit are the following:
- Email encryption: Provides end-to-end protection for message bodies and attachments There are a wide variety of tools for encrypting email. One of them is based on PKI (Public Key Infrastructure), a combination of a private key (known only to you) and a public key (known to those to whom you want to send the protected message). The email and attachments are protected using the recipients’ public key, and on receipt, the recipient uses his or her private key to decrypt the content. Once the email or attachment has been decrypted, control over it is lost and it can be forwarded, copied, etc.
- Managed File Transfer (MFT): This is a secure alternative to transferring files via FTP for example. The file is uploaded to a platform and a link is generated to download it. This link is sent by email or other means to the recipient who makes the download via HTTPS. It is possible to set expiration dates for the link, password to access it, etc. As it happens with the e-mail encryption, once the file has been downloaded, it is unprotected and you can do whatever you want with it.
- DLP (Data Leak Prevention): DLP technologies provide in-transit or in-motion protection in that they are able to detect whether an attempt is being made to send confidential data outside the organization (e.g., credit card numbers) and block the sending of such data. They also allow for blocking copies of data to a USB drive, sending to network drives, uploading to web or cloud applications, etc. The problem they pose is that if the data has been sent it can no longer be controlled. Additionally, they can be prone to false positives and block valid submissions that should be allowed to pass through.
- CASB (Cloud Access Security Brokers): With regard to data in transit, they can detect if a user tries to download sensitive data, and if he does not comply with certain security policy (e.g. is not a reliable user for this type of data) they can block the download. As with DLP, if the data has been downloaded, control over it is lost. They apply security to a finite number of cloud applications, usually the most well known.
- In-transit protection with digital rights: For example with SealPath can be applied in the email to not only encrypt the body and attachments, but also to apply usage rights leaving only the content to be viewed, or to view and edit but not print, etc. They also allow for example to restrict the forwarding of the email to the recipients if desired. As a file protected with digital rights travels with the protection, protection in transit is offered via any medium. They are also integrated with tools such as DLP or CASB so that if a sensitive document is detected as coming out of the network or a confidential document is downloaded from a cloud application, they can automatically protect it depending on the security policy.
Challenges of Data Protection in Transit
- There are an infinite number of means and channels of communication: These tools are normally in protecting a certain channel such as email, web downloads, etc. but it is complicated to reach any protocol and means of communication.
- Infinity of Cloud applications to protect: If we are talking about a CASB-type approach to secure the data that is downloaded from the cloud, it is very difficult to reach any application. Options are usually available for the most popular cloud applications such as O365, G-Suite, Salesforce, Box, etc.
- Impossibility to maintain control at the receiving end: In the case of email or MFT encryption, once the recipient has received the file and has it decrypted for him, control is lost. They offer point-to-point protection, but no further, with the exception of digital rights protection.
- Difficulty determining what should be protected and what should not: PIt is difficult for a DLP or CASB system to determine what should be blocked or not. Certain rules can be set, but they can result in false positives that block the output of data when necessary. Sometimes, a “protect all” approach (with exceptions) is the best policy, for example, in the case of email encryption because if someone compromises an email box we are sure they will access encrypted data, but this is not always possible depending on the type of organization.
IT departments have to see if covering a portion of the data in transit is worth preventing most potential problems. If I cover 20% of the media, e.g. email or certain applications, I prevent 80% of possible problems may be a good approximation, although I will certainly not be covered at all.
Protection of Data in Use
As mentioned above, we are talking about data in use when it is accessed by an application for treatment. Normally, behind the application there is a user who wants to access the data to view it, change it, etc. In this state, the data is more vulnerable, in the sense that in order to see it, the user must have been able to access the content decrypted (in the case that it was encrypted).
To protect the data in use, controls should normally be put in place “before” accessing the content. For example, through:
- Identity management tools: To check that the user trying to access the data is who he says he is and there has been no identity theft. In these cases it is increasingly important to protect access to the data through a two-factor authentication.
- Conditional Access or Role Based Access Control (RBAC) tools: Allow access to data based on the user’s role or other parameters such as IP, location, etc.
However, in these cases, we are protecting the data by limiting more precisely who can and cannot access it, but once the database or a document has been accessed we cannot prevent the person from doing what they want with the data.
- Through digital rights protection or IRM: we can obtain effective protection in the use of the data as we can limit what actions the user can take once they have accessed the data. For example, we may prevent you from editing, printing, etc. There are Cloud collaboration platforms or document managers that allow you to set digital rights controls such as only viewing, preventing, downloading, etc. However, if we have downloaded the document, it is completely unprotected.
With an IRM protection applied directly on the file (not on the document manager or collaboration platform itself) we can apply a protection that travels with the documents and limits the opening permissions wherever it goes. Whether the data is in the cloud or has been downloaded, I can get a user to see it, but not completely unprotect it, print it, etc.
Challenges of Protecting Data in Use
- Most of the tools that control access to data do so before allowing access, but once validated, as we said above, it is more complex to control what can be done with the data.
- Even if we are limiting permissions on the documentation, if it is being shown to the user in the application, in a viewer, he can always take a picture, for example, although we can mitigate this action through dynamic watermarks on the open document.
- Collaboration platforms that limit rights such as prohibiting downloading or only letting the document be seen, can be efficient when we only need to access the document, but have limitations if we need to modify the document for example with an agile tool on the desktop. In addition, we must not forget that the cloud platform itself has the document decrypted at the time of access and stored in their systems so it is technically possible to access the content of it. This can be a problem when we are talking about confidential data or subject to strict data protection regulations.
Without going into questions of protection of data in use through encryption of data in memory while the application has it open to avoid dumping it, the protection of digital rights or IRM is the most efficient data in use protection because it combines encryption + permission management + identity control.
This protection allows to keep the documentation safe in its three states: In transit, in remote and in use. The protection travels with the document and accompanies it wherever it travels allowing the user to work with the data, knowing that if necessary, he will not have complete control of it.