Boaz Gelbord wrote a thoughtful response (as did Mike Andrews) to my post earlier this week on the state of web application and data security. In it was one key tidbit on encryption:
The truth is that you just don’t mitigate that much risk by encrypting files at rest in a reasonably secure environment. Of course if a random account or service is compromised on a server, having those database files encrypted would sure come in handy. But for your database or file folder encryption to actually save you from anything, some other control needs to fail.
I wouldn’t say this is always true, but it’s generally true. In fact, this situation was the inspiration behind the Three Laws of Data Encryption I wrote a few years ago. The thing is, access controls work really freaking well, and the only reason to use encryption instead of them is if the data is moving, or you need to somehow restrict the data with greater granularity than is possible with access controls. For most systems, this is to protect data from administrators, since you can manage everyone else with access controls.
Also keep in mind that many current data encryption systems tie directly to the user’s authentication, and thus are just as prone to compromised user accounts as are access controls.
Again, not true in all cases, but true in many. The first step in encryption is to know what threat you are protecting against, and if other controls would be just as effective. Seriously, we toss encryption around as the answer all the time, without knowing what the question is.
(My favorite question/answer? Me: Why are you encrypting? Them: To protect against hackers. Me: Um. Cool. You have a bathroom anywhere?)
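To put the two points above in concrete terms, here is an added example (written for this post, not taken from Rich's, Boaz's or Mike's material): a toy data store whose data key is wrapped by a key derived from the login password, which is how most "tied to authentication" at-rest encryption works. A stolen disk or backup without the password yields only ciphertext, while a compromised account decrypts everything, so the encryption covers exactly the failure the access control already covered. The cipher is a throwaway HMAC-SHA256 keystream for readability rather than a real primitive, and every name and the sample record are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

ITER = 100_000  # PBKDF2 rounds for the password-derived key-encryption key
SAMPLE_RECORD = b"acct=12345;balance=100"  # constructed sample data

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Toy keystream: HMAC-SHA256 in counter mode (illustration only, not AES)."""
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def _seal(key: bytes, data: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def _open(key: bytes, blob: bytes) -> Optional[bytes]:
    """Verify the tag first; a wrong key or tampered blob returns None."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        return None
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

def create_store(password: str, records: bytes) -> dict:
    """Envelope encryption tied to authentication: a random data key (DEK)
    encrypts the records; a key derived from the login password wraps the DEK."""
    salt, dek = os.urandom(16), os.urandom(32)
    kek = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITER)
    return {"salt": salt, "wrapped_dek": _seal(kek, dek), "data": _seal(dek, records)}

def read_store(store: dict, password: str) -> Optional[bytes]:
    """What any holder of the credential sees, legitimate user or not."""
    kek = hashlib.pbkdf2_hmac("sha256", password.encode(), store["salt"], ITER)
    dek = _open(kek, store["wrapped_dek"])
    return None if dek is None else _open(dek, store["data"])

def exposure(store: dict, credential: str) -> str:
    """Stolen disk or backup tape: the attacker only has a guess at the password,
    the unwrap fails, and the data stays protected. Compromised account: the real
    password unlocks the DEK and the encryption never comes into play."""
    return "protected" if read_store(store, credential) is None else "exposed"
```

The design that would change this picture, a DEK held outside the account's reach (an HSM or a separate key service with its own authorization), is exactly the "protect data from administrators" case the post describes.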
6 Replies to “Boaz Nails It- The Encryption Dilemma”
I posted a response to Adrian on my blog but let me chime in here too. The problem with database encryption is that as Rich says it is hard to do, even using native encryption. Encrypting would be worth it if there was some big reduction in risk, but I think we all agree that enabling database encryption doesn’t significantly lower the risk of data compromise by a hacker. The only case where encryption really matters is a lost backup tape or stolen server, but there are much cheaper ways to mitigate those risks than encrypting a database (like just encrypting backup tapes).
Of course Rich’s third law of data encryption still holds – if someone tells you to encrypt, you still need to encrypt. Although database encryption is sometimes contractually required, there is currently no state or federal regulation that I know of that legally mandates this (the closest is Nevada and it only requires encryption of cardholder data in transit).
Laptop encryption – no doubt a must-have and a no-brainer.
As for DB encryption, I like Boaz’s argument somewhat – encryption is good, and yes another control has to fail before it gets that far, and defence-in-depth/layers are always good (you never know what is going to fail), but from my experience it doesn’t really matter.
Once a hacker (or one of our PenTesters) is in (to a corp network), they are 99 times out of 100 very much IN – keys to the kingdom and all that. I’ve worked with a very talented guy who during pen tests was “an hour and a half for your domain creds or your money back”. I think in the 4 years I’ve known him he’s been wrong (and VERY pissed off) only once.
So sometimes defence-in-depth/layers or certain technology just doesn’t add very much to the equation.
Or, as referenced in the quote, in case of catastrophic failure of security controls. Account privileges normally do all you need, but if someone breaks into or steals the server, encryption might save your bacon.
I agree with the premise, albeit for different reasons. I think we have to clear up the terminology as to what we mean by database encryption, and my motivation for trying to change the terminology in the database encryption series. Left a long comment on Boaz’s blog regarding his statements.
-Adrian
Yes and no. Sometimes a layer doesn’t add any security. We’re “conditioned” to think of defense in depth, but many times that translates into spending more money for no security improvements. Especially with encryption.
But isn’t security about layers, not absolutes?