Not all encryption tools are created equal. Just ask the folks at Microsoft, who have recently demonstrated that encrypted Electronic Medical Record databases can leak information. It turns out that CryptDB, a SQL database add-on developed at MIT that allows searching of encrypted data, allows search queries to be combined with information in the public domain to hack the database. More on this in a minute. In the meantime, let’s consider the assumption that encryption is inviolate/infrangible/impervious to hacks. As I mentioned in an earlier post, encryption algorithms are too complex for most laypersons to understand, but we should at least wrap our heads around the concept that encryption is not a “set it and forget it” technology, nor is it foolproof.
Like all technology, encryption standards—and the tactics of those who try to break them—evolve. What was once state-of-the-art is now trivial. DES is replaced by AES. Russia, China, Great Britain, and the U.S. all capture and store away others’ encrypted data, awaiting the day when it can be broken. Notwithstanding the march of technology, some encryption models are doomed from the start. Take the Western Digital “My Passport” self-encrypting hard drive. According to vulnerability researchers, some of these drives contain backdoors, store passwords and keys on the drive itself, and generate keys using a method that is not cryptographically secure. Even NIST-certified USB flash drives with hardware encryption have been cracked.
There are many ways around most encryption, including poor implementation; insecure or inappropriate use of algorithms; weak keys; and leaving backdoors open, a technique that has received a lot of buzz from the privacy community, particularly in light of the Snowden revelations.
So, back to CryptDB. Why do we need to concern ourselves with information in the public domain? Although the potential for some data leakage was known and expected when CryptDB was first announced, it was public information gathered and made available by state governments that fully enabled the decryption by Microsoft. Remember, too, that passwords and other “secret” keys may often be inferred from information we publish about ourselves, on Facebook, LinkedIn, and other social media. Great bait for spear-phishing.
John Wayne knew a thing or two, it turns out, about doubling up on security, if you believe his wardrobe of choice. Wearing a belt and suspenders may be a fashion faux pas, but it should be all the rage when it comes to information security. In fact, keeping your pants up (i.e., your information protected) these days requires as many layers as you can comfortably and affordably wear. Do not assume that fancy encryption suspenders alone will protect your information, and take steps to ensure that the encryption tools you do use are well implemented. Have a sturdy belt underneath in the form of all those other security controls, like access rights, filters, firewalls, anti-virus programs, and intrusion prevention and detection systems. And don’t forget to ask your cloud provider where and how they enable encryption.