After having run WinMagic with the main focus as a data encryption company for more than 20 years, I asked our team for the first time last week the very basic question: When – and where – should sensitive data be encrypted?
The answers were eye-opening for me.
Ideally, sensitive data should always be encrypted except when it is being processed*, e.g. when used by an application that requires plaintext data.
With expertise in disk encryption we determined that data should be only decrypted in RAM memory for the CPU to work on; our disk encryption encrypts the data before it is written to the disk. But with advancements in memory encryption, the RAM can actually be always encrypted, with data being decrypted only within the CPU. That’s perfect! Well, almost.
The answer to “WHERE should sensitive data be in plaintext?” is: within the (secure) CPU. With advanced technology like AMD’s Secure Encrypted Virtualization (SEV), the CPU will no longer have the memory encryption key for the RAM of the Virtual Machine (VM) as soon as the CPU exits the VM. So, the answer to “WHEN” is: the short periods of time when the CPU is actually processing the workload; otherwise, sensitive data should always be encrypted.
At this level – with protection within the CPU – the workload can run on a laptop or in the cloud. The data is almost always encrypted and secure, provided the rest of the system functions accordingly, which is to say securely.
Most current encryption offerings are not that sophisticated or secure. Appliances sitting on the network, CASB included – with no endpoint presence – might not encrypt the data before it leaves the endpoint. And more importantly, the data would be encrypted with keys available to the appliance, the admin or even the service providers.
At this point, it begs the next, equally or perhaps even more important, question: when encrypted, then with what key? Who should have access to the key, and thus to the plaintext data?
We don’t and won’t have perfect security. Nobody will. Advancements in technology take time, and people usually operate well in “good enough” mode. Data might be unencrypted somewhere, but the situation is still good enough. We see that the lack of granularity and proper key management might pose a bigger threat than when and where data is encrypted. WinMagic has the vision of “Key Management for Everything Encryption”, and we will discuss key management another time.
* In some cases it may even be possible to process encrypted data, for example, using homomorphic encryption ( https://en.wikipedia.org/wiki/Homomorphic_encryption )
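As an added illustration of the footnote (example code written for this page, not WinMagic's or anyone's product code): a textbook Paillier scheme, which is additively homomorphic. The party that adds the values holds only the public key and ciphertexts; only the private-key holder ever sees plaintext, which is the "who has the key" question above in miniature. The 32-bit modulus and the primes 65537 and 65521 are chosen for the demo only; a real deployment would use a vetted library and 2048-bit or larger keys.

```python
import math
import secrets

# Toy Paillier cryptosystem (textbook construction, 32-bit modulus: demo only).
# Plaintexts m < n; E(a) * E(b) mod n^2 decrypts to a + b, so a party holding
# only the public key can add values it never sees in plaintext.

def keygen(p: int = 65537, q: int = 65521):
    """Public key (n, n^2); private key (lambda, mu). Using g = n + 1 keeps decryption simple."""
    n = p * q
    assert math.gcd(n, (p - 1) * (q - 1)) == 1        # holds for primes of equal length
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lcm(p - 1, q - 1)
    mu = pow(lam, -1, n)                                # modular inverse (Python 3.8+)
    return (n, n * n), (lam, mu)

def encrypt(pub, m: int) -> int:
    n, n2 = pub
    assert 0 <= m < n
    r = 0
    while math.gcd(r, n) != 1:                          # random r in Z_n^*
        r = secrets.randbelow(n)
    # (1 + n)^m mod n^2 == 1 + m*n; the r^n factor makes encryption probabilistic
    return (1 + m * n) * pow(r, n, n2) % n2

def decrypt(pub, priv, c: int) -> int:
    n, n2 = pub
    lam, mu = priv
    l = (pow(c, lam, n2) - 1) // n                      # L(x) = (x - 1) / n
    return l * mu % n

def add_encrypted(pub, c1: int, c2: int) -> int:
    """Ciphertext-only addition: whoever runs this needs no key and no plaintext."""
    _, n2 = pub
    return c1 * c2 % n2

def scale_encrypted(pub, c: int, k: int) -> int:
    """Multiply the hidden plaintext by a public constant k, again without a key."""
    _, n2 = pub
    return pow(c, k, n2)

def demo() -> tuple:
    pub, priv = keygen()
    ca, cb = encrypt(pub, 12345), encrypt(pub, 67890)   # constructed sample values
    total = decrypt(pub, priv, add_encrypted(pub, ca, cb))
    tripled = decrypt(pub, priv, scale_encrypted(pub, ca, 3))
    return total, tripled                               # (80235, 37035)
```

Note that the scheme is malleable by design: anyone with the public key can change the hidden value, so the ciphertexts still need integrity protection and the private key needs the same care as any other decryption key.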