If you keep up with technology, you know major cyber security breaches have become commonplace. From Target and Home Depot to the US Office of Personnel Management, these break-ins are growing larger in scope and happening more frequently. While everyone acknowledges data theft is troubling, even security professionals just shrug it off as business as usual.
However, I believe a subtle but significant shift has occurred in the security landscape. If you build any sort of web/Internet system, the chances that your product's entire database will be stolen sometime during its lifetime are now close to 100%. Once you acknowledge this reality, new, worrying questions arise about how to protect application data – and what kind of liability companies may face if they continue to build applications without taking this reality into account.
The Placebo Effect
If you talk with security experts, they will tell you that the answer to our computer security problems is application-level encryption. While application encryption approaches are appealing, they have one serious flaw that these experts tend to hand-wave away: ready reversibility. Granted, application-level encryption provides general improvements in diversity, opacity and at-rest protection. However, with the right administrative access, it is usually trivial to reverse these protections. This makes the whole approach vulnerable to one of the most challenging security threats today: spear phishing.
Let’s say you develop a web application employing multiple encryption keys to protect data with multiple algorithms at multiple different points in your database. Sounds robust, right? At least until I spear phish one of your dev ops guys and use his administrative access to exfiltrate the source code to the application, its database and the keys that protect it all.
Oh, but you are using a Hardware Security Module (HSM) and are protected against this scenario? Well, all I have to do is be patient and use your dev ops guy’s access to all of the involved systems to run the data through the HSMs and decrypt it before exfiltration. Or even worse, I discover and use maintenance functionality (e.g. an “archive” function) already built into the application to get it to export all of its data unencrypted.
Houston, We Have a Problem
Once someone has administrative access to your systems, most encryption techniques are easily reversible. Thus, since it is likely impossible to keep black hats from penetrating your infrastructure and gaining administrative access, security that relies primarily on application-level encryption is fundamentally flawed.
What’s the answer? In Part 2, I’ll propose a new approach to application encryption which I call Distributed Application Encryption (DAE). In Part 3, I’ll discuss the strengths, weaknesses and implications of DAE.