Protecting Confidential Data From Device Theft & Insider Threats

Bring-your-own-device (BYOD) policies are becoming the norm and, together with several recent events, make a data breach via a stolen device or an insider threat a growing concern. This post explains how to mitigate these risks.

Device theft and insider threats have always been major concerns for cybersecurity leaders. Work-from-home and bring-your-own-device (BYOD) policies are now ubiquitous, which increases the chance that a device holding company data is lost or stolen, and recent headlines have made both concerns even more pertinent.

On January 6th, laptops and iPads were stolen from the United States Capitol Building, including a laptop belonging to the office of Speaker of the House Nancy Pelosi. Then, on January 22nd, Tesla filed a lawsuit against a former employee, accusing him of stealing trade secrets by uploading several confidential files to his personal Dropbox account.

In both of these examples, as in many others, the attackers could use the stolen data for a variety of malicious purposes: extortion (threatening to leak the confidential information unless a payment is made, as double-extortion ransomware groups do), selling the information to competitors, and even national security threats.

This blog post will discuss how to protect your enterprise data when devices are compromised or insider threats are present.

Common Security Measures

Common approaches to data security include full-disk encryption, access controls on file shares, and similar techniques. These are sound measures that should be used, but they do very little against a stolen device that was unlocked (or whose user was still logged in) with files already downloaded to it, or against an insider who sends files externally. Even if the user's permissions are revoked and their network access is cut off, the files already present on the stolen device or already sent to a third party are compromised. A better approach is to build the protection into the files themselves, so that it is enforced on whatever device the files are moved to.

You may be thinking that we are about to propose some convoluted Digital Rights Management (DRM) solution or a client-side-enforced access control, but we are not. The solution is already available in tools that many people use today, although one could argue it does fall under the umbrella of DRM (it is definitely not convoluted, though).

Built-In Security

Since an attacker who controls the device can simply bypass any client-side access control measure, the content of the file must be encrypted, and only legitimate users should be able to decrypt it, and only while they are allowed to. This can be implemented in many ways, but any solution that requires end users to manually decrypt files will not scale and will therefore never gain broad adoption. The solution must work with existing tools and must not require users to do anything they are not already accustomed to doing.

For example, the file should decrypt and open when the user double-clicks it, provided the user is allowed to read the file at that moment. If the user does not have access, the file should not decrypt and the user cannot view the contents; only ciphertext is visible.

This may sound complicated, but it is already well supported. PDF files, the Windows Encrypting File System (EFS), and Microsoft's Sensitivity Labels all support encrypting content with public key cryptography. On that foundation it is possible to build a robust data security platform that protects data even when devices are stolen or files are exfiltrated.

Those familiar with Garantir know that we are strong proponents of securing the enterprise's private keys in a centrally managed HSM and providing proxied access to those keys without ever exporting them. With the keys centrally managed and controlled, fine-grained authorization can be placed on each key and every usage can be audited. If a user should no longer be able to read certain files, you simply revoke their access to the relevant keys; the next attempt to open the file fails, no matter which device the file is on. Using techniques like enveloped encryption (only a small per-file data key is wrapped with the HSM-held key, while the file body is encrypted locally under that data key, so each open sends a few hundred bytes to the proxy rather than the whole file) and client-side hashing, the solution is highly performant and users won't notice any impact.

In the example below, we show how this concept can be applied to PDF files using PDF's native support for certificate-based encryption.

In this next example, we show how the same idea extends to other file types via the Windows Encrypting File System (EFS).

Microsoft's Sensitivity Labels feature extends the same concept to more file types and platforms: with it, you can apply this protection on Windows, macOS, iOS, and Android.
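The mechanism that PDF certificate encryption, EFS and Sensitivity Labels have in common, reduced to its parts, as an added example that is not Garantir's or GaraSign's code: enveloped encryption, with the private key held behind a proxy that checks an allow-list and records every unwrap. The KeyProxy type, the key ID finance-2021, the user names and the audit line format are assumptions made for illustration; the proxy is an in-process stand-in for a network service backed by an HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is what a protected file carries: the body under a random per-file data key,
// and that key wrapped to the enterprise RSA key. Only WrappedKey ever reaches the proxy.
type Envelope struct {
	KeyID      string
	WrappedKey []byte // RSA-OAEP(dataKey), OAEP label = KeyID
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM(body), additional data = KeyID
}

// KeyProxy is an in-process stand-in (an assumption of this example) for the HSM-backed
// proxy: private keys, an allow-list per key, and a record of every unwrap attempt.
type KeyProxy struct {
	keys  map[string]*rsa.PrivateKey
	acl   map[string]map[string]bool // keyID -> users allowed to unwrap under it
	Audit []string                   // one "user=.. key=.. op=unwrap ok=.." line per attempt
}

// AddKey generates a key pair inside the proxy and hands out only the public half.
func (p *KeyProxy) AddKey(keyID string, bits int) (*rsa.PublicKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	if p.keys == nil {
		p.keys, p.acl = map[string]*rsa.PrivateKey{}, map[string]map[string]bool{}
	}
	p.keys[keyID], p.acl[keyID] = priv, map[string]bool{}
	return &priv.PublicKey, nil
}

// Grant requires a prior AddKey. A revoke bites on the next open of any file sealed
// to keyID, wherever that file has since been copied.
func (p *KeyProxy) Grant(keyID, user string)  { p.acl[keyID][user] = true }
func (p *KeyProxy) Revoke(keyID, user string) { delete(p.acl[keyID], user) }

// Unwrap is the only operation that touches a private key; every attempt is recorded.
func (p *KeyProxy) Unwrap(user, keyID string, wrapped []byte) (dataKey []byte, err error) {
	defer func() { p.Audit = append(p.Audit, fmt.Sprintf("user=%s key=%s op=unwrap ok=%t", user, keyID, err == nil)) }()
	if !p.acl[keyID][user] {
		return nil, fmt.Errorf("user %q may not unwrap under key %q", user, keyID)
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, p.keys[keyID], wrapped, []byte(keyID))
}

// Seal is the enveloped encryption: a fresh AES-256 key protects the body and is itself
// wrapped with RSA-OAEP so that only the proxy can recover it.
func Seal(keyID string, pub *rsa.PublicKey, body []byte) (*Envelope, error) {
	buf := make([]byte, 32+12) // 256-bit data key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	dataKey, nonce := buf[:32], buf[32:]
	block, _ := aes.NewCipher(dataKey) // cannot fail: the key is exactly 32 bytes
	gcm, _ := cipher.NewGCM(block)     // cannot fail for an AES block cipher
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, []byte(keyID))
	if err != nil {
		return nil, err
	}
	return &Envelope{keyID, wrapped, nonce, gcm.Seal(nil, nonce, body, []byte(keyID))}, nil
}

// Open is what a double-click does: obtain the data key through the proxy, then decrypt
// the (possibly large) body locally. A denied user is left with ciphertext only.
func Open(p *KeyProxy, user string, env *Envelope) ([]byte, error) {
	dataKey, err := p.Unwrap(user, env.KeyID, env.WrappedKey)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(dataKey) // the proxy, not the file, decides the key length
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(env.KeyID))
}

func main() {
	proxy := &KeyProxy{}
	pub, _ := proxy.AddKey("finance-2021", 2048)
	proxy.Grant("finance-2021", "alice")
	env, _ := Seal("finance-2021", pub, []byte("Q4 forecast (constructed sample)"))
	body, err := Open(proxy, "alice", env)
	proxy.Revoke("finance-2021", "alice")
	_, errAfter := Open(proxy, "alice", env) // the same file, after revocation
	fmt.Printf("before: %q %v\nafter: %v\n%v\n", body, err, errAfter, proxy.Audit)
}
```

Two details carry the security argument. The body never travels: the proxy sees only the 256-byte wrapped key, so a file of any size costs one RSA operation per open, which is why revocation and auditing can sit on every access without users noticing. And the key ID is bound into both the OAEP label and the GCM additional data, so a wrapped key or ciphertext cut from one file cannot be presented under another key's policy.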

Economics of an Attack

While this solution certainly raises the bar for an attacker, an insider who is allowed to read the files can still get around it. Such a user can always take screenshots of the content (or otherwise copy it) and send that data in an unprotected format to third parties. Even so, the approach increases the cost of the attack, and because every decrypt passes through the cryptographic proxy server, a burst of many files decrypted in a short period can trigger an alert there.
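The alerting condition just described, as an added example rather than the proxy's own alerting logic: a sliding-window count of successful decrypts per user over the proxy's audit stream. The audit lines below are constructed for the example, and their "ts user=.. key=.. op=unwrap result=.." format, the user names and the key ID are assumptions.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// sampleAudit is a constructed excerpt of the proxy's audit stream, in an assumed
// "ts user=.. key=.. op=unwrap result=.." format; it is not real GaraSign output.
const sampleAudit = `2021-02-01T09:00:01Z user=alice key=finance-2021 op=unwrap result=ok
2021-02-01T09:42:10Z user=alice key=finance-2021 op=unwrap result=ok
2021-02-01T13:00:00Z user=bob key=finance-2021 op=unwrap result=ok
2021-02-01T13:00:04Z user=bob key=finance-2021 op=unwrap result=ok
2021-02-01T13:00:09Z user=bob key=finance-2021 op=unwrap result=ok
2021-02-01T13:00:15Z user=bob key=finance-2021 op=unwrap result=ok
2021-02-01T13:00:21Z user=bob key=finance-2021 op=unwrap result=ok
2021-02-01T13:00:30Z user=mallory key=finance-2021 op=unwrap result=denied
2021-02-01T13:00:33Z user=bob key=finance-2021 op=unwrap result=ok
2021-02-01T14:10:00Z user=alice key=finance-2021 op=unwrap result=ok`

type event struct {
	ts     time.Time
	user   string
	result string
}

// parseLine accepts the line format above; anything unparseable is an error rather
// than silently dropped, since a gap in an audit trail is itself a finding.
func parseLine(line string) (event, error) {
	fields := strings.Fields(line)
	if len(fields) < 2 {
		return event{}, fmt.Errorf("malformed audit line: %q", line)
	}
	ts, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return event{}, fmt.Errorf("bad timestamp in %q: %w", line, err)
	}
	ev := event{ts: ts}
	for _, f := range fields[1:] {
		kv := strings.SplitN(f, "=", 2)
		if len(kv) != 2 {
			continue
		}
		switch kv[0] {
		case "user":
			ev.user = kv[1]
		case "result":
			ev.result = kv[1]
		}
	}
	if ev.user == "" {
		return event{}, fmt.Errorf("no user in audit line: %q", line)
	}
	return ev, nil
}

// BurstAlerts returns one alert per user whose successful unwraps exceed threshold
// inside any sliding window of the given length. Denied attempts are not counted here.
func BurstAlerts(auditLog string, window time.Duration, threshold int) ([]string, error) {
	perUser := map[string][]time.Time{}
	for _, line := range strings.Split(strings.TrimSpace(auditLog), "\n") {
		ev, err := parseLine(line)
		if err != nil {
			return nil, err
		}
		if ev.result == "ok" {
			perUser[ev.user] = append(perUser[ev.user], ev.ts)
		}
	}
	users := make([]string, 0, len(perUser))
	for u := range perUser {
		users = append(users, u)
	}
	sort.Strings(users) // deterministic output regardless of map order
	var alerts []string
	for _, u := range users {
		ts := perUser[u]
		sort.Slice(ts, func(i, j int) bool { return ts[i].Before(ts[j]) })
		for i, start := 0, 0; i < len(ts); i++ {
			for ts[i].Sub(ts[start]) > window {
				start++ // slide the window forward until it covers event i
			}
			if n := i - start + 1; n > threshold {
				alerts = append(alerts, fmt.Sprintf("%s: %d decrypts within %s starting %s",
					u, n, window, ts[start].Format(time.RFC3339)))
				break
			}
		}
	}
	return alerts, nil
}

func main() {
	alerts, err := BurstAlerts(sampleAudit, time.Minute, 5)
	fmt.Println(alerts, err)
}
```

With a one-minute window and a threshold of five, bob's six decrypts between 13:00:00 and 13:00:33 raise an alert while alice's spread-out activity does not. The window and threshold need tuning per role (a reviewer legitimately opening a dozen files is routine in some teams), and the denied attempt from mallory is a separate signal worth its own rule: repeated denials mean a stolen file is being tried against the proxy.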

Interested in implementing this approach to data security in your organization? GaraSign supports this feature and more, with keys secured in your enterprise’s HSMs and key managers. Contact us to learn more.
