You Forgot to Lock Your Chest

Wolfgang Joppich
Published: Dec 18, 2024
Reading time: 3 min

Unencrypted Data Everywhere

Having a strong crypto background and having dealt with data encryption throughout my working life, I am always astounded when talking to representatives from various companies at IT security events. These companies invest a lot in their IT security by deploying firewalls, EDR, XDR, SIEM, anti-virus software, DLP and so on. But most of them forget to encrypt their data.

You can compare that with a gold chest protected by a medieval castle with massive walls, strong gates and guards watching the perimeter, while the chest itself, holding all your valuable gold, is left unlocked.

Anybody who is able to bypass your security measures, e.g. through a backdoor or by bribing your guards, will be able to loot your gold. Nor is there any protection from internal attacks: your employees could steal your gold just as easily, since direct access to the chest is unprotected.


Figure 1: Culpable unlocked gold chest within a very well protected castle

Neglecting to lock your gold chest, which in the modern world is equivalent to leaving your company data unencrypted, leaves a huge security gap, even though locking the chest is the most obvious measure of all.

If you lock your chest, no one can steal its contents. Likewise, if you encrypt your data, the data cannot be stolen or leaked. Combined with a proper backup system, you are far less susceptible to ransomware attacks. This is far too often overlooked by companies, leading to severe damage, penalties and loss of reputation.

Please be aware that the list of ransomware attacks [source] is frighteningly long and steadily growing. The list would be significantly shorter if companies encrypted their data. Attackers typically go for the low-hanging fruit.

Encrypting your data makes it much harder for attackers to steal it, and they typically move on. So please encrypt your data, if only to reduce your chance of landing on this ever-growing list.

Of course, do not get me wrong. All the other security measures listed above are important and should be in place. They are vital for the safe operation of your systems. But on their own they are not enough, as they miss the key point of locking your chest. They should go hand in hand with encryption of your data.

Regulations Demanding Encryption

The absence of data encryption in most companies is even more astonishing considering that several laws demand encryption of data and define high penalties in case Personally Identifiable Information (PII) is leaked. For example, in Europe the following regulations must be followed, depending on the sector you are in. The list items link directly to the respective text in the regulation regarding encryption and protection requirements:

Following these regulations, you will benefit from encryption in other ways as well. In the case of a data breach, a company is obliged to notify the data subjects about the data loss [source].

This can create quite a headache if you manage data of hundreds of thousands of data subjects. Fortunately, GDPR article 34(3)(a) [source] states that this notification is not required if the data has been rendered unintelligible, e.g. through encryption. Therefore, one big headache goes out the window.

Encrypting Data With DSM

So, you have some confidential or personal data in different systems that you want to encrypt. How can you do that in the best possible way? Fortanix encrypts your data at rest, in transit and in use.

Fortanix integrates with numerous third-party applications, as listed on the Fortanix solutions page. Typical integrations encrypt data in the cloud, in databases, in storage systems or in SaaS services.

This is achieved with the Fortanix Data Security Manager (DSM). DSM is a highly versatile key store that protects the keys which encrypt your data. As data is the most valuable asset in your company, these keys become extremely important and must never be exposed to the outside world.

This is achieved by utilizing a FIPS 140-2 Level 3 compliant Hardware Security Module (HSM). This HSM is bundled with a Key Management System (KMS), which eases the management of all your keys and covers the NIST key management requirements [source].
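The envelope-encryption pattern behind such a key store, shown here as an added Go example that is not Fortanix code and does not use the DSM API: a `KeyVault` type stands in for the HSM/KMS boundary and holds an AES-256 key-encryption key (KEK) that no method ever returns. Each record is encrypted under its own data-encryption key (DEK), and only the KEK-wrapped form of that DEK is stored next to the ciphertext. The type and function names (`KeyVault`, `EncryptRecord`, `DecryptRecord`) and the sample record are constructed for this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyVault is a stand-in for an HSM/KMS boundary (hypothetical type, not the
// DSM API). The KEK is unexported and never returned by any method.
type KeyVault struct {
	kek []byte
}

// NewKeyVault generates the AES-256 KEK inside the boundary.
func NewKeyVault() (*KeyVault, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &KeyVault{kek: kek}, nil
}

// seal encrypts with AES-256-GCM under a fresh random nonce and returns
// nonce || ciphertext || tag.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; it fails if the ciphertext or tag was modified.
func open(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], nil)
}

// GenerateDataKey returns a fresh DEK for immediate use plus the same DEK
// wrapped under the KEK; only the wrapped form is meant to be persisted.
func (v *KeyVault) GenerateDataKey() (plain, wrapped []byte, err error) {
	plain = make([]byte, 32)
	if _, err = rand.Read(plain); err != nil {
		return nil, nil, err
	}
	wrapped, err = seal(v.kek, plain)
	return plain, wrapped, err
}

// UnwrapDataKey recovers a DEK from its wrapped form. Only the vault can do
// this, because only the vault holds the KEK.
func (v *KeyVault) UnwrapDataKey(wrapped []byte) ([]byte, error) {
	return open(v.kek, wrapped)
}

// Record is what lands on disk or in a database column. Neither field is
// usable without the vault.
type Record struct {
	Ciphertext []byte
	WrappedDEK []byte
}

// EncryptRecord performs envelope encryption: per-record DEK, wrapped by the KEK.
func EncryptRecord(v *KeyVault, plaintext []byte) (Record, error) {
	dek, wrapped, err := v.GenerateDataKey()
	if err != nil {
		return Record{}, err
	}
	ct, err := seal(dek, plaintext)
	if err != nil {
		return Record{}, err
	}
	return Record{Ciphertext: ct, WrappedDEK: wrapped}, nil
}

// DecryptRecord unwraps the DEK through the vault, then decrypts the data.
func DecryptRecord(v *KeyVault, r Record) ([]byte, error) {
	dek, err := v.UnwrapDataKey(r.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap failed: %w", err)
	}
	return open(dek, r.Ciphertext)
}

func main() {
	vault, _ := NewKeyVault()
	// Constructed sample record containing personal data.
	rec, _ := EncryptRecord(vault, []byte("name=Jane Doe;dob=1980-01-01"))
	pt, _ := DecryptRecord(vault, rec)
	fmt.Printf("round trip: %s\n", pt)
	// A copy of the record held by anyone without this vault (e.g. a leaked
	// database dump) is unintelligible: a different KEK cannot unwrap the DEK.
	other, _ := NewKeyVault()
	if _, err := DecryptRecord(other, rec); err != nil {
		fmt.Println("without the vault:", err)
	}
}
```

The point of the split is that a stolen copy of the stored records carries no usable key: whoever holds the dump still has to get the vault to unwrap each DEK, which is exactly where access control, audit logging and the HSM boundary apply. Because AES-GCM is authenticated, a record whose ciphertext or tag was altered is rejected on decryption rather than yielding garbage.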

If you do not want to manage the HSMs yourself, you can also use DSM as a SaaS solution, which removes the operational and security burden of running HSMs. Nevertheless, you retain sole control over your keys, just as if the HSMs were on premises.

Conclusion on Data Encryption

Encryption of confidential and personal data is overlooked by companies far too often, leading to severe data leaks and ransomware attacks, and this despite several security measures being in place, such as EDR, XDR, SIEM, DLP, firewalls and many others. Most of these attacks can be prevented simply by encrypting the data. This makes the data unappealing to attackers, as what they obtain is completely useless to them. Consequently, personal data should always be stored in encrypted form to protect against unauthorized access and data loss.

For more information, please contact Fortanix.
