When I look at recent events and data exfiltration cases, it really looks like we are on the losing end of a battle. It seems to be fairly simple to compromise a network and exfiltrate data nowadays. Now you may claim that you have deployed all kinds of cool technology, such as hardened clients, data loss prevention and so on. If you do, please have a look at this blog post: From the Trench of Insecurity
As harsh as it seems, I am convinced that the author is right. It is not only that it is possible to get access to critical data; it is actually not that hard if you know what you are doing. But giving up is not an option. So, what do we need to do?
Well, at the end of the day, protecting our data means we need to encrypt it, completely, company-wide. Everything which is not public needs to be protected with something like Microsoft’s AD RMS: transparent, simple to use and available on all platforms. Unfortunately, vendors do not get the technology right yet. Keys (especially master keys) need to stay on premise. There is no way that they should leave the company and be moved into the public cloud. To me that is a simple requirement, yet most vendors do not get it right. Metadata is then the next big thing. When it comes to metadata, we want to control who sees what. Which user accesses which file, and when, is information that may need to be protected and is confidential to us.
If this, and the problem of how to search encrypted data, is solved, the public cloud will get another boost, as you no longer care where your data is: on premise, in the public cloud or in the attacker’s hands.
The rest (besides the fact that we need properly engineered solutions) is open for negotiation.
If one vendor gets this right, they might easily own the market. Whether it is Microsoft or Ionic (or somebody else I do not know yet) is still open, but we need a solution for this problem, and then we should encrypt data company-wide.
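To make the "master keys stay on premise" requirement concrete, here is an added envelope-encryption example (my own illustration, not code from this post, from AD RMS or from any vendor). Each file gets a fresh data key; the data key is wrapped by an `OnPremKMS` object that is the only holder of the master key; what leaves the premises is a `CloudObject` holding just the ciphertext and the wrapped key. The file ID is bound as associated data on both layers, so a wrapped key or ciphertext copied onto another object is rejected. Names such as `OnPremKMS`, `Protect` and `Recover` are assumptions for this example; the sample file content is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// OnPremKMS models the key-management service that stays inside the company.
// It is the only component that ever holds the master key (hypothetical type
// for this example); the "cloud" sees at most wrapped data keys and ciphertext.
type OnPremKMS struct {
	masterKey []byte // 32 bytes, never serialised or returned
}

// NewOnPremKMS generates a random AES-256 master key.
func NewOnPremKMS() (*OnPremKMS, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return &OnPremKMS{masterKey: k}, nil
}

// seal encrypts plaintext with AES-256-GCM under key, binding aad, and
// prepends the random nonce to the returned bytes.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; any change to ciphertext, tag or aad yields an error.
func open(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, aad)
}

// WrapDataKey encrypts a per-file data key under the master key. The file ID
// is authenticated as associated data, so a wrapped key moved to a different
// object fails to unwrap.
func (k *OnPremKMS) WrapDataKey(dataKey []byte, fileID string) ([]byte, error) {
	return seal(k.masterKey, dataKey, []byte(fileID))
}

// UnwrapDataKey is the only path back to a data key, and it runs on premise.
func (k *OnPremKMS) UnwrapDataKey(wrapped []byte, fileID string) ([]byte, error) {
	return open(k.masterKey, wrapped, []byte(fileID))
}

// CloudObject is everything that leaves the premises for one file.
type CloudObject struct {
	FileID     string
	WrappedKey []byte // decryptable only by OnPremKMS
	Ciphertext []byte // nonce || AES-GCM ciphertext || tag, under the data key
}

// Protect encrypts one file with a fresh data key and wraps that key on-prem.
func Protect(kms *OnPremKMS, fileID string, plaintext []byte) (*CloudObject, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	ct, err := seal(dataKey, plaintext, []byte(fileID))
	if err != nil {
		return nil, err
	}
	wrapped, err := kms.WrapDataKey(dataKey, fileID)
	if err != nil {
		return nil, err
	}
	return &CloudObject{FileID: fileID, WrappedKey: wrapped, Ciphertext: ct}, nil
}

// Recover reverses Protect; it needs the on-prem KMS, not just the object.
func Recover(kms *OnPremKMS, obj *CloudObject) ([]byte, error) {
	dataKey, err := kms.UnwrapDataKey(obj.WrappedKey, obj.FileID)
	if err != nil {
		return nil, fmt.Errorf("unwrap: %w", err)
	}
	return open(dataKey, obj.Ciphertext, []byte(obj.FileID))
}

func main() {
	kms, _ := NewOnPremKMS()
	// Constructed sample document; only obj would be stored in the cloud.
	obj, _ := Protect(kms, "finance/q3-forecast.xlsx", []byte("constructed sample: revenue 42"))
	pt, err := Recover(kms, obj)
	fmt.Printf("with on-prem KMS: %q err=%v\n", pt, err)
	other, _ := NewOnPremKMS() // a party holding the object but not our master key
	_, err = Recover(other, obj)
	fmt.Println("without master key:", err)
}
```

The point of the two-layer design is that the cloud object is inert on its own: whoever copies it, whether the provider or an attacker, still has to come back to the on-premise KMS for every unwrap, which is also the place where the "who accessed which file, when" metadata can be logged and kept under the company's control rather than the provider's.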