How to stay secure in a changing world

In Sir Isaac Newton’s time there were three laws of motion, which dominated the scientific view of the world. While he, and his scientific peers, might have had many different opinions, what they all agreed was that everything in the universe moves. However, today, it’s the way that things move that has changed – phenomenally.

In Newton’s era, if you wanted something to move, physical force had to be applied – whether that was someone throwing an apple or gravity pulling the apple from the tree, the end result was that it moved and hit Sir Isaac on the head.

Transfer this into the commercial world and we see goods, historically, either grown or manufactured in one place and then transported for sale or use in another. In the financial world, money, regardless of currency, physically existed and as such had to be moved by hand. Even physical attraction required both parties to be present in the same place at the same time.

What’s changed?
Enter virtual reality. Of course it’s true that not everything can be turned into 0’s and 1’s and sent over fibre optic cables, or travel wirelessly through thin air, but practically everything can be affected virtually. Take a book written in the UK – Harry Potter for example. Rather than one publisher printing billions of copies and shipping them in containers worldwide, which of course adds time and expense, the book is turned into virtual packets and sent to the four corners of the globe, where it is printed locally and sold. Today you don’t even need to physically turn the pages to read about the young wizard; this too can happen virtually on any number of eReaders.

By the same token, physically travelling to a central location to purchase items is replaced by virtually browsing the aisles, with the merchandise then picked and transported to your location.

Visiting the bank to pay money in, or writing a cheque to tell the bank to give your money to someone else, is practically consigned to history. Instead your money doesn’t even have to physically move, as it’s probably not in the bank’s vault anyway. It just exists on virtual paper and, as such, moves from one virtual place to another.

Even cupid is affected, as people no longer rely purely on physical attraction to get the ball rolling. Instead singles can enter their preferences into a search engine and have suitable matches returned. Businesses can be researched and products appraised without a boardroom or demonstration suite in sight. This demotes appearance to an eliminating, rather than driving, factor, with the whole “getting to know you” phase done virtually.

That’s progress, isn’t it?
Of course it is, and if we hadn’t moved forward, many of us would still believe the world was flat and be bartering with chickens. However, it doesn’t mean it’s all positive.

While the dandy highwayman may no longer stop a coach shouting “stand and deliver”, and the Great Train Robbery is consigned to history, it doesn’t mean money is never stolen. Instead of months of meticulous planning, new age bandits can, and do, virtually rob banks from the comfort of their living rooms. They hide behind a computer screen silently hammering away at the bank vault until they manage to break in. And it’s highly lucrative as, if it works on one door, the likelihood is it can be replicated on hundreds of others, and in one night millions can be stolen from hundreds of vaults.

The sad truth is cyber thieves can, and will if you let them, visit your premises and ransack your filing cabinets to steal your plans or poach your customers and intellectual property without physically setting foot in your building. In today’s virtual world millions of people can now attack you, and distance is not a factor. I suppose that could be considered progress!

Virtually safe and sound
In the real world, if you buy and fit the strongest lock available on the market it might make your building secure. However, every time you give another person a key, the strength of that lock is weakened, as you’re now reliant on each person’s sincerity and their ability to protect your key. The question is simple: how strong is the lock if everyone can open it?

The same is true for your virtual assets. Whether it’s the customer database, your research and development data or even the identity of your top performing sales person – if it has value to you, it deserves to be locked away.

Many organisations think that, by encrypting their data, they’re secure. However, and here we must dispel a security myth, unfortunately it’s not true. It comes back to the strongest lock scenario outlined previously. Encryption means nothing unless the keys remain protected and accessible only to those who should be able to decrypt and consume the data. Otherwise the data that companies believe is protected remains woefully exposed: whoever holds the key holds the plaintext.

To protect encryption keys, administrators must follow clear, well-documented processes that minimise the keys’ exposure. The sad truth is that most companies’ manual key management practices fail to measure up:

  • Keys have multiple access points
  • Keystore passwords are not changed regularly
  • The same password is used across multiple keystores
  • Private key(s) are manually shared between administrators and applications
  • Distribution policies are lax or unclear
  • Private keys and passwords are not changed when administrators leave the organisation
  • The sheer volume of keys leaves glaring gaps in coverage.

With so many points of exposure, dozens of people can access thousands of keys. Additionally, the typically high turnover of IT staff, far from reducing the risk of a compromise, actually magnifies it: every leaver who once held a key or keystore password is a key that should have been rotated.

Instead, organisations need to implement the sound encryption key management practices required to truly secure data. Using an automated, policy-based tool, you can then readily implement best practices such as separation of duties, regulated workflow, forensically durable logging, HSM integration, secure key distribution and regular key rotation.
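As an added example (not code from this article, nor from any product it alludes to), the following hypothetical in-process key service shows what several of the practices just listed look like when enforced by code rather than by a written procedure: envelope encryption, so that each object’s data key is wrapped under a versioned master key that never leaves the service; role checks that separate the administrator who rotates keys from the application that decrypts data; rotation that re-wraps data keys and destroys the old master key without re-encrypting bulk data; and a hash-chained audit log in which an entry cannot be edited after the fact without detection. All principal and role names are assumptions, the sample plaintext is constructed, and the HMAC-SHA256 keystream with encrypt-then-MAC stands in for AES-GCM so that the example runs on the Python standard library alone; in production the wrapping key would live in an HSM or cloud KMS.

```python
import hashlib
import hmac
import json
import secrets
import time

# Added illustration, not code from the article. Hypothetical in-process key service showing
# separation of duties, key rotation, tamper-evident logging and keys that never leave the
# service. The HMAC-SHA256 keystream + encrypt-then-MAC below stands in for AES-GCM.

def _subkey(key: bytes, purpose: bytes) -> bytes:
    return hmac.new(key, purpose, hashlib.sha256).digest()   # distinct enc and mac subkeys

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for i in range(0, len(data), 32):                          # counter-mode keystream blocks
        block = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC under separate subkeys)."""
    nonce = secrets.token_bytes(16)
    ct = _keystream_xor(_subkey(key, b"enc"), nonce, plaintext)
    return nonce + ct + hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext or wrapped key has been tampered with")
    return _keystream_xor(_subkey(key, b"enc"), nonce, ct)

# Separation of duties (assumed role names): the administrator who rotates master keys is
# never given plaintext, and the application that decrypts can never change keys.
ROLES = {"key-admin": {"rotate"}, "app": {"encrypt", "decrypt"}}

class KeyService:
    """Envelope encryption: per-object data key (DEK) wrapped under a versioned KEK held here."""

    def __init__(self):
        self._keks, self.current_version = {1: secrets.token_bytes(32)}, 1
        self.audit, self._chain = [], b"\x00" * 32           # (entry, chain hash) pairs

    def _log(self, principal, action, **detail):
        entry = {"ts": time.time(), "principal": principal, "action": action, **detail}
        self._chain = hashlib.sha256(self._chain + json.dumps(entry, sort_keys=True).encode()).digest()
        self.audit.append((entry, self._chain.hex()))        # hash chain makes edits detectable

    def _authorise(self, principal, role, action):
        if action not in ROLES.get(role, set()):
            self._log(principal, "denied", role=role, requested=action)
            raise PermissionError(f"{principal} ({role}) may not {action}")

    def encrypt(self, principal, role, plaintext: bytes) -> dict:
        self._authorise(principal, role, "encrypt")
        dek = secrets.token_bytes(32)                         # fresh DEK per object
        self._log(principal, "encrypt", kek_version=self.current_version)
        return {"kek_version": self.current_version,
                "wrapped_dek": seal(self._keks[self.current_version], dek).hex(),
                "ciphertext": seal(dek, plaintext).hex()}

    def decrypt(self, principal, role, envelope: dict) -> bytes:
        self._authorise(principal, role, "decrypt")
        dek = unseal(self._keks[envelope["kek_version"]], bytes.fromhex(envelope["wrapped_dek"]))
        self._log(principal, "decrypt", kek_version=envelope["kek_version"])
        return unseal(dek, bytes.fromhex(envelope["ciphertext"]))

    def rotate(self, principal, role, envelopes) -> int:
        """Mint a new KEK and re-wrap every DEK; the bulk ciphertext is left untouched."""
        self._authorise(principal, role, "rotate")
        retired, self.current_version = self.current_version, self.current_version + 1
        self._keks[self.current_version] = secrets.token_bytes(32)
        for env in envelopes:
            dek = unseal(self._keks[env["kek_version"]], bytes.fromhex(env["wrapped_dek"]))
            env["wrapped_dek"] = seal(self._keks[self.current_version], dek).hex()
            env["kek_version"] = self.current_version
        del self._keks[retired]          # destroy old key material once nothing depends on it
        self._log(principal, "rotate", retired=retired, new=self.current_version)
        return self.current_version

    def verify_audit(self) -> bool:
        """Recompute the hash chain; an edited or deleted entry breaks it."""
        h = b"\x00" * 32
        for entry, stored in self.audit:
            h = hashlib.sha256(h + json.dumps(entry, sort_keys=True).encode()).digest()
            if h.hex() != stored:
                return False
        return True

def demo() -> dict:
    """Run the service over constructed sample data and report each outcome."""
    kms, secret = KeyService(), b"customer-db export 2024-Q1"   # constructed plaintext
    env = kms.encrypt("billing-svc", "app", secret)
    out = {"round_trip": kms.decrypt("billing-svc", "app", env) == secret}
    try:                                  # the key administrator must be refused plaintext
        kms.decrypt("alice", "key-admin", env)
        out["admin_denied"] = False
    except PermissionError:
        out["admin_denied"] = True
    out["new_version"] = kms.rotate("alice", "key-admin", [env])
    out["decrypts_after_rotation"] = kms.decrypt("billing-svc", "app", env) == secret
    out["audit_intact"] = kms.verify_audit()
    kms.audit[1][0]["principal"] = "mallory"   # simulate editing a log entry after the fact
    out["tamper_detected"] = not kms.verify_audit()
    return out
```

Calling demo() walks through the whole lifecycle: encrypt, decrypt, a refused decrypt by the key administrator, rotation to KEK version 2 after which the same envelope still decrypts, and an audit log that verifies until one entry is altered. The del of the retired KEK is the answer to the leaver problem in the list above: once rotation has re-wrapped every data key, the old master key is destroyed rather than left lying around for a departed administrator to use.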

With encryption keys’ exposure minimised, controlled and audited, companies can be confident that their encryption assets deliver the promised security and truly protect vital data.

While Sir Isaac Newton might have a different take on the laws of physics were he alive today, I’m sure security would factor heavily in his theories.