Jean-Charles Barbou, PGP: Don’t mistake authentication and access controls for data protection
April 2009 by Jean-Charles Barbou, PGP
For far too long, there has been a general misunderstanding about the role of authentication and access controls in data protection. The confusion was born of a shifting threat model, in which the places data is most likely to leak keep changing, and it has been perpetuated by the lack of application-level data encryption features in enterprise software. Software vendors asked which features keep data safe often fall back on authentication and access controls, creating confusion about how to build a safe environment for corporate data.
Authentication and access controls serve an important role in the security model, but it is important to define that role clearly, along with the limits of their use. Authentication is the process of establishing proof that a given identity matches the entity it claims to be. This is done by vetting the user’s credentials through an authentication method, whether a password, strong authentication or another related technology. Once identity has been proven through authentication, access controls determine which resources the entity may use.
Based on this description alone, it does sound like a form of data protection, because only the proper user can reach certain data. One must note, however, that authentication and access controls are only effective for data accessed through the front door of the application. Their limitation is that IT managers must also give due consideration to all of the other paths by which data flows, above and beyond that front door.
Consider the role of the system administrator. The system administrator is responsible for keeping the application running, and holds superuser privileges that bypass the access controls that exist to protect data. Thus the administrator has the ability, but not the right, to view nearly all unencrypted information passing through the system. To maintain a proper separation of duties, administrators should be able to perform their work without seeing the data within, and the right way to achieve this is to encrypt the data.
Another point to consider is that the threat model for data loss continues to evolve, as attackers find new ways to steal large volumes of data. Consider the recent Heartland data loss incident (1), in which network sniffers delivered through malware were used to steal unencrypted credit card numbers off unencrypted network segments. Such methods defeat authentication by going through the back door to reach sensitive data, so it is important to keep information encrypted, ensuring that it is delivered safely from one point to the other regardless of how secure the network medium it traverses may be.
Modern application deployments have broken down the traditional perimeter security models that protected data in the past. Think of the growing number of applications run through managed services, hosted services, or even as Software as a Service (SaaS). These applications place sensitive corporate data on networks, storage and backup tapes completely outside the company’s control. In the interests of both the corporation and the third party providing the service, maintaining data privacy is critical, and that is best served through encryption. By keeping the management of the application separate from the management of the encryption keys, the third-party service provider can continue to run the application without any ability to access the information within.
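The separation described in the last two paragraphs (an administrator or hosting provider who can read raw storage, but holds no key) can be shown in a few lines. This is an added example, not code from the article or from PGP; the cipher inside it is a demonstration construction built from HMAC-SHA256 because the Python standard library ships no AEAD, and a real deployment would use a vetted cipher such as AES-GCM. The record values are constructed samples.

```python
import hashlib
import hmac
import os

# Demonstration cipher: HMAC-SHA256 keystream in counter mode, encrypt-then-MAC.
# Stand-in for a real AEAD (e.g. AES-GCM); illustrative only, not for production.
def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key, plaintext):
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered record")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

class HostedApplicationStore:
    """Storage run by the service provider: it holds only what it is given."""
    def __init__(self):
        self.rows = {}
    def put(self, row_id, blob):
        self.rows[row_id] = blob
    def get(self, row_id):
        return self.rows[row_id]
    def admin_dump(self):
        # Superuser path: bypasses the application's access controls entirely.
        return list(self.rows.values())

# The data owner keeps the key; the application host never receives it.
def owner_store(store, owner_key, row_id, plaintext):
    store.put(row_id, encrypt(owner_key, plaintext))

def owner_read(store, owner_key, row_id):
    return decrypt(owner_key, store.get(row_id))

def admin_sees_plaintext(store, plaintext):
    # What a superuser reading raw storage can learn: does any row expose it?
    return any(plaintext in blob for blob in store.admin_dump())
```

Because the provider's administrator has the whole store but not the key, `admin_sees_plaintext` is false even with full read access, while `owner_read` with the wrong key fails the tag check instead of returning garbage.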
One more consideration is that data lives beyond the application that produced it. Email, for example, is an application that generates large volumes of sensitive data. Yet email lives on the server only part of the time – most modern enterprise email systems deliver messages to a variety of clients, such as laptops, desktops and mobile devices. Without encryption of the data (either of the email itself or of the device on which it resides), stealing the device easily defeats any protection afforded by the authentication and access controls of the email server. Encrypting data renders it useless to a thief, whether it was stolen in storage or in transit.
Organizations concerned about data protection must give due consideration to encryption. Encryption is the last resort and the most sensible method for keeping data safe, even when traditional perimeter security, authentication and access controls fail. Instead of adding encryption as an afterthought to existing security measures, modern IT organizations should flip the order around: defend the data at the core first and foremost, and layer additional security methods on top as needs dictate.