Information Security’s Best Kept Secret
This is a tough time of year to find encouraging news about information security. The end-of-year technology reports will no doubt spend a fair amount of time on data breaches, which are never good news. But a look at the trends and patterns this year may show some early signs of progress. The Identity Theft Resource Center’s 2016 Data Breach statistics as of October 14, 2016 show that even though the number of breaches with confirmed record exposure is rising, the number of exposed records is surprisingly low. ITRC is reporting “only” about 29 million records exposed so far this year, versus about 177 million in all of 2015 and about 675 million in 2014. So, it is possible that organizations are doing a better job of keeping their data secure even if they are breached.
As Verizon’s 2016 Data Breach Investigations Report points out, “no locale, industry or organization is bulletproof.” There will be data breaches in 2017, in spite of an organization’s best efforts to prevent intrusion to their networks. But extensive use of encryption or tokenization can mitigate the financial loss of a breach.
Encryption is more valuable than you might think. Many people and organizations dislike using encryption, because it seems too expensive and time consuming to be worthwhile. In fact, many organizations only encrypt their data for compliance reasons. But as information systems and threats evolve, encryption provides more value than ever. Network perimeters have expanded; information is flowing in and out of cloud storage through mobile devices and across enterprise server networks. Access control is more difficult, and the number of data breaches is steadily rising. Encrypting or tokenizing data is the best way to limit the effects of data breaches, and preserve a company’s reputation and business in the face of persistent attacks.
Cost of Data Breaches
In their 2016 Cost of Data Breach Study, the Ponemon Institute examined the costs of data breaches at 383 companies in 12 different countries, and estimated the average cost to be $4 million, a 15% increase over the $3.5 million reported in 2013. The costs vary widely from country to country, from a high of $7.01 million in the United States to a low of $1.6 million in India. The cost of data breaches also varies widely from industry to industry; the average cost per stolen record ranges from $335 for healthcare records, to $80 for public sector data. Surprisingly, finance is only in third place with a cost per record stolen of $221.
The costs can be broken down into direct and indirect costs. Direct costs include investigations and forensics analysis, auditing and legal services, and identifying, notifying, and compensating victims. These are comparatively straightforward. Indirect costs, which include reputational damage and loss of business, as well as opportunity costs to the organization’s customers, are harder to quantify. According to the Ponemon study, this indirect opportunity cost to the organization is the biggest component of the total cost of a breach for most organizations. Indirect costs to US organizations, for example, were 57% of the total cost.
The overall indirect costs may be even higher. A study commissioned by the UK Ministry of Defence in 2012 (Anderson et al., cited below) concluded that indirect costs of payment fraud accounted for about 75% of the total costs. This study used a broader definition of indirect costs that included reduced use of online services, reduced electronic transaction fees, and the higher cost of in-person transactions compared to online transactions. It estimated the indirect costs of UK payment fraud at $2,300 million and the direct costs at $768 million. For comparison, Ponemon calculated indirect costs in the UK as 47% of total costs in its 2011 Cost of Data Breach in the UK study.
Although the estimates vary with the study methodology, the bottom line does not change: organizations in highly regulated industries are at risk of incurring substantial costs from reputation damage and lost business in the event of a successful data breach.
Avenues of Attack
Attacks can come from external actors or from malevolent insiders. Estimates of the percentage of attacks from external actors vary rather widely. Verizon’s report states that 80% of breaches are the work of outsiders, Ponemon estimates 48%, and IBM’s 2016 Cyber Security Intelligence Index puts it at 40%. The one thing they all agree on is that organizations have to defend against both external and internal threats. Most organizations, particularly those in highly regulated industries, such as finance and healthcare, have invested in perimeter-style security solutions; and yet they still suffer data breaches. The perimeter defenses do not prevent all external attacks, and do little to protect against malicious insiders.
Data-centric Security & Encryption Limit the Consequences of a Breach
In addition to perimeter defenses, organizations need to consider adopting a data-centric, layered approach to security which includes encryption or tokenization of sensitive data. The cost-benefit analysis performed by Kevin Soo Hoo at Stanford in 2000 suggests that encryption may provide the highest value of any security investment. Other measures, such as firewalls, anti-virus software and intrusion detection, may reduce the probability of a breach, but they cannot prevent every breach. Encryption is the only measure Soo Hoo studied that actually limited the consequences of a data breach once it had occurred. The most recent Ponemon and Verizon studies agree that extensive use of encryption reduces data breach costs: Ponemon estimates it reduces cost by $13 per record, and Verizon estimates that encryption technologies have a 21% ROI.
Experts may disagree on what percentage of data breaches come from insiders or external actors, but extensive use of encryption can help limit the damage, regardless of where the breach originates. Encryption addresses the security threat organizations need to worry about the most.
Encrypting or tokenizing data has two immediate advantages: it can reduce compliance costs by limiting audit scope, and it may exempt an organization from publicly disclosing a breach if the exposed data was properly encrypted or tokenized. Many breach-notification regimes include such a safe harbor for encrypted data, but it generally applies only if the keys were not also compromised, which makes key management part of the compliance story. Extensive use of encryption or tokenization is the one strategy most likely to reduce the reputation damage and consequent loss of business that dominate the cost of data breaches.
Data-centric security solutions, such as HPE SecureData and XYPRO Data Protection (XDP), can protect sensitive data by encrypting or tokenizing it the moment it is acquired and ensuring that the protection continues wherever the data is stored, transferred, or used. HPE SecureData supports diverse platforms, works with a wide variety of databases and is extensively deployed. XDP optimizes HPE SecureData for NonStop servers.
The Difference Maker: Encryption vs. Layered Point Solutions
To illustrate the difference between data-centric encryption, and the layered point solutions offered by other security tools, we can look at the layered stack models commonly used to describe data networks and data storage systems.
Storage systems can be modeled as a five-level stack: Application, Middleware, Databases, File Systems, and Storage. As shown in Figure 1, there are point solutions to provide security at each level. Disk encryption, for example, encrypts data as it is written to the disk and decrypts it as it is read. It only protects the data at rest on the disk; anything that reads the data through the file system, including an attacker with a valid login or a compromised process, receives plaintext. Database encryption protects data at the database layer and the layers below it, but not in the middleware or application layers above it.
Figure 2 shows examples of point solutions that can protect data as it is transferred over computer networks. This model uses the TCP/IP protocol stack defined in RFC 1122 and RFC 1123. The stack comprises four layers: Application, Transport, IP and Network Access, as shown in Figure 2. As the arrows in Figure 2 suggest, information is only passed between adjacent layers of the TCP/IP stack. A process running at the Transport layer can pass information to a process running one layer away at the IP layer, but not to one running two layers away at the Network Access layer.
Encryption can likewise be applied at different levels of the TCP/IP stack. TLS, for example, operates between the Application layer and the Transport layer. IPsec operates at the IP layer. Link encryptors encrypt at the Network Access layer. There are good reasons to encrypt at each of these places, but encryption applied at a given layer only protects against threats that target that layer or the layers below it.
If you use TLS to encrypt data between the Transport and Application layers, the TLS encryption will protect against attacks that target the Transport layer, the IP layer and the Network Access layer, but it will not protect against attacks that target processes running at the Application layer. Once data that was encrypted using TLS is passed up the stack to the Application layer, it is plaintext again and the TLS encryption is no longer protecting it.
The key advantage to the data-centric encryption provided by HPE SecureData and XDP is that it is applied at the application layer. It protects against attacks that target every lower layer of the network stack or storage stack.
Application-Level Security: Protection at Every Level
HPE SecureData and XDP use Format-Preserving Encryption (FPE) and Secure Stateless Tokenization (SST) to implement protection at the application layer without changing the data's format or requiring changes to the application's source code. Because a 16-digit card number encrypts to another 16-digit string, existing database schemas, validation rules and downstream programs continue to work on the protected value. This transparent application-level security uses a library to intercept the application's I/O calls and selectively encrypts and decrypts specified fields as necessary. The data is encrypted before it is written and decrypted only as it arrives at the application, so it is protected at every level below the application layer. What remains exposed is the application itself and the keys it can reach: any code or user with the right to call the decrypt function sees plaintext, so access control on that function and on key management is what the rest of the scheme rests on. By tokenizing or encrypting all sensitive data, and thereby rendering it valueless to an attacker who obtains it without the keys, XDP can significantly reduce data breach damages.
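To make the format-preserving, field-level idea concrete, the following is an added example and not code from HPE SecureData, XDP or Voltage, nor an implementation of the FF1 standard: it is a Feistel-network FPE in the style of NIST SP 800-38G FF1 with HMAC-SHA256 standing in for the AES-based round function so that it runs with the Python standard library alone. The key, the record layout, the field names and the PAN and SSN values are constructed for the illustration. It shows the property the passage relies on: a 16-digit PAN encrypts to a different 16-digit string over the same alphabet, non-sensitive fields pass through untouched, and only a caller holding the key can reveal the original.

```python
"""Added example: application-layer, format-preserving field encryption.

Feistel FPE in the style of NIST SP 800-38G FF1, using HMAC-SHA256 as the
round function instead of AES CBC-MAC so it needs only the standard library.
This is NOT the HPE SecureData/XDP algorithm and NOT the FF1 standard; it only
illustrates the format-preserving property. Key, record and field names are
constructed for the example.
"""
import hashlib
import hmac

ROUNDS = 10          # FF1 also uses 10 rounds; keep it even so the halves line up
DIGITS = "0123456789"


def _to_int(s, alphabet):
    """Read s as a big-endian number in base len(alphabet)."""
    n = 0
    for ch in s:
        n = n * len(alphabet) + alphabet.index(ch)
    return n


def _to_str(n, length, alphabet):
    """Inverse of _to_int, left-padded with alphabet[0] to exactly `length` symbols."""
    out = []
    for _ in range(length):
        n, r = divmod(n, len(alphabet))
        out.append(alphabet[r])
    return "".join(reversed(out))


def _round_fn(key, tweak, n, i, half):
    """Keyed round function; binds the tweak, total length and round index to one half."""
    msg = tweak + n.to_bytes(2, "big") + bytes([i]) + half.encode("ascii")
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big")


def fpe_encrypt(key, plaintext, tweak=b"", alphabet=DIGITS):
    """Encrypt plaintext to a string of the same length over the same alphabet."""
    if len(plaintext) < 2 or any(ch not in alphabet for ch in plaintext):
        raise ValueError("plaintext must be at least 2 symbols drawn from the alphabet")
    radix, n = len(alphabet), len(plaintext)
    u, v = n // 2, n - n // 2
    a, b = plaintext[:u], plaintext[u:]
    for i in range(ROUNDS):
        m = u if i % 2 == 0 else v                   # length of the half being replaced
        y = _round_fn(key, tweak, n, i, b)
        c = (_to_int(a, alphabet) + y) % radix ** m
        a, b = b, _to_str(c, m, alphabet)
    return a + b


def fpe_decrypt(key, ciphertext, tweak=b"", alphabet=DIGITS):
    """Run the Feistel rounds backwards; same key, tweak and alphabet recover the plaintext."""
    radix, n = len(alphabet), len(ciphertext)
    u, v = n // 2, n - n // 2
    a, b = ciphertext[:u], ciphertext[u:]
    for i in reversed(range(ROUNDS)):
        m = u if i % 2 == 0 else v
        y = _round_fn(key, tweak, n, i, a)
        c = (_to_int(b, alphabet) - y) % radix ** m
        a, b = _to_str(c, m, alphabet), a
    return a + b


# --- field-level protection of a record, as a transparent library would apply it ---

SENSITIVE_FIELDS = ("pan", "ssn")      # assumption: these are the regulated fields


def protect_record(record, key, sensitive=SENSITIVE_FIELDS):
    """Encrypt only the sensitive fields. The field name is the (public) tweak, so the
    same value stored in two columns yields two different ciphertexts. All other
    fields pass through unchanged, so the schema and downstream code need no change."""
    out = dict(record)
    for field in sensitive:
        out[field] = fpe_encrypt(key, record[field], tweak=field.encode())
    return out


def reveal_record(record, key, sensitive=SENSITIVE_FIELDS):
    """Decrypt the sensitive fields; only a caller holding the key can do this."""
    out = dict(record)
    for field in sensitive:
        out[field] = fpe_decrypt(key, record[field], tweak=field.encode())
    return out


# Constructed sample data (not a real card number or SSN); in practice the key
# comes from a key manager, never from source code.
KEY = b"example-key-use-a-KMS-managed-key-in-practice"
SAMPLE_RECORD = {"customer_id": 1042, "name": "A. Customer",
                 "pan": "4111111111111111", "ssn": "123456789"}

if __name__ == "__main__":
    protected = protect_record(SAMPLE_RECORD, KEY)
    print("stored  :", protected)       # same lengths, all digits, no plaintext PAN or SSN
    print("revealed:", reveal_record(protected, KEY) == SAMPLE_RECORD)
```

Two design points carry over to any real deployment. FPE is deterministic: the same value under the same key and tweak always produces the same ciphertext, which is what lets the protected value still be used as a join or lookup key but also means equality of plaintexts is visible, so the tweak should carry whatever public context (column name, tenant, record type) you want the ciphertext bound to. And, as the passage notes, the protection ends at `reveal_record`: whoever can call it with the key sees plaintext, so that call path, not the cipher, is where access control and audit logging belong.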
Conclusion: Limiting the Damage Potential is Your Best Defense
The bottom line is that the number of data breaches is rising; perimeter defenses cannot prevent all attacks. Breaches appear inevitable, particularly in the healthcare and financial industries, which incur the highest costs from breaches. The good news is that data-centric security protects sensitive data from both malicious insiders and attackers that have evaded the perimeter defenses. HPE NonStop systems support critical processes in the industries that are paying the most for data breaches. XDP data-centric security, optimized for the NonStop environment is the best way to limit the damage. Encryption and tokenization are a better value than most people think.
 Anderson, Ross, Chris Barton, Rainer Böhme, Richard Clayton, Michel JG Van Eeten, Michael Levi, Tyler Moore, and Stefan Savage. “Measuring the cost of cybercrime.” In The economics of information security and privacy, pp. 265-300. Springer Berlin Heidelberg, 2013.
 This study does not estimate the total costs of data breaches in the UK; it surveys a sample of organizations and calculates the average cost of the data breaches those organizations experienced in 2011. As costs vary depending on the size of the breach, Ponemon reports the average cost per record exposed in a breach.
 Hoo, Kevin J. Soo. How much is enough? A risk management approach to computer security. Stanford, Calif: Stanford University, 2000.