Prime Factors Blog

Data Breaches Will Happen -- The Staples Data Breach as a Case Example

Posted by Jeff Cherrington on Nov 18, 2014 9:13:00 PM

I originally started to title this post "Oops, They Did It Again...", having sort of a bad Britney Spears flashback.  Thankfully, good judgment prevailed and the title ended up something less pop and more practical.  Still, it's hard not to think that way -- Staples acknowledges they are investigating a data breach that appears to have compromised payment card details.  This is only the latest in a long and growing list:

  • January:  Target, Neiman Marcus, Michaels
  • April: Aaron Brothers (a subsidiary of Michaels)
  • June: P.F. Chang's
  • August:  UPS Stores
  • September:  Home Depot, Goodwill Industries, SuperValu
  • October:  Dairy Queen

...and now the Staples data breach.  And these are only the breaches from this far into 2014.  While details of the breaches will be buried for years behind disclosure firewalls while investigation and litigation run their courses, the publicly available evidence is that the attack vectors are similar and the technology used comes from the same base code.

In at least two instances (and likely more), the attacks originate through the compromise of third-party vendor or supplier credentials.  Once inside the logical perimeter, it seems that variations on a base POS-corrupting malware are used to siphon away payment card details.  We have to conclude there is some degree of organization behind this -- a predictable outcome based on the economics of supply & demand.  As criminals succeed, more payment details become available for sale, driving the unit price downward and motivating the criminals to obtain bigger collections of details to maintain a target level of income.  Getting these larger lots requires more sophistication, personnel, coordination, and technology -- decades from now this will be the fodder for gangster movies just as Prohibition was for movies I grew up watching.


To my eye, it really boils down to the real-world impacts of complexity theory (for fun, also see this clip of Jeff Goldblum explaining chaos theory to Laura Dern in the original Jurassic Park).  For large-scale, geographically dispersed organizations that rely on technology, there can be no practical expectation that their systems will not be penetrated from time to time.  The number of applications and versions of applications any one enterprise may use is so large that there can be no prediction about when or where a breach will occur, only that it will.  The perimeters are exposed and intentionally porous, because enterprises want the frictionless electronic interaction with customers, vendors, and other partners.  Just like a dike, every perimeter will, eventually, spring leaks and some of the content contained will escape.

This is not a gloom post, though, because the metaphor of a dike points out how these large retail perimeter breaches have to be managed.  Approaches have to change to account for the inevitability of breaches while minimizing the damage any one breach event can cause.  Two decades ago the data protection metaphor was a bagel -- hard on the outside, soft in the middle -- make getting inside the logical perimeter hard but leave access to data easy once in.  This was fine before instant IP connectivity between systems was the expectation.  That changed a decade or so ago, as interconnectivity increased quickly, changing the data protection metaphor to "Let the Right One In".  [I really love that movie.  OK, so there is a pop culture tone to this post.  Sue me.]  Focus has been on authentication and authorization of access to enterprise systems and we are seeing the inevitable result:  one weak link in the chain, one third-party vendor who uses a weak password or carelessly shares their credentials, can have a huge effect.  It's the whole Goldblum-Laura Dern thing, except it's not butterfly wings in China and rain in Central Park.  Instead, it's one weak password and tens of millions of details compromised.

A new metaphor is needed for this new circumstance, one that anticipates the occurrence of breaches by limiting the amount of compromise that any one breach can achieve: an approach that layers protection, much as the Dutch built interlocking dikes, drainage ditches, and water pumps that, together, had enough integrity to hold back all the implacable weight of the North Sea.  (I tried, but came up completely blank on a pop culture reference here, outside of the 1950s travelogue films the social studies teachers showed at school.  Anyone have a better one?  Bueller?  Bueller?)

One component of this strategy has to be the encryption of sensitive data away from the rest of the non-sensitive infrastructure, just as the Dutch dikes protected the lowlands while they left waterways open for shipping.  Encryption can be an important part of a practical solution only so long as the decryption keys are completely protected, and isolated from the risk of any data breach.  As the Dutch found, it is much easier to focus on protecting a small patch at a time -- in this case, a hardened decryption key repository -- instead of trying to drain the Zuiderzee all at once.

Click here for additional thoughts on why an enterprise might need an enterprise cryptographic key management system.

To evaluate the EncryptRIGHT platform and its hardened enterprise cryptographic key protection capabilities, click on the button below.

Request a Free Evaluation of EncryptRIGHT