The PreVeil Manifesto
A new approach to information security
Most business communication contains sensitive information, yet despite massive losses to cyber-thieves, very little of this communication is secured because current approaches aren’t good enough.
A new paradigm is needed, based on 3 key principles:
- End-to-end encryption with no compromises
- No central point of attack
- Ease of use
Security today isn’t good enough. Despite significant investments in security technology and processes, attackers still gain access to protected data on a regular basis. In response IT has built higher and higher walls around the places where data lives – whether in a data center or in the cloud, but attacks persist.
The cloud is great, but it’s also a target. Mass migration to cloud computing has improved scalability, lowered costs, and freed IT from having to manage the application environment. However, the more data is stored on the cloud, the more the cloud becomes a target for attackers, and the more risky it becomes to store sensitive data there.
BYOD makes users’ devices a target as well. Users need their data to be available on all of their devices at any given moment because the pace of business today requires it. But from a security standpoint, the greater number of devices there are to manage, the greater the risk of attack.
A Better Approach
Uncompromising end-to-end encryption. You can’t hack gibberish. Every message, chat, and document should be encrypted with its own unique key and only decrypted on the intended user’s device. This way, an attacker focusing on a data center or cloud services provider will get nothing but encrypted data, which looks like gibberish when viewed.
Data is never decrypted in the cloud. Cloud Providers trumpet two security solutions: “encryption-in-transit,” in which data is encrypted in a secure tunnel between the device and the server; and “encryption-at-rest”, in which data is encrypted on the server’s disk. But Cloud Providers do not address the hole in between: encryption-in-use. In all of their services, the server has the ability to see unencrypted user data. If the server can see the raw data, then an attack on the server has the potential to expose everything the server contains.
Centralization creates exposure. If an attack on a single server or network device yields vast quantities of valuable information, one can be sure the attackers will target this central point of failure. Additionally, administrators can become an attractive target because of their privileged access credentials. If an attacker can breach just one administrator, everything in the enterprise can be compromised.
A better approach is to distribute trust amongst the administrative team instead of entrusting a single administrator with privileged access. Some organizations require specific approval processes before a single administrator can access sensitive information. The key is to use cryptographic techniques to validate this trust, rather than relying on business logic on the server which can be attacked.
If it’s not easy to use, it shouldn’t be deployed. Security versus ease-of-use is a false dichotomy. If security is difficult to use, it simply won’t be used and this defeats security objectives in the first place. To be effective security must be as frictionless as possible.
No more passwords. Better security shouldn’t impose an additional burden of managing and updating passwords on the user. User passwords are often too easy to guess, or impossible to remember. A better approach is to rely on strong cryptographic keys that are automatically created and managed on the user’s device. It would take all the supercomputers on earth billions of years to guess a user’s key.
Logs should be as secure as the underlying data. Most business systems capture logs of activity. That way, any issues can be identified, traced, and diagnosed. But simply logging activities isn’t enough. Attackers can glean useful information from reading logs, and so they must also be encrypted end-to-end without hindering their search-ability. Logs should also be tamper-proof so that an attacker can’t fabricate entries or delete them to hide his tracks.