19 March 2014
When news about the Premera hack showed up in my mailbox this afternoon I was really amazed. The second time for this year a health insurance company was hit.
On skim reading the news about the Premera attack I wondered, when the magic word encryption would appear the first time. Finally I found this statement in Warwick Ashford’s post ‘Premera hack exposes 11 million financial and medical records’. Richard Blech, chief executive of security firm Secure Channels, said:
“With advanced and unhackable encryption, the hacker is left with a bunch of useless bits and bytes.”
Richard Blech talks about encryption at the application level. Application level encryption is not as useless as database level transparent encryption in the defense against attackers.
But even application level encryption is almost useless in the case of malicious insiders because, apart from the fact that they use stolen login data, they sign in to the company just like a normal employee. Therefore they are able to access even data which are encrypted on the application level, because they are authorized to do this.
In my opinion, to use advanced encryption as the core process of a protection strategy is as irresponsible as to use no encryption at all. Strict Identity and Access Management, combined with Two Factor Authorization for all employees, and regular security trainings create the first and second line of defense. Encryption is the last line of defense.