In-Depth

Q&A: New Technology For Encrypting Sensitive, Stored Data

New approaches make it easier than ever to add network-wide transparent data encryption

• By Mathew Schwartz
• 06/23/2004

In the past, securing data at rest was a technological challenge, if not a nightmare. New approaches, however, make it easier to add network-wide data encryption, and to audit access, while keeping access transparent to end users. To talk about securing all sensitive corporate data, and the regulations driving many companies to consider it, Security Strategies spoke with Bill Schroeder, president and CEO of Vormetric; his company makes CoreGuard encryption appliances and software.

What does CoreGuard do?

Three things: encrypt sensitive files, … offer fine-grain access control to all the customers’ files that he has stored in network storage … [and] we protect the applications and hosts that can access those files. So … you load us to those servers that have applications that can access sensitive data that you want to protect, and we’ll protect the application from Trojans, tampering, worms—even zero-day worms, and we’ll protect the host from being compromised. We’ll prevent bad guys or bad code from getting at your data, and if people go around the access control, they’ll see encrypted data.

How is it end-runners will only see data in encrypted form?

We encrypt the data in such a way—what we call MetaClear—that we only encrypt the payload, the actual file. So the file system metadata is in the clear, which allows sys admins and [IT managers] to get access to the data without having to read it. [It’s very similar] to the way the post office can get access to your address information without reading your mail.

What’s the mandate to encrypt all stored, sensitive data?

Almost all data today is stored in the clear, and it’s increasingly being stored in an architecture that is networked—SANS, NAS, Sun Systems, EMC, etc.—so this is a broad problem. And some of the regulations, going in, are broadly applicable. The Gramm-Leach-Bliley Act is obviously aimed at financial companies, but Sarbanes-Oxley is aimed at all public companies. So we think that in the long run—and I’m not sure what that is, probably five years—this is a technical solution that most large companies are going to be adopting.

What have companies been doing before?

I ask companies that, [and] the CIOs [too], and the answer is, well we’re as naked as the next guy. There hasn’t been a solution. It’s like the good news is, we all have this disease. So it’s a best practices issue in a sense where, if there is a technical issue out there, and everyone suffers from the same Achilles Heel, it’s hard for you to say someone’s a bad guy because everyone’s a bad guy.

What do businesses get from encrypting sensitive, stored data?

The business benefits a company is going to get from being able to protect that data stem from two major fronts: [first] customer trust and brand integrity is going to be eroded if a company has its data either deleted or stolen. Heretofore, companies have been able to sweep this information under the carpet, because there was no forcing function that made them report attack.

[Second,] compliance with new regulations being promulgated by the government, such as Sarbanes-Oxley, HIPAA, the Gramm-Leach-Bliley Act, and so on. …. Companies are being forced to protect their customers from the kinds of attacks that can happen on their data where identity theft is one of the primary objectives these days.

Who are early users?

High-technology, semiconductor designs, companies with source code to protect, media companies, pharmaceuticals, biotech companies …

What about healthcare?

Our assessment of healthcare is that this is an issue that needs to be dealt with , but that HIPAA is probably two to three years away from being enforced …. Healthcare doesn’t tend to be one of the [leading edge adopters].

Many companies guard against outsider attacks; what about insiders?

Studies have shown that the majority of attacks that damage your data start inside your company. The numbers are that 50 to 80 percent of attacks are by insiders. Who knows for certain, but they’re dangerous because they know which information to go after.

So our thinking is, the way you need to solve security is from the inside out—the same way a bank solves security. It starts with safety deposit boxes on out. It doesn’t erect a huge fence then let the money float around inside. You start with a vault on the inside, then work your way out.

As a consequence, we’ve started the technology of our company based on protecting what people really want to protect, which is their data and their applications, which are the applications and hosts they want to sit on, then we work our way out.

How does CoreGuard control access?

We … integrate tightly with LDAP, Active Directory, and other schemas companies already have put in place for managing permissions. We basically mine that information so that you can easily set up policies so what kinds of people, which groups can have access to this kind of data. So you can set up security permissions for an employee that hasn’t been hired yet, for data that hasn’t been collected yet.

Who controls data access permissions for this approach?

Our fundamental assumption is you have to have people involved, and you have to assume malicious intent. When auditors come to a bank, you have to assume malicious intent by employees … In laymen’s terms, you don’t want the cop and the judge to be the same person … [security is] easily compromised.

So… sys admins who manage the data cannot have access to the appliance, where the policies are created and managed and keys held, and the security administrator who manages our appliance need not have sys admin privileges. So the architecture of our product … lends itself to separation of duties, which is how you set up a system that is auditable, and clear … [to] protect yourself from malicious employees.

What kinds of attacks do you watch for?

We’ve developed a way to make sure rogue processes are not being used to destroy or steal data. A benefit from that is that any Trojan or worm that pops up is not going to be allowed to run, so it even works against zero-day worms and Trojans, because it’s not about us having to detect a signature of a known malicious exploit. Any exploit will be blocked because it doesn’t conform to the cryptographic fingerprint of what’s allowed to run on the server.

How many appliances do customers need?

The minimum would be two, because they’re redundant, in an active/active mode. Across a standard-size enterprise, we think it might be up to 20 different appliances, and the reason is you’d want them in different parts of the network … [in the event of] a site outage—earthquake, tornado … Our recommendation is you have multiple clusters of appliances [and again in different geographic locations], so that you’re protected in the event of a site outage.

How does all this appear to end users?

We’re installed in a way that’s transparent, so the applications above us don’t know we’re there, because we look like a file system, and the storage doesn’t know [either] …

For you specifically, you would just go and get it and you wouldn’t even know that we’d checked you out … and [we’ve also] done it in a way that you wouldn’t see any degradation in system performance, unless you were trying to get at a file that you weren’t supposed to, or you were a Trojan or virus.