In working with a customer on their security program, they asked us about encryption best practices. We determined that the customer wanted to know what to encrypt and when to apply encryption. As we batted the question around our CTO, Ricardo, asked an interesting question. “Does the reward balance the effort?”
Most of this customer’s workloads are already in the cloud. On-premises workloads require a VPN for access. So, that is all good. But what about laptops?
An encryption best practice would say that all customer data should be encrypted. Makes sense. But we can peel back the layers to the question and decide if encrypting the laptops is a worthwhile project.
Is the Data on the Laptop?
Our first stop in this peeling back is to confirm that there is customer data stored on the laptop. Not many years ago, we would have concluded that there would absolutely be customer data stored on the laptop. However, the more recent trend has been to steer users toward storing data in the cloud. For instance, many organizations have transitioned from mapped drives on a local file server to drives mapped to OneDrive. So, it is worth confirming that users are storing any organizational content on their laptops. (I find it ironic that over time, as computer hard drives have become ever larger for ever less cost, we seem to be storing less and less on them. If it were not for photos of my dog, I am not sure what I would have on my laptop hard drive.)
Is the Laptop Already Compromised?
I was originally in favor of encrypting the laptops as a defense against ransomware. However, we must understand the ransomware attack chain (thought I would throw in a fancy term there) to decide if this would be a good encryption best practice or not. Here are some ransomware scenarios to consider.
- The ransomware attacker compromises the laptop and steals the content. Or (and this is not ransomware) someone steals the laptop and tries to access the computer’s drive. They just get an encrypted drive, right? And if it was a ransomware hacker that obtained the drive, encryption renders useless the threat to release your data into the public realm unless you pay a ransom, right? Well… maybe. Read on.
- The ransomware attacker obtains the user’s account credentials (username and password). They use these credentials to access your laptop and its data. Does encryption help here? Probably not. After all, unless authentication includes something biometric (fingerprint, retina scan) how would the computer know that this is not the legitimate user? It would think the user is legitimate and unlock the drive.
To put a fine point on this, you cannot presume that if the laptop has not been hit with a ransomware attack, then it must be secure. Remember that hackers can deposit their ransomware payload and let it sit there undisturbed for a long time.
So, a better encryption best practice might be to encrypt the laptop when you first purchase it. Presumably, the laptop has not ventured into “the wild” yet and is still secure.
Start with Identity and Access Management
What our exploration has so far pointed out is that focusing on encryption before identity and access management would be misguided. Microsoft has reported that they see 50 million Azure AD password attacks daily. The hackers must know something, right? I am not saying you do not need to protect your organization’s devices. I am saying that your first priority is to get your identity and access management security in order.
- Implement MFA! Make the second factor security option the authorization app and not an SMS.
- Implement some conditional access policies. Put in some basic policies (for instance, warn people before they store content in an unauthorized location). Test some more restrictive policies and implement them if the policies do not create false positives.
Yes, follow encryption best practices. Just recall that the Zero Trust security model describes security practices at each layer. Encryption is one of the practices, but there are others as well.
Remember also, if I need to say it again, that there is no one tool or practice you need to apply to achieve a desired level of security. There are many. More work, for sure. But also, more control over the level of security you implement for your organization.
What, then, would I say is an encryption best practice? To get your identity and access management security in place.