Stop Navel Gazing at Encryption

F5 Ecosystem | April 29, 2019

We are so enthralled by our own brilliance in cryptography that we forget that most data at rest - tucked away inside databases - is unencrypted.

Case in point, a Skyhigh analysis of encryption controls found that 81.8% of cloud service providers encrypt data in transit using SSL or TLS but only 9.4% of providers encrypt data once it’s stored at rest in the cloud. That makes the growing number of organizations found to be offering unfettered access to cloud databases and AWS S3 storage buckets a nightmare waiting to happen.

"Today's cyberdefenses rely heavily on the fact that it would take even the most powerful classical supercomputers almost unimaginable amounts of time to unravel the cryptographic algorithms that protect our data, computer networks, and other digital systems."
Source: https://it.slashdot.org/story/18/12/05/2342226/quantum-computers-pose-a-security-threat-that-were-still-totally-unprepared-for

This statement is inarguably true. The problem is that cryptography doesn't completely protect our data, computer networks, and other digital systems. It protects data in flight and, if we're lucky, at rest. It augments access control for critical systems. But the reality is that in order for the "networks" and the "systems" to process data and execute logic, they must be able to view data in plain, naked text. Organizations face a bigger risk from unprotected and unpatched applications than they do from digital peeping Toms.

This is ultimately why breaches continue to occur at increasing rates. Not because the data isn't encrypted in flight or at rest, but because applications and APIs can't process the data in its encrypted form. It must be unencrypted, at which point it is vulnerable to exposure. And vulnerabilities attract attackers.

The applications and APIs which interact with and operate on that unencrypted data are a more significant threat to the security and privacy of data than the threat of cracking quantum-based cryptography. That's one of the reasons they are so frequently targeted. In an F5 Labs analysis across a decade of breaches, "applications were the initial targets in 53% of breaches." Not only are they the easiest route to data, they're one of the only places left in the increasingly encrypted data path where data is unencrypted and readily usable by those seeking it.

We are nearly numb to breaches today because they happen with such alarming frequency that it is normal to see news of millions of records ripped from some database through an application. This is in spite of efforts to force us to use encryption - to use HTTPS instead of HTTP. This is in spite of browsers enforcing cryptographic standards on the algorithms and key lengths used to encrypt data from "prying" eyes.

If today's "cyberdefenses" truly do rely heavily on the strength of cryptography, then we are truly in trouble. Because it is not the strength of cryptography alone that prevents the breaches and exfiltration of data that plague our newsfeeds and clog our inboxes. It is the strength - and increasingly, the intelligence - with which we can recognize and prevent an attack that leads to the loss of data.

Encrypted malicious code is still malicious. Encrypted stolen credentials stuffed into application authentication systems are still stolen credentials. Eliminating middleboxes doesn't eliminate the threat of a vulnerable web or application server executing an exploit to gain access to valuable, naked data.

It isn't enough to gaze lovingly at our ability to strengthen encryption if it carries the attacks that threaten exploitation of applications and APIs straight into the heart of our digital economy. Protecting our digital assets (applications) and the channels through which they are accessed (APIs) requires a more holistic approach to application protection that combines intelligence, identity, and detection of attacks in addition to strong cryptography.
