{"id":37589,"date":"2022-08-16T12:04:13","date_gmt":"2022-08-16T16:04:13","guid":{"rendered":"https:\/\/centricconsulting.com\/?p=37589"},"modified":"2022-10-14T08:41:51","modified_gmt":"2022-10-14T12:41:51","slug":"end-to-end-encryption-and-its-role-in-zero-trust-architecture","status":"publish","type":"post","link":"https:\/\/centricconsulting.com\/blog\/end-to-end-encryption-and-its-role-in-zero-trust-architecture\/","title":{"rendered":"End-to-End Encryption and Its Role in Zero-Trust Architecture"},"content":{"rendered":"
<p>People love their Ring doorbells, and with good reason \u2014 the popular internet of things (IoT) device allows you to see who is on your porch and communicate with them in real time from your phone or other devices.<\/p>\n
<p>But until recently, Ring systems had a vulnerability. Bad actors could physically break into the device, mounted outside the home with just two screws, and steal your home\u2019s Wi-Fi network password. That gave them the keys to your virtual kingdom. <strong>In fact, data thieves could even capture your network password without breaking into the device itself.<\/strong><\/p>\n <p>That\u2019s because when the doorbell first connected to your home Wi-Fi, it opened a temporary setup access point and sent your network credentials to the device over plain, unencrypted HTTP rather than HTTPS, so anyone nearby listening to that traffic could read them. In addition to stolen network keys, stories have circulated of troublemakers stealing videos from people\u2019s Rings, inserting false people into their Ring videos, and other mischief.<\/p>\n <p>What went wrong? While the Ring system and its predecessor, DoorBot, encrypted the video collected by the doorbell\u2019s camera (its data) both in its storage location and as it moved within your home network, it had not protected the data while in use (while you watched the video).<\/p>\n <p><strong>Ring solved the problem by locking down data from start to finish with end-to-end encryption (E2EE).<\/strong> However, criminals exploit similar open doors every day.<\/p>\n <p>Think of data flow like your mail: Your friend drops a sealed letter into a mailbox, which only the postal service can access. Then you both trust the postal service to carry that mail securely to its destination \u2013 your mailbox. But what happens once it\u2019s in your mailbox ready for you to read? Unless your mailbox requires a key, it\u2019s vulnerable to theft or abuse.<\/p>\n <p>Data, like your mail, needs protection at every point, whether at rest (in the post office box), in transit (on the truck), or in use (while you are reading it). <strong>Like protecting online identities, endpoints and apps, E2EE is essential for protecting your or your company\u2019s data.<\/strong><\/p>\n <p>The good news? There are tools available to help at all three stages. The bad news? 
Most people only think of data security in terms of storage (at rest) or movement within a network (in transit), forgetting about the exposure that exists while data is in use.<\/p>\n <p>This post in our Zero-Trust Architecture series will look at the products and techniques that can protect your data at all times, wherever it is.<\/p>\n <h2>Thinking Beyond Data at Rest and Data in Transit to Data in Use<\/h2>\n <h3>Data at Rest<\/h3>\n <p>Various technologies can act like a secure envelope around stored data. Typically, they use a form of transparent data encryption (TDE). TDE encrypts the data and log files with a database encryption key (DEK); the DEK is itself encrypted by a certificate (or by an asymmetric key held in an external key manager), so the key that unlocks the files is never stored beside them in the clear. <strong>Microsoft 365 Purview provides this level of protection for your data at rest.<\/strong><\/p>\n <p>You can apply even more security to personally identifiable information (PII) and personal or protected health information (PHI). You can base this additional protection on other factors, such as the endpoint you\u2019re using or its geographic location.<\/p>\n <h3>Data in Transit<\/h3>\n <p>Most people are familiar with in-transit data protection. Tools such as Transport Layer Security (TLS) and its handshake, X.509 (SSL\/TLS) certificates, the Advanced Encryption Standard (AES) ciphers that TLS and SFTP negotiate, the SSH File Transfer Protocol (SFTP) and one-time passwords (OTP) for authenticating the parties have been around for a while. In addition, Microsoft Outlook users may recognize Office 365 Message Encryption (OME).<\/p>\n <p>Despite the flurry of abbreviations, these tools perform a similar task: acting like that secure mail truck when data is moving from one place to another. <strong>However, they all rely on solid identity and data governance.<\/strong> For example, you should require expiration dates on OTPs and on external sharing links so that recipients can only access the data for the time needed.<\/p>\n <h3>Data in Use<\/h3>\n <p>Protecting data while it is in use, residing in RAM or being used in computations, is the final point of end-to-end encryption. One tool is the trusted execution environment (TEE). <strong>The TEE is an isolated, hardware-protected region of your computer\u2019s main processor that shields data in use from other software on the machine, including privileged software, and you can strengthen it with software that restricts which code may run inside it, for an individual user or at higher privilege levels.<\/strong><\/p>\n <p>Other in-use protections in the world of \u201cconfidential computing\u201d are still emerging. One is homomorphic encryption (HE). It allows computations to be performed on encrypted data without decrypting it first; decrypting the result gives the same answer as computing on the plaintext would have. HE has promise in fields such as healthcare, where PHI requires protection as it moves between a healthcare provider and an insurer.<\/p>\n <p>For users of the Azure cloud, multiple TEE-based protections are available while other confidential computing tools are still in development. The AWS cloud\u2019s Nitro System offers similar protections. No matter the cloud, all these tools are committed to securing data as you retrieve and use it, not just when it is in storage or moving within your system.<\/p>\n
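<p>The key hierarchy described under Data at Rest above (a DEK protecting the files, a separately held key protecting the DEK) is easier to see in code. The following Go program is an added example written for this page; it is not part of the original post and not code from Microsoft Purview or any database product. It uses only Go\u2019s standard library (AES-256-GCM), and the function names, the record contents and key identifiers such as kek-2022-08 are made up for illustration. The point it shows that the prose does not: because the data is encrypted under the DEK and only the DEK is encrypted under the master key (KEK), rotating the master key re-wraps a 32-byte DEK and never touches the stored ciphertext.<\/p>\n

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Envelope is what lands in storage: the record encrypted under a per-record
// data encryption key (DEK), plus that DEK encrypted ("wrapped") under a
// key-encryption key (KEK). The KEK lives elsewhere (HSM, key vault, or, in
// TDE terms, the certificate that protects the DEK). Names are illustrative.
type Envelope struct {
	WrappedDEK []byte // DEK encrypted with the KEK
	Ciphertext []byte // record encrypted with the DEK
	KEKID      string // which KEK wrapped the DEK, so rotation can find it
}

func newKey() ([]byte, error) {
	k := make([]byte, 32) // AES-256
	_, err := io.ReadFull(rand.Reader, k)
	return k, err
}

// seal encrypts with AES-256-GCM and prepends the random nonce. aad is
// authenticated but not encrypted; it binds the ciphertext to its context.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; any tampering with nonce, ciphertext or aad fails here.
func open(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// EncryptRecord generates a fresh DEK, encrypts the record with it, and wraps
// the DEK under the KEK. The plaintext DEK is discarded when this returns.
func EncryptRecord(kek []byte, kekID string, plaintext []byte) (Envelope, error) {
	dek, err := newKey()
	if err != nil {
		return Envelope{}, err
	}
	ct, err := seal(dek, plaintext, []byte("record"))
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := seal(kek, dek, []byte("dek:"+kekID))
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedDEK: wrapped, Ciphertext: ct, KEKID: kekID}, nil
}

// DecryptRecord unwraps the DEK with the KEK, then decrypts the record.
func DecryptRecord(kek []byte, env Envelope) ([]byte, error) {
	dek, err := open(kek, env.WrappedDEK, []byte("dek:"+env.KEKID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, env.Ciphertext, []byte("record"))
}

// RotateKEK re-wraps the DEK under a new KEK. The (possibly huge) ciphertext
// is untouched: rotating the master key is cheap because of the hierarchy.
func RotateKEK(oldKEK, newKEK []byte, newKEKID string, env Envelope) (Envelope, error) {
	dek, err := open(oldKEK, env.WrappedDEK, []byte("dek:"+env.KEKID))
	if err != nil {
		return Envelope{}, fmt.Errorf("unwrap DEK: %w", err)
	}
	wrapped, err := seal(newKEK, dek, []byte("dek:"+newKEKID))
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedDEK: wrapped, Ciphertext: env.Ciphertext, KEKID: newKEKID}, nil
}

func main() {
	kek1, _ := newKey() // constructed for the demo; a real KEK comes from a vault/HSM
	kek2, _ := newKey()
	env, err := EncryptRecord(kek1, "kek-2022-08", []byte("patient 4711: PHI sample"))
	if err != nil {
		panic(err)
	}
	env, _ = RotateKEK(kek1, kek2, "kek-2022-10", env)
	pt, err := DecryptRecord(kek2, env)
	fmt.Printf("%s (err=%v)\n", pt, err)
	_, err = DecryptRecord(kek1, env)
	fmt.Println("old KEK after rotation:", err)
}
```

<p>The KEK identifier is fed into the authenticated data when the DEK is wrapped, so a wrapped DEK cannot be silently re-labelled as belonging to a different master key. In a real deployment the KEK never enters the database host at all; the unwrap call goes to the key manager.<\/p>\n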
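<p>The Data in Transit section above ends with a governance rule: external links should expire. Here is what that looks like when enforced in code rather than in policy. This Go program is an added example for this page, not part of the original post and not how any particular product implements it. A share link carries a recipient, an expiry timestamp and an HMAC-SHA256 signature over all three; the verifier checks the signature before the expiry, so a recipient who edits the timestamp to extend access is rejected as a forger rather than quietly granted more time. The host files.example.test, the recipient address and the secret are constructed for the example.<\/p>\n

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"strconv"
	"time"
)

// Distinct errors let the caller log tampering separately from ordinary lapses.
var (
	ErrExpired   = errors.New("link expired")
	ErrBadSig    = errors.New("link signature invalid")
	ErrMalformed = errors.New("link malformed")
)

// mac computes HMAC-SHA256 over length-prefixed fields, so "a|b" style
// ambiguities (a recipient containing the separator) cannot arise.
func mac(secret []byte, fields ...string) []byte {
	h := hmac.New(sha256.New, secret)
	for _, f := range fields {
		fmt.Fprintf(h, "%d:%s,", len(f), f)
	}
	return h.Sum(nil)
}

// SignLink appends recipient, expiry and signature to a share URL. The signing
// secret stays on the server; whoever holds the link cannot mint new ones.
func SignLink(secret []byte, base, recipient string, expires time.Time) (string, error) {
	u, err := url.Parse(base)
	if err != nil {
		return "", err
	}
	exp := strconv.FormatInt(expires.Unix(), 10)
	q := u.Query()
	q.Set("to", recipient)
	q.Set("exp", exp)
	q.Set("sig", base64.RawURLEncoding.EncodeToString(mac(secret, u.Path, recipient, exp)))
	u.RawQuery = q.Encode()
	return u.String(), nil
}

// VerifyLink returns the recipient the link was issued to, or an error.
// Order matters: signature first, then expiry. A link whose exp was edited
// fails the signature check and is reported as forged, not merely expired.
func VerifyLink(secret []byte, link string, now time.Time) (recipient string, err error) {
	u, err := url.Parse(link)
	if err != nil {
		return "", ErrMalformed
	}
	q := u.Query()
	recipient, exp, sig := q.Get("to"), q.Get("exp"), q.Get("sig")
	if recipient == "" || exp == "" || sig == "" {
		return "", ErrMalformed
	}
	want := mac(secret, u.Path, recipient, exp)
	got, err := base64.RawURLEncoding.DecodeString(sig)
	if err != nil || !hmac.Equal(got, want) { // constant-time comparison
		return "", ErrBadSig
	}
	expUnix, err := strconv.ParseInt(exp, 10, 64)
	if err != nil {
		return "", ErrMalformed
	}
	if !now.Before(time.Unix(expUnix, 0)) {
		return "", ErrExpired
	}
	return recipient, nil
}

func main() {
	secret := []byte("constructed-demo-secret") // in practice: loaded from a vault and rotated
	link, _ := SignLink(secret, "https://files.example.test/share/report.pdf",
		"alice@example.test", time.Now().Add(24*time.Hour))
	fmt.Println(link)
	_, err := VerifyLink(secret, link, time.Now().Add(48*time.Hour))
	fmt.Println("two days later:", err)
}
```

<p>The same pattern (sign, then check expiry) applies to OTPs and to pre-signed object-storage URLs; what changes is only which fields go under the MAC. Tie the recipient into the signature as shown so that a forwarded link still names who it was issued to.<\/p>\n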
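<p>Homomorphic encryption, mentioned under Data in Use above, is concrete enough to run. The following Go program is an added example for this page: it is not part of the original post and it is a teaching implementation of the Paillier cryptosystem, not a production library. Paillier is additively homomorphic: multiplying two ciphertexts modulo n^2 yields an encryption of the sum of the two plaintexts, which is exactly what lets an insurer\u2019s server total encrypted claim amounts it can never read. The claim amounts are constructed, and the key size is chosen for speed rather than security.<\/p>\n

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
)

// PublicKey for Paillier: n = p*q, ciphertexts live modulo n^2, g = n + 1.
type PublicKey struct {
	N  *big.Int
	N2 *big.Int
	G  *big.Int
}

// PrivateKey adds lambda = lcm(p-1, q-1) and mu = lambda^-1 mod n.
type PrivateKey struct {
	PublicKey
	Lambda *big.Int
	Mu     *big.Int
}

var one = big.NewInt(1)

// GenerateKey builds a key whose modulus n has roughly `bits` bits.
// 1024 here keeps the example fast; that is far below a safe size.
func GenerateKey(bits int) (*PrivateKey, error) {
	for {
		p, err := rand.Prime(rand.Reader, bits/2)
		if err != nil {
			return nil, err
		}
		q, err := rand.Prime(rand.Reader, bits/2)
		if err != nil {
			return nil, err
		}
		if p.Cmp(q) == 0 {
			continue
		}
		n := new(big.Int).Mul(p, q)
		pm1 := new(big.Int).Sub(p, one)
		qm1 := new(big.Int).Sub(q, one)
		lambda := new(big.Int).Div(new(big.Int).Mul(pm1, qm1), new(big.Int).GCD(nil, nil, pm1, qm1))
		mu := new(big.Int).ModInverse(lambda, n)
		if mu == nil { // cannot happen for equal-size primes, but be defensive
			continue
		}
		pk := PublicKey{N: n, N2: new(big.Int).Mul(n, n), G: new(big.Int).Add(n, one)}
		return &PrivateKey{PublicKey: pk, Lambda: lambda, Mu: mu}, nil
	}
}

// Encrypt computes c = g^m * r^n mod n^2 with fresh random r, so the same
// amount encrypts to a different ciphertext every time (no frequency leaks).
func (pk *PublicKey) Encrypt(m *big.Int) (*big.Int, error) {
	if m.Sign() < 0 || m.Cmp(pk.N) >= 0 {
		return nil, errors.New("plaintext out of range")
	}
	var r *big.Int
	for {
		var err error
		r, err = rand.Int(rand.Reader, pk.N)
		if err != nil {
			return nil, err
		}
		if r.Sign() > 0 && new(big.Int).GCD(nil, nil, r, pk.N).Cmp(one) == 0 {
			break
		}
	}
	gm := new(big.Int).Exp(pk.G, m, pk.N2)
	rn := new(big.Int).Exp(r, pk.N, pk.N2)
	return gm.Mul(gm, rn).Mod(gm, pk.N2), nil
}

// Decrypt computes m = L(c^lambda mod n^2) * mu mod n, where L(u) = (u-1)/n.
func (sk *PrivateKey) Decrypt(c *big.Int) *big.Int {
	u := new(big.Int).Exp(c, sk.Lambda, sk.N2)
	l := u.Sub(u, one).Div(u, sk.N)
	return l.Mul(l, sk.Mu).Mod(l, sk.N)
}

// AddEncrypted is the homomorphic step: E(a) * E(b) mod n^2 = E(a + b).
// It needs only the public key, so an untrusted server can run it.
func (pk *PublicKey) AddEncrypted(ca, cb *big.Int) *big.Int {
	s := new(big.Int).Mul(ca, cb)
	return s.Mod(s, pk.N2)
}

// SumEncrypted totals encrypted amounts without ever decrypting one.
func (pk *PublicKey) SumEncrypted(cs []*big.Int) *big.Int {
	acc := big.NewInt(1) // 1 = E(0) with r = 1, the identity for AddEncrypted
	for _, c := range cs {
		acc = pk.AddEncrypted(acc, c)
	}
	return acc
}

func main() {
	sk, err := GenerateKey(1024)
	if err != nil {
		panic(err)
	}
	var cts []*big.Int
	for _, amount := range []int64{120, 45, 3000} { // constructed claim amounts
		c, err := sk.Encrypt(big.NewInt(amount))
		if err != nil {
			panic(err)
		}
		cts = append(cts, c)
	}
	// Only the public key is used for the sum; only the key holder can read it.
	fmt.Println("decrypted total of encrypted claims:", sk.Decrypt(sk.SumEncrypted(cts))) // 3165
}
```

<p>The provider holding the private key can decrypt the total while the party doing the arithmetic sees only ciphertexts. This is the additive-only form of HE; schemes that also support multiplication (and so arbitrary computation) exist but are considerably slower, which is why the post describes the field as still emerging.<\/p>\n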