Entity-Level Encryption: The Only Defense Against Ransomware

By Brian Greenberg and Cameron Laghaeian
Originally published at Forbes on 6/23/2021.

Ransomware is one of the fastest-growing forms of cybercrime. It begins when ransomware criminals gain access to a company’s network and, like a virus, spread their malware, infecting all the company’s computers. From there, the malware encrypts all the company’s data, making the information unreadable and shutting down the business until a ransom is paid, often in the millions of dollars. Since 1989, cybercriminals have been holding data ransom for financial gain. Ransomware results in system-wide downtime for the victims and financial loss from the impact on the business and from the ransom payment itself. While well-architected, hardened defenses against would-be hackers are necessary to reduce the likelihood of a breach, there is no guarantee of thwarting an attack. When an attack occurs, the only way to recover data encrypted by ransomware is to restore the data from backups stored offline and isolated from the threat.

The Threat Of Extortion

As if encrypting your data for ransom wasn’t enough, an even more nefarious development has increased the impact of ransomware events on businesses. Cybercriminals have been copying and downloading data to their own servers before encrypting the data on the victims’ computers. This gives the hackers two methods for financial gain:

  1. They demand a ransom payment for the key to decrypt the victims’ data.
  2. They can extort more money by threatening to publish the company’s data on the dark web, thereby exposing all manner of confidential information.

This second threat can have an even more devastating impact on businesses. Essentially, hackers could publish all the information about a business’s operations and its clients on the dark web for other criminals and even competitors to use. The damage this would cause to businesses, especially for regulated organizations such as healthcare providers, can be far worse than a simple ransom paid to unlock encrypted data. Moreover, even if a company does pay extortion money, there’s no guarantee that the criminals wouldn’t publish the confidential data regardless.

A Complex Problem

From daily news headlines, the severity and frequency of these breaches suffered by private companies and governmental agencies seem ubiquitous and unending. It’s impossible to harden any IT system enough to guarantee that no hacker would ever have access to any company’s internal systems.

IT systems are just too complex. They are a combination of personal computers, smart devices and servers, all connected via networks. The configuration of the computer and technology components in any given company is in a constant state of flux: components are constantly added, updated and replaced, occasionally introducing undetected vulnerabilities that result in zero-day attacks. Effectively, cybercriminals will always find a way to break into any given system and gain access to the company’s data. Therefore, the only effective remedy that further reduces the likelihood of data loss is to encrypt the data at rest, making it unreadable to hackers.

Despite the many advantages of data encryption, we don’t use it everywhere. The whole encryption process presents many challenging complexities, including:

  • Encryption key management.
  • Computational cost.
  • Speed.
  • Data storage.
  • The need to share data with various internal and external systems.

Any encryption scheme requires at least one key. This key has to be complex enough to prevent the data from being decrypted by brute force, which makes it hard to remember and impractical to enter on demand as authorized users try to interact with the data.

Fortunately, multiple solution providers offer products that help organizations manage their encryption keys. These solutions support numerous encryption schemes, including application-level encryption, in which only an authorized application can read the encrypted data in the database. The drawback of this method is that if a hacker gains access to the application, they will have access to the data.

A Solution

A more robust solution would leverage entity-level encryption, with a unique key for each entity based on each business’s definition of what constitutes sensitive data, and tie authorization to the users. In cybersecurity, this is akin to the “principle of least privilege,” under which a system’s or user’s access rights are limited to only what is strictly required to complete a function or to do their job.

For example, a healthcare provider could have a unique encryption key for each patient and authorize each patient to access their own data. This method will guarantee that patients can only see their own records, since they will not have the keys for any other patient’s information stored in the same database. This level of encryption is only workable if the encryption logic can manage all the keys and patient authorizations and still allow authorized employees access to any patient’s records. This method would expose only a single patient’s data if that patient’s device (PC or smartphone) is compromised.

With a secure key management scheme, cybercriminals will have no way to decrypt the sensitive information even if they obtain a copy of the entire database. While this level of encryption will not prevent hackers from further encrypting the data and demanding a ransom for the decryption key, it will prevent them from publishing usable data on the dark web.
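The per-patient key scheme described above, worked through as an added example (this is not code from the article or from any product the authors describe). It assumes envelope encryption: each patient's record is encrypted under its own data encryption key (DEK), and that DEK is wrapped with AES-256-GCM once for every principal allowed to read it (the patient, and a clinician role that authorized employees use). The key-encryption keys (KEKs) are held by the principals and never stored with the data, so a dump of the whole table yields only ciphertext and wrapped keys. The in-memory `Store` standing in for the database, the patient IDs `p-1001`/`p-1002` and the principal names `patient:p-1001` and `role:clinician` are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

type WrappedKey struct{ Nonce, Wrapped []byte }

// Row is all the database holds per patient: the encrypted record plus one
// wrapped DEK per authorized principal. No KEK and no plaintext is ever stored.
type Row struct {
	Nonce, Ciphertext []byte
	Wraps             map[string]WrappedKey // principalID -> wrapped DEK
}

type Store map[string]Row // constructed stand-in for the patient table, keyed by patient ID

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // crypto/rand is documented never to fail on supported platforms
	}
	return b
}

// NewKey returns a fresh random 256-bit AES key, used for both DEKs and KEKs.
func NewKey() []byte { return randBytes(32) }

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM encrypts with AES-256-GCM under a random nonce; aad is authenticated, not encrypted.
func sealGCM(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = randBytes(gcm.NonceSize())
	return nonce, gcm.Seal(nil, nonce, plaintext, aad), nil
}

func openGCM(key, nonce, ct, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, aad)
}

// Put encrypts a record under a fresh per-patient DEK and wraps that DEK once per
// authorized principal; the AAD binds each wrap to its (patient, principal) pair.
func (s Store) Put(patientID string, plaintext []byte, authorized map[string][]byte) error {
	dek := NewKey()
	nonce, ct, err := sealGCM(dek, plaintext, []byte(patientID))
	if err != nil {
		return err
	}
	row := Row{Nonce: nonce, Ciphertext: ct, Wraps: map[string]WrappedKey{}}
	for principal, kek := range authorized {
		n, w, err := sealGCM(kek, dek, []byte(patientID+"|"+principal))
		if err != nil {
			return err
		}
		row.Wraps[principal] = WrappedKey{n, w}
	}
	s[patientID] = row
	return nil
}

// Read succeeds only for a principal that holds a wrap for this patient and
// presents the KEK that made it; any other request gets an error and no data.
func (s Store) Read(patientID, principalID string, kek []byte) ([]byte, error) {
	row, ok := s[patientID]
	w, has := row.Wraps[principalID]
	if !ok || !has {
		return nil, fmt.Errorf("%s holds no key for %s", principalID, patientID)
	}
	dek, err := openGCM(kek, w.Nonce, w.Wrapped, []byte(patientID+"|"+principalID))
	if err != nil {
		return nil, fmt.Errorf("unwrap failed for %s: %w", principalID, err)
	}
	return openGCM(dek, row.Nonce, row.Ciphertext, []byte(patientID))
}

func main() {
	db, alice, clinic := Store{}, NewKey(), NewKey() // constructed keys; in practice they live on the patient's device and in the clinician service, not in db
	_ = db.Put("p-1001", []byte("p-1001: blood type A+"), map[string][]byte{"patient:p-1001": alice, "role:clinician": clinic})
	pt, err := db.Read("p-1001", "patient:p-1001", alice)
	fmt.Printf("own row: %q err=%v\n", pt, err)
	_, err = db.Read("p-1001", "patient:p-1002", alice)
	fmt.Println("another patient's row:", err)
}
```

Three failure modes fall out of the structure rather than of access-control code: a patient has no wrap on another patient's row, so there is no key to try; a wrong KEK fails GCM authentication on the wrap; and a wrap copied from one row to another fails because the AAD names the original patient. Revoking an employee's access means deleting or re-wrapping their entries, not re-encrypting records, which is what makes per-entity keys manageable at scale.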

The Ultimate Defense

Ransomware is a grave threat to any business. It is an incredibly complicated problem that traditional IT defenses have been unable to stop, and no single strategy can fix it. The ultimate defense is a multifaceted approach that deprives cybercriminals of their prize. First, companies need to employ frequent, automated backups securely maintained offline so that data encrypted by ransomware can be recovered. Second, companies need to begin leveraging entity-level encryption, making data unreadable by unauthorized actors. In combination, these two approaches can seriously cripple a cybercriminal’s power to impact businesses and their clients.


About Brian Greenberg

Brian Greenberg is a technology and product leader, Forbes contributor, and member of the Forbes Technology Council. He lives in Chicago and has been working at companies of all sizes, from the Fortune 100 to startups, for over 30 years, including international experience as an expatriate in Japan and Europe. In addition to being part of the Adjunct Faculty in the College of Computing and Digital Media at DePaul University, Brian Greenberg is an award-winning CIO and CTO, considered a dynamic, entrepreneurial, and visionary leader, accomplished at strategic planning, process improvement, product development, and reengineering of key business processes. He has been highly successful in achieving financial results through strong customer loyalty and long-term relationships with suppliers and vendors, and in achieving business results through the strategic application of technology to business challenges. He readily pursues "stretch goals," is not afraid to take risks, and is grounded in a strong teamwork approach. He is regarded as a skilled communicator, team builder and negotiator who maximizes efficiency and productivity by boosting employee morale and performance. Brian Greenberg has expertise in digital transformation, automation, turnaround management, security, data storage, and data protection. He is also a storyteller and an improvisor in Chicago’s comedy community.