2018-08-28 Patrick Walsh
Originally published at blog.ironcorelabs.com.
DoD's Distributed Data Problem
Data is the currency of the modern age. For business, data is the fuel that propels decisions, competitive advantages, investments, and in some cases, it’s the company’s product. For these reasons, businesses guard their data closely. Yet for Governments, the stakes are much higher.
Information is arguably the most important resource in global power struggles, both military and economic. It’s the difference between a strong defense and a weak one. It’s the difference between being prepared and being caught unaware. It’s the difference between overwhelming advantage and a level playing field. Arguably, information, such as that uncovered by the Enigma program in World War II, has been the decisive factor in numerous conflicts.
When the information in question is military plans, strategy, espionage networks, or blueprints for differentiating technology, the stakes are highest.
If a rival country obtains this kind of information, it can rapidly become a more dangerous foe. Russia, China, Iran, and North Korea have all invested heavily in successful hacking campaigns that have paid dividends and made the world a more dangerous place.
Unfortunately, data is not easy to control. Strategic plans and weapons capabilities are shared between allies and with contractors and subcontractors. In the case of vehicles and weapons, manufacturers are in the loop as well.
Today, the protection of this data relies on up-front diligence about whether each party that needs access is able to protect sensitive data. But this approach is flawed. With each new entity that gains access to sensitive data, the security risk surface grows exponentially.
The model isn’t sustainable.
In the last year, we learned that the NSA’s entire suite of offensive hacking tools was stolen, presumably by Russia. A Government subcontractor in Australia was hacked for over five months before noticing, and unclassified plans for the Joint Strike Fighter program, F-35 stealth fighter, C-130 transport plane, anti-submarine P-8 surveillance aircraft, and detailed designs of Australian Navy ships were all stolen, possibly by China. China also reportedly stole missile plans for submarine warfare. And U.S. and South Korea’s classified wartime plans regarding North Korea were stolen, presumably by North Korea.
Government and military breaches don’t generally require public disclosure unless personal data of citizens was compromised, such as when the Office of Personnel Management (OPM) was breached.
The Australian subcontractor that lost plans for all those planes and ships was an aerospace engineering firm that was “four levels of subcontracting down” from primary contractors like Boeing and Lockheed Martin, though we don’t know who the primary contractor was in this case.
Most of the time, the stolen data had first been copied to the home computer of an employee or to the network of a partner.
The idea that tightly controlled data is actually distributed across computers and networks all over the world is frightening. But in this day of mobile devices and cloud computing, distributed data is the norm.
Today, most people think about controlling data in terms of physical possession of the media on which it’s stored. If we hold the media and prevent access to it and copies of it, then the data is safe. But data that is completely locked away, while useless to adversaries, is also useless to the holders and their allies and partners. So here we are.
It’s time for data to have built-in access controls where the owner of the data can change who has access regardless of where the data is stored, even if it’s offline or in an immutable data store.
Using encryption, the owner should know indisputably who is able to decrypt that data, regardless of how many copies of the encrypted data are stored around the world. More importantly, the owner should be able to revoke that access at any time and for any reason, particularly when suspicious access patterns are detected.
Data protection techniques that use encryption have long been touted as a way to bring access controls down to the level of the data. Unfortunately, most of this has been hype. At best, we have key custodian models where a central server or service hands out shared-secret encryption keys on demand. This is more of an access control shell game than anything resembling cryptographic control of the data.
Public key encryption has long been seen as the holy grail of secure communications that don’t require a trusted third party to hold keys. But public key encryption suffers from some notable problems:
- Some approaches still require a trusted third party, as with SSL systems and trusted certificate hierarchies.
- Key management is complex.
- Once data is encrypted to person X, there’s no way to change who can decrypt that data without touching the data itself (or, in some schemes, without touching the encrypted key that encrypts the data). So adding someone requires decrypting the data and then encrypting to the new person.
- Revocation requires access to every copy of the data, and every one of those copies has to be edited.
A new type of public key encryption solves these problems. It’s based on a concept called Orthogonal Access Control, which separates the decision about how a file is encrypted from the decision about who can decrypt it, but provides the same security guarantees as data encrypted directly to specific users.
In this system, keys are handled automatically. Users own their keys, but don’t need to do anything special in order to manage them. Key rotation is built in, but transparent. Servers are zero-knowledge. Encryption and decryption happen client-side (or at the point of use). But decryption is facilitated by a transformation service that tracks decryptions and flags or suspends access that is suspicious.
The implications of this new technology are big, because it has the potential to invert the trust model and to transform how data is controlled. Today, when signing up for a cloud service, a customer must trust that cloud service with their data, but really has no idea how it’s accessed, used, or who can view it. With this new system, the customer, the owner of the data, sees who has access, audits that usage, and revokes that access when necessary. The customer can even decide to prevent their vendor from accessing some of their data.
Let’s revisit the breaches of Government data imagining that the data was encrypted with this technology.
First and foremost, the Australian contractor with the foreign nation-state in their network would have presented an extra hurdle to the attackers. In addition to compromising the network and getting access to the stored data (now end-to-end encrypted), they'd also have to get access to the private key of an employee with the ability to decrypt that data. But even that is not enough to unlock the data, since the attacker would also have to convince the transformation service to facilitate decryption. That means making the decryption requests at normal rates (for the compromised user), from usual locations, and without triggering suspicious activity flags. Even in the worst case, an extremely patient attacker who understands how to avoid these triggers would be greatly slowed in exfiltrating data.
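The mechanics described above, both the system sketched earlier (a file encrypted once, membership changed without touching the ciphertext, a transformation service that gates and logs every decryption) and this breach scenario (a stolen private key used from an unusual location, or at an unusual rate, being refused), as an added example. This is not IronCore's code or its actual scheme: it uses the Dodis–Ivan key-splitting proxy construction over a deliberately tiny ElGamal group (p = 2039) so the arithmetic stays readable, and the group name, member names, locations and rate threshold are all constructed for illustration.

```python
"""Toy Orthogonal Access Control (added example; not IronCore's code).
A file is encrypted once to a group key.  The owner decides who can decrypt by
enrolling members with a transformation service and revokes by deleting the
enrolment, never touching the ciphertext; the service also gates decryptions.
Crypto: Dodis-Ivan key-splitting proxy over a tiny ElGamal group.  NOT secure.
"""
import hashlib
import secrets

P, Q, G = 2039, 1019, 4  # toy safe prime p = 2q + 1 and a generator of the order-q subgroup

def keygen():
    sk = secrets.randbelow(Q - 1) + 1  # secret key in [1, Q-1]; public key g^sk mod p
    return sk, pow(G, sk, P)

def encrypt(pk, m):
    """ElGamal encryption of 1 <= m < P to pk: (g^r, m * pk^r)."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), m * pow(pk, r, P) % P

def decrypt(sk, ct):
    """Direct decryption by the key holder: the baseline the proxy path must match."""
    c1, c2 = ct
    return c2 * pow(pow(c1, sk, P), -1, P) % P

def _pad(elem):  # 32-bit mask derived from a group element, used to wrap integer key shares
    return int.from_bytes(hashlib.sha256(str(elem).encode()).digest()[:4], "big")

def wrap_share(pk, share):
    """Hashed-ElGamal wrap of a share to pk; only the matching sk unwraps it."""
    t = secrets.randbelow(Q - 1) + 1
    return pow(G, t, P), share ^ _pad(pow(pk, t, P))

def unwrap_share(sk, wrapped):
    c1, masked = wrapped
    return masked ^ _pad(pow(c1, sk, P))

class TransformationService:
    """Holds one key share per (group, member); never sees plaintext or a full key."""
    def __init__(self, max_per_window=3, window_seconds=60):
        self.shares, self.usual_location, self.requests = {}, {}, {}
        self.suspended, self.audit = set(), []
        self.max_per_window, self.window = max_per_window, window_seconds

    def register(self, group, member, proxy_share, location):
        self.shares[(group, member)] = proxy_share
        self.usual_location.setdefault(member, location)

    def revoke(self, group, member):
        self.shares.pop((group, member), None)

    def transform(self, group, member, ct, location, now):
        """Partially decrypt ct for member, or refuse; every request is logged."""
        share = self.shares.get((group, member))
        recent = [t for t in self.requests.get(member, []) if now - t < self.window] + [now]
        self.requests[member] = recent
        if share is None or member in self.suspended:
            verdict = "denied"
        elif location != self.usual_location[member] or len(recent) > self.max_per_window:
            verdict = "suspended"  # unusual place, or an unusual burst of decryptions
            self.suspended.add(member)
        else:
            verdict = "transformed"
        self.audit.append((now, member, group, verdict))
        c1, c2 = ct
        return None if verdict != "transformed" else (c1, c2, pow(c1, share, P))  # g^(r*proxy_share)

def add_member(group_sk, service, group, member, member_pk, location):
    """Owner splits the group secret: one share to the service, one wrapped to the member."""
    proxy_share = secrets.randbelow(Q)
    service.register(group, member, proxy_share, location)
    return wrap_share(member_pk, (group_sk - proxy_share) % Q)

def member_decrypt(member_sk, wrapped_share, partial):
    """Finish decryption: g^(r*s1) * g^(r*s2) = g^(r*sk) because s1 + s2 = sk mod q."""
    c1, c2, proxy_part = partial
    full = proxy_part * pow(c1, unwrap_share(member_sk, wrapped_share), P) % P
    return c2 * pow(full, -1, P) % P

def scenario():
    """Enrol three members, then show revocation, a stolen key used elsewhere, and a burst."""
    svc = TransformationService(max_per_window=3, window_seconds=60)
    group_sk, group_pk = keygen()
    dek = secrets.randbelow(P - 1) + 1  # stands in for a file's data-encryption key
    stored = encrypt(group_pk, dek)     # written once; copies may live anywhere
    keys = {m: keygen() for m in ("alice", "bob", "carol")}
    wrapped = {m: add_member(group_sk, svc, "drawings", m, keys[m][1], "canberra") for m in keys}

    def attempt(member, location, when):
        partial = svc.transform("drawings", member, stored, location, when)
        return partial is not None and member_decrypt(keys[member][0], wrapped[member], partial) == dek

    t, out = 1_000_000.0, {"owner_direct_ok": decrypt(group_sk, stored) == dek}
    out["member_ok"] = attempt("alice", "canberra", t)
    svc.revoke("drawings", "alice")  # owner changes who can decrypt; the ciphertext is untouched
    out["revoked_blocked"] = not attempt("alice", "canberra", t + 1)
    out["others_unaffected"] = attempt("bob", "canberra", t + 2)
    # Bob's private key is stolen and used from an unusual place: refused, and Bob is suspended.
    out["stolen_key_blocked"] = not attempt("bob", "elsewhere", t + 3) and "bob" in svc.suspended
    # Carol decrypts at a normal rate, then bursts: the fourth request in the window is refused.
    out["burst_blocked"] = [attempt("carol", "canberra", t + 10 + i) for i in range(4)] == [True] * 3 + [False]
    return out
```

Two design points are worth noting. The owner only ever needs a member's public key to enrol them, and revocation is a delete in the service's table, so neither operation touches the stored ciphertext, which is the property the post is after. The toy construction does have a known weakness that the real pairing-based schemes avoid: if the transformation service and a member pool their shares they recover the group secret, so a production deployment treats the service as semi-trusted and rotates group keys, rather than relying on this exact arithmetic.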
The Australian attack stole at least 30 GB of compressed data. The breach of a subcontractor where submarine warfare data was stolen involved 614 gigabytes of data. Neither company detected the attack, and the data owners (the Governments and primary contractors involved) had no way to monitor the security or use of their data. That job was fatefully delegated.
It’s plain common sense. If you own the data, then you should control its access and use, no matter where the data is stored or who gains access to that storage place. And Governments (and especially their militaries) should absolutely control and guard their data even after sharing it with contractors and allies.
Orthogonal Access Control transforms how we think about retaining ownership and control of data from a model of trust to a model of verification and revocation. It’s the difference between giving the keys to your car to a valet versus parking it yourself where you can see it while you eat.
It’s time to upgrade data protection best practices and to treat our critical information as our most treasured and controlled assets.
Please reach out if you'd like to learn more about cryptographic access controls to protect data even when it’s immutable, on other people’s servers, or even offline.
Image credit: shaineast