Cyber Security: Encryption is not always what you think it is

What is file encryption, what does it do, what problem is it trying to solve?

Let’s begin with a hypothetical scenario: Person A makes use of a cloud storage provider for storing personal photos, work files (including files with PII) and personal financial statements. The cloud provider claims that the data is encrypted on their servers (and that is a perfectly valid and honest statement). If a cyber criminal were to gain access to the cloud storage server, they would not be able to (at least easily) access Person A’s files. However, while Person A is working on their computer they can see their files in Windows Explorer and access any of those files as if they were not encrypted. In other words, Person A (and by extension any application running on Person A’s computer) has access to the unencrypted files. An application running on Person A’s computer may be an office productivity tool, an email client, or malware. As far as any of these applications is concerned, none of the files are encrypted. Malware makes use of this fact to exfiltrate (steal) data. If you are relying on the encryption provided by a cloud storage provider to secure your files, and you have access to those files in an unencrypted state through Windows Explorer, then you really do not have encryption.

Explicit file encryption is any mechanism that secures a file in a format that cannot be read by someone who does not have access to the decryption password (or decryption key or other mechanism). File encryption exists as a mechanism to prevent unauthorised persons from gaining access to confidential information. But remember – if the user can access the unencrypted file inside Windows Explorer, so can the malware!

Encrypted cloud storage is an example of what is called “Encryption at Rest”. This mechanism protects files when the attacker does not have access to the user’s credentials or where the media containing the files is stolen or lost. It does not protect files from exploitation or exfiltration when the user’s device is compromised by ransomware or malware and the (cloud) storage is mounted as a local drive. If the user can see and work with the unencrypted files from within Windows Explorer, then malware can also access those unencrypted files. The same is true for any dongle or USB key that needs to be inserted into the device.

What is required is a wrapper application that decouples the file system (where files are encrypted) from the key vault (where the passwords are kept). The key vault should also be capable of being disabled in the event of a breach so that the decryption keys are no longer accessible. This mechanism combines strong keys in a decentralised store, with unique keys per file, and the ability to suspend access to keys in the event of a breach (or suspected breach). Decryption should be “just in time”, where the user gains access to the encrypted file only when they need it – and the means of decryption should be explicit (logging on to a session, typing in a password and so on). Any files not actively in use should remain encrypted within the file system. In this way any data exfiltration will at best be able to steal data currently in active use – all other files exfiltrated would be encrypted and unusable (and useless) to the attacker.
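The wrapper described above can be sketched in a few lines of Python. This is an added example, not code from the original post: the names `KeyVault`, `Wrapper`, `seal` and `unseal` are hypothetical, in-memory dictionaries stand in for the file system and for a vault that would run on a separate host, and the HMAC-based cipher is a standard-library stand-in for a vetted AEAD such as AES-GCM.

```python
import hashlib, hmac, secrets

class VaultSuspended(Exception):
    """Raised for every key request once the vault has been suspended."""

class KeyVault:
    """Key store kept apart from the file store: one random key per file."""
    def __init__(self, password):
        self._salt, self._keys, self.suspended = secrets.token_bytes(16), {}, False
        self._pw = self._hash(password)
    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)
    def key_for(self, file_id, password, create=False):
        if self.suspended:  # breach response: no key leaves the vault
            raise VaultSuspended(file_id)
        if not hmac.compare_digest(self._hash(password), self._pw):
            raise PermissionError("explicit unlock failed")
        if create:
            self._keys[file_id] = secrets.token_bytes(32)  # unique key per file
        return self._keys[file_id]

def _prf(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # HMAC-SHA256 in counter mode: stdlib stand-in for a vetted AEAD such as AES-GCM
    blocks = (_prf(key, nonce + i.to_bytes(8, "big")) for i in range(0, len(data), 32))
    stream = b"".join(blocks)
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(_prf(key, b"enc"), nonce, plaintext)
    return nonce + ct + _prf(_prf(key, b"mac"), nonce + ct)

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(_prf(key, b"mac"), nonce + ct)):
        raise ValueError("ciphertext was modified or the key is wrong")
    return _xor_stream(_prf(key, b"enc"), nonce, ct)

class Wrapper:
    """File store holds only ciphertext; plaintext exists only as read()'s return value."""
    def __init__(self, vault):
        self.vault, self.store = vault, {}
    def write(self, file_id, data, password):
        self.store[file_id] = seal(self.vault.key_for(file_id, password, create=True), data)
    def read(self, file_id, password):
        return unseal(self.vault.key_for(file_id, password), self.store[file_id])
```

Setting `vault.suspended = True` makes every later `read()` fail with `VaultSuspended`, so a copy of `store` taken after that point contains only sealed blobs.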

Creating and deploying this mechanism requires a cultural shift, a new way of doing business and a desire to improve security – all actions adversaries are taking every day! It is truly “adapt or die”.
