Figure 1: The 3 states of Data
Data exists in 3 states: In Use, At Rest, and In Transit. Currently, the information security industry focuses on protecting data in the latter 2 states, but neglects to protect data In Use. As a result, data is being protected in only two-thirds of the cases. Even the US National Security Agency’s Commercial Solutions for Classified (CSfC) guidelines neglect to protect data in use and only give guidance to protect data at rest [1] and in transit [2][3].
Data In Use is when it is being processed by a running application, and is loaded in memory, as shown on the left side of Figure 1. In Figure 1, there are various applications such as AutoCAD, Microsoft Office, PhotoShop, Acrobat, QuickBooks and Solid Works that are all running and have opened sensitive files of their respective file types. In this case, all open files are considered data In Use by various applications. The reason it is important to protect data In Use is because even if the file or disk was encrypted, the contents of the file must be decrypted in memory in order for the application to process it. Once the file is unencrypted in memory, it is vulnerable to being stolen or “scraped” by RAM-Scraping malware in user or kernel mode. This is the exact same attack that the RAM-scraping malware on Target’s Point Of Sale systems [4] used to breach credit card numbers in 2014. Since then, the payment card industry has evolved and used new techniques such as tokenization to avoid processing sensitive data, but tokenization just shifts the problem rather than solving it, because tokens still have to be detokenized at some point, resulting in sensitive data unprotected In Use. As mentioned in an earlier post, even techniques such as memory encryption or homomorphic encryption are not good enough to protect data In Use, because the sensitive data must be processed by an untrusted operating system environment in order to display human readable images on the screen, or take input from user devices such as a mouse and keyboard. In addition, these techniques require modifications to the applications that they are protecting. A1FILO uniquely protects data In Use as well as the input devices and the outputted human readable content on the screen. Also, A1FILO uniquely does not require knowledge of the file formats or modifications to the applications it protects; they run unmodified, and without any plugins or knowledge of A1FILO. As a result, customers can protect legacy applications, and future applications that are written without any dependence on A1FILO. Check out our coverage in the latest Markets and MarketsTM Data Exfiltration Market study [5]. They agree that A1FILO “is the ONLY security solution in the cybersecurity marketspace that enables protection from RAM scraping malware and prevents exploitation of data In-Use”.
Data At Rest is when the data is stored on a storage medium and is not being processed by an application, as can be seen in the middle of Figure 1. Examples of data At Rest include files on a hard drive, USB drive, file server, cloud or mobile devices. The information security industry has and still is focusing heavily on protecting At Rest through the use of file and full disk encryption. Protecting data At Rest is common these days and is done by A1FILO as well as many other DLP and IRM products in the market, by encrypting files.
Data In Transit is when it is being transferred over a medium that the adversary has access to, as can be seen on the right side of Figure 1. Examples of data In Transit include files that are email attachments, uploaded to the cloud, uploaded to FTP servers or being transferred over a USB drive that might come into the hands of the adversary. Some might argue that data transferred on a USB drive is only considered At Rest, not In Transit. However in our view, a USB drive can contain files that the adversary can capture if the USB drive is stolen, just like file upload traffic can contain files that the adversary can capture if network packets are being sniffed. Protecting data In Transit is also common these days, and is done by A1FILO and many DLP and IRM products that do file level encryption, which follows the file around, wherever it may be transferred.
“There isn’t any indication that they [the NSA] managed to break the mathematics [of encryption]…However it is the…endpoint security which is suffering”
-Adi Shamir, Co-Inventor of RSA Encryption Algorithm, RSA Conference 2014 Cryptographer’s Panel
According to Adi Shamir, one of the Fathers of the RSA encryption algorithm, the mathematics of encryption, which protects data At Rest and In Transit is not a very big problem. The larger problem is the endpoint security, since that is where the data is unprotected In Use to be processed by applications running on endpoints. A1FILO is the only product that protects data In Use, independently of the application or the filetype it is protecting.
[1] https://www.nsa.gov/resources/everyone/csfc/capability-packages/assets/files/dar-cp.pdf
[2] https://www.nsa.gov/resources/everyone/csfc/capability-packages/assets/files/msc-cp.pdf
[3] https://www.nsa.gov/resources/everyone/csfc/capability-packages/assets/files/mobile-access-cp.pdf
[5] https://www.marketsandmarkets.com/Market-Reports/data-exfiltration-market-100460691.html