IT Provider Deploys its Own Encryption Service to Further Secure Corporate Data
Cybercrime is big business, costing an average of $4 million per breach and growing, according to the 2016 Ponemon Cost of Breach study. While traditional security measures, including firewalls and access controls, help keep intruders out, they are often not enough to keep data secure. Hackers are smart and determined to find new, more innovative ways to access proprietary business and consumer data, including credit card information, electronic health records (EHRs) and insurance information. These breaches can have a devastating impact on a business, with the consequences extending well beyond the financial effect to threaten a business’ reputation and customers’ trust. Of course, businesses want to put safeguards in place to protect themselves. This is where encryption comes in.
Breaches are bad for business. EaaS can help
In early 2016, Peak 10, a hybrid IT infrastructure provider, conducted an encryption study to gain insight into its customers’ views, expectations and use of encryption. The results were telling, with over 60 percent of respondents viewing encryption as important or extremely important, and 70 percent planning to increase or maintain their encryption budgets in the coming year.
Well versed in technology and security controls, Peak 10 recognized the need to supplement its extensive security portfolio with an encryption as a service (EaaS) product to tackle this pervasive issue. Later that year, the company launched its EaaS offering to provide a holistic, reliable and scalable last line of defense to protect essential data. Offering file-level encryption of structured and unstructured data at rest, EaaS provides an opportunity for businesses to mitigate data theft and strengthen their security posture by rendering data unreadable to anyone without appropriate access. Even if the system is accessed – whether maliciously or inadvertently – it is highly improbable that the data can be deciphered.
Peak 10 equates encryption to the safe within a bank. While a bank has stringent security measures in place – locked doors, security cameras and alarms – it still stores its cash in a locked safe within this building. This is the secondary layer of security that encryption provides.
Granular control and powerful functionality drive data security
Shortly after launching EaaS, Peak 10 implemented the solution internally, encrypting its payroll, legal documents, financials, and large contracts.
“When we rolled out our EaaS offering, we wanted to take advantage of that added layer of security for our own critical data,” says Lamont Greene, corporate IT manager at Peak 10. “We also want our customers to know how strongly we believe in our service. We want them to know we use it ourselves.”
For Peak 10, the encryption process began with a series of important conversations around what data should be encrypted and who would need to access it. This step engaged corporate executives and was fundamental in fleshing out crucial expectations and defining encryption keys and policies. A custodian of the encryption keys was also assigned to ensure the security of this critical information.
Once this information was identified, Peak 10 created a domain on its Data Security Manager (DSM). This hardware device centralizes key and policy management, enabling the designated administrator to efficiently manage policies.
Next, an encryption agent was downloaded from the portal and installed on each of the servers designated to hold the encrypted data. Encryption policies and keys were then created to align with Peak 10’s requirements, applying explicit permission for only select users, applications and processes to access the data. This granular level of control heightens security to optimally protect the data. With keys and policies in place, Peak 10 migrated the data from its existing locations into the specific policy-controlled files, encrypting the data on the way in. Quick and seamless, this process resembles copying a file from one location to another.
Paramount to the security of Peak 10 EaaS are its self-managed keys, which provide access to the policies and enable the holder to assign new policies and control user accessibility. Just like Peak 10 has a custodian for its own keys, each customer is the sole custodian of its own keys, ensuring it retains complete control of its encryption policies. This guarantees that Peak 10 does not have access to its customers’ keys, policies or critical information and decreases the risk associated with outside exposure to critical data – an essential factor from an auditing perspective.
For ease of management, Peak 10 EaaS features a centralized management control that allows keys, policies and audit logs to be configured and controls to be created or managed from a central location. Policies can also be written to lock down data during certain times of the day. This is particularly helpful for businesses that operate during specific hours and do not need their data available outside of those hours. Using transparent encryption to scramble the data but not the metadata attached to it, Peak 10 EaaS allows technicians without key access to continue to manage the IT environment without viewing or compromising the integrity of the data. As an added support, the EaaS encryption agent features a Learning Mode that can help recommend policies or identify data access patterns to help create intelligent, data-driven policies that save time, and boost efficiency and security.
Peak 10’s built-in redundancy also guarantees that during an outage, its data remains encrypted and secure thanks to the geo-diversity of its EaaS solution. By employing multiple DSMs, this high-availability service enables the primary DSM to fail over to a secondary DSM at a different Peak 10 data center during an outage. This level of reliability offers SLA-backed 99.999% DSM uptime and ensures ongoing operations and the continued encryption of the data.
For heightened visibility of the data, Peak 10 EaaS offers continuous activity logging to view how, when and by whom data is being accessed – and whether the attempt was allowed or denied. These analytics provide detail-rich insight into potential data anomalies, allowing Peak 10 – or an EaaS customer – to detect potential threats. These detailed logs also support audits and help tailor future access policies. Additionally, logs can be easily integrated with security information and event management (SIEM) systems and various log management tools, such as Alert Logic, Splunk, HP ArcSight, and IBM QRadar.
Peace of mind thrives through efficiency and compliance
Using EaaS to protect its own data has provided Peak 10 with valuable and direct insight into its EaaS product, allowing the provider to continually improve the service to keep pace with evolving security risks and market demands. This experience has also allowed Peak 10 to quantify the effectiveness and speed of the service, noting only a 4 percent reduction in accessibility speed of the encrypted data versus plain text data – a minimal delay to contend with for such an intense level of security. Most importantly, the service provides Peak 10 with the vital knowledge that if its systems are compromised, its data would still be safe.
“EaaS offers peace of mind to administrators,” explains David Lewis, systems and tools administrator at Peak 10. “When you have sensitive data, you want to know that even if someone were able to get to it, they wouldn’t be able to read it, and that data would not be compromised.”
From a regulatory standpoint, encryption also helps Peak 10 meet critical compliance requirements around data security for itself, which translates to increased confidence and ease-of-audit for its customers. With over 60 percent of customers subject to some kind of regulatory requirement, including HIPAA, PCI DSS and more, compliance can be a driving factor in implementing encryption services.
Not surprisingly, this added layer of security requires a slightly more involved process for the designated administrator – a necessary element for such a robust layer of security. “This complexity is a good thing because you know your data is more secure with it than it was without it,” notes Greene. “However, as a customer, if you find you need some assistance, you always have Peak 10 there to help.”
In fact, Peak 10 offers its customers a range of services to support their encryption efforts. This support can be as hands-on or as limited as needed. For those that lack the internal expertise to undertake encryption on their own, Peak 10 offers implementation support as part of its Advanced Client Services (ACS). This level of service engages a Peak 10 Service Delivery Engineer to assist in gathering information, documenting processes and other information, and assisting with the basic installation of the service. For those comfortable handling the process on their own, Peak 10 experts are available 24/7/365 to answer questions and provide support. Additionally, Peak 10 is always available to discuss specific security practices with customers – whether they are considering adopting encryption services or looking to modify their existing strategy. Regardless of the level of support needed, Peak 10 will never have access to a customer’s keys, policies or data. The bottom line is that Peak 10’s customer-centric approach will not disappoint.
“We’re here to offer support if a customer needs it, but generally speaking our EaaS offering is designed to be as hands-off as possible,” adds Kevin Swartzlander, critical response engineer at Peak 10. “It’s maximum separation of duties. We don’t have access to customers’ encrypted data or even to view their individualized configuration so that we’re not part of whatever compliance or security reasons they have for enacting that.”
While EaaS is always a great addition to a security program, Peak 10 warns that conducting regular security health checks on your encryption program is crucial. Continuing to identify potential vulnerabilities within your environment should be an ongoing initiative. Peak 10 knows firsthand how important this initiative is and is ready to assist customers every step of the way.