Insecure Data Storage: Don’t Just Encrypt … Control!

Kevin Fox | Jun 11, 2018


We promised, in our last post on the benefits of edge computing, to explore the accompanying risks (and how Blue Cedar addresses them). Today we’ll examine Number 2 on the OWASP Mobile Risk list: Insecure Data Storage.

While processing on the edge can, itself, be a more secure and efficient way of getting things done—at least, there’s less data in transit to worry about—it also means we store and process more data on mobile and other edge devices, and that introduces other, substantial risks:

  • More and more edge devices aren’t owned or controlled by the enterprise or organization that is responsible for the security of the software running on them, so it’s difficult to control the state of security at the device processor, firmware or operating system level.
  • Some apps may store various kinds of data—as database rows, log files, cookies, or XML and other formats—without proper encryption. This potentially exposes the data to unauthorized access, either because a device falls into the wrong hands, or because malware accesses the stored data and exfiltrates it for misuse.

Imagine a financial services app that stores transaction data in a SQL database row—as plain text—on the device. This data is vulnerable, and, if stolen, might be used to gain unauthorized access to high-value enterprise resources. And, even when the mobile device encrypts data before storing, the data is typically not controllable by the enterprise.

Mitigating risk for edge computing

To mitigate these risks, app developers must assume their app will run in an unmanaged, or at least a dynamic, environment, and so must encrypt all data stored locally on a device. This raises a range of issues:

  • Proper encryption is complex, time-consuming and subject to human error. Different data types require different encryption methods and tools. App developers may be tempted to take shortcuts, especially when pressured for quick app delivery.
  • Even when encryption is properly achieved, the method chosen to generate and store encryption keys can handcuff the enterprise. To ensure future enterprise access to (and therefore control of) data, encryption keys must be stored somewhere under enterprise control—not, for example, on a mobile device that might disappear or become inaccessible.

So the issue isn’t just whether we encrypt—it’s also how we manage encryption keys. This is more complexity for app developers who would likely prefer to focus on core app functionality.
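The principle above, as an added example that is not code from the original post or from Blue Cedar: a Go sketch in which a locally stored record is encrypted with AES-256-GCM under a key fetched from a stand-in enterprise key service (`KeyProvider` is a constructed placeholder, not a real API). The device stores only a key reference beside the ciphertext, never the key, so revoking the key on the enterprise side makes the local rows unreadable.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// EncryptedRow is what lands in local storage: a key reference, a random nonce and
// the ciphertext. Neither the plaintext nor the key itself is written to the device.
type EncryptedRow struct{ KeyID string; Nonce, Ciphertext []byte }
// KeyProvider is a constructed stand-in for an enterprise-run key service. The app
// asks for a key at use time and never stores it, so revoking it makes rows unreadable.
type KeyProvider struct{ keys map[string][]byte }
func NewKeyProvider() *KeyProvider               { return &KeyProvider{keys: map[string][]byte{}} }
func (p *KeyProvider) Issue(id string, k []byte) { p.keys[id] = k } // 32 bytes = AES-256
func (p *KeyProvider) Revoke(id string)          { delete(p.keys, id) }
// aead builds AES-GCM for the referenced key, failing if it was never issued or was revoked.
func (p *KeyProvider) aead(id string) (cipher.AEAD, error) {
	k, ok := p.keys[id]
	if !ok {
		return nil, errors.New("key unavailable or revoked: " + id)
	}
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// Seal encrypts one record (e.g. a transaction row) with AES-256-GCM; the key ID is bound as associated data.
func Seal(p *KeyProvider, keyID string, record []byte) (EncryptedRow, error) {
	a, err := p.aead(keyID)
	if err != nil {
		return EncryptedRow{}, err
	}
	nonce := make([]byte, a.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return EncryptedRow{}, err
	}
	return EncryptedRow{keyID, nonce, a.Seal(nil, nonce, record, []byte(keyID))}, nil
}
// Open decrypts a row; it returns an error once the enterprise has revoked the key.
func Open(p *KeyProvider, row EncryptedRow) ([]byte, error) {
	a, err := p.aead(row.KeyID)
	if err != nil {
		return nil, err
	}
	return a.Open(nil, row.Nonce, row.Ciphertext, []byte(row.KeyID))
}
```

Binding the key ID as associated data means a row copied under a different key reference fails authentication instead of decrypting to garbage.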

Blue Cedar's unique approach to Mobile App Security

Blue Cedar addresses all these issues by eliminating the distraction and risk of writing and managing security code, expertly handling encryption for any data type, and managing encryption keys in a way that preserves access to those keys—and, therefore, to the underlying data—for the enterprise.

First, administrators select security policies for an app, including those for encryption key management: certainly authentication rules for accessing the keys, but also usage restrictions, expiration periods and other rules.

Next, the Blue Cedar security injection process scans the app’s code for data I/O and sets up military-grade encryption for each data type, without coding. Meanwhile, the cloud-based Blue Cedar key management service allocates and provides access to encryption keys, based on enterprise policies—enabling organizations to retain complete control over the data used locally by a Blue Cedar-hardened app.

Finally, the now-secured app, complete with encryption functionality, is distributed to mobile and edge devices, which have no choice but to execute the app’s policies. Sensitive data? Encrypted. Available data? Yes—to the enterprise, which, alone, has access to the encryption keys.

Meanwhile, the app developers saved days, even weeks, of time, excused from the chores of writing encryption-related code. They can focus on the app’s core functionality, because Blue Cedar took care of securing the app. Learn more by signing up for a personalized demo of Blue Cedar today. Now that we’ve prevented insecure data storage, we’ll move on. Tune in next time and we’ll cover another OWASP Mobile Top 10 security risk: Insecure Communication.
