The potential damage from an insider threat can be gauged from the example of Edward Snowden, who worked at the NSA and had authorized access to thousands of the agency's secret documents, networks and systems.
"According to a recent Verizon report, insider threats account for around 14% of data breaches in 2013."
Securing data usually means encrypting it in the cloud and keeping the encryption keys out of the hands of rogue employees, but that is not enough where employees legitimately need access to those keys as part of their work. To reduce the risk of such employees misusing sensitive data, CloudFlare has released "Red October," an open source encryption tool with "two-man rule" style file encryption and decryption.
The "two-man rule" is a control mechanism, originally a military technique, designed to achieve a high level of security for especially critical information: decryption of the data only works when two or more people provide their keys.
"It comes from military history, where a nuclear missile couldn’t be launched unless two people agreed and turned their launch keys simultaneously. This requirement was introduced in order to prevent one individual from accidentally (or intentionally) starting World War III."
All communication with Red October is encrypted with TLS, ensuring that passwords are not sent in the clear.
Each user is assigned a unique, randomly generated RSA key pair. The user's private key is then encrypted with a password key derived from the user's password and a salt using scrypt. To encrypt data, the Red October server generates a random 128-bit AES key.
To decrypt a file, the requesting user must be an administrator with the correct password, and decryption proceeds only once two users from the list of valid users have delegated their keys.
To prevent unauthorized access to decrypted data, the Red October server will not decrypt a user's key without that user's password.
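The following Go program is an added illustration of the two-man rule described above, not code from Red October or CloudFlare. It assumes one particular way of tying the random 128-bit AES data key to two RSA key pairs: the data key is split into two XOR shares and each share is wrapped with RSA-OAEP under a different user's public key, so neither user can recover the key alone (the page does not describe how Red October itself layers the data key under user keys, so that construction is an assumption). The TLS transport and the scrypt-encrypted private key are left out; a delegation is modeled simply as a user's already-unlocked private key handed to the server.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what the server would store for one file: the data sealed under a
// random 128-bit AES key, plus that key split into two shares, each wrapped with
// RSA-OAEP under a different user's public key (assumed construction, see above).
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte
	WrappedA   []byte // share A under user A's public key
	WrappedB   []byte // share B under user B's public key
}

// Delegation models a user approving a decryption. In this simplified example it
// carries the user's already-unlocked private key directly.
type Delegation struct {
	Name string
	Priv *rsa.PrivateKey
}

// NewUserKey generates the per-user RSA key pair.
func NewUserKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptTwoMan seals data so that the holders of both pubA and pubB must cooperate.
func EncryptTwoMan(data []byte, pubA, pubB *rsa.PublicKey) (*Envelope, error) {
	key := make([]byte, 16) // random 128-bit data key
	shareA := make([]byte, 16)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	if _, err := rand.Read(shareA); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, data, nil)
	// Split the data key: shareA is random, shareB = key XOR shareA.
	shareB := make([]byte, 16)
	for i := range key {
		shareB[i] = key[i] ^ shareA[i]
	}
	wA, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pubA, shareA, nil)
	if err != nil {
		return nil, err
	}
	wB, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pubB, shareB, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{Nonce: nonce, Ciphertext: ct, WrappedA: wA, WrappedB: wB}, nil
}

// DecryptTwoMan enforces the rule: it refuses unless two distinct delegations are
// present, and each delegation must actually unwrap its own share.
func DecryptTwoMan(env *Envelope, a, b *Delegation) ([]byte, error) {
	if a == nil || b == nil {
		return nil, errors.New("two-man rule: two delegated users are required")
	}
	if a.Priv.Equal(b.Priv) {
		return nil, errors.New("two-man rule: both delegations come from the same user")
	}
	shareA, err := rsa.DecryptOAEP(sha256.New(), nil, a.Priv, env.WrappedA, nil)
	if err != nil {
		return nil, fmt.Errorf("delegation from %s cannot unwrap share A: %w", a.Name, err)
	}
	shareB, err := rsa.DecryptOAEP(sha256.New(), nil, b.Priv, env.WrappedB, nil)
	if err != nil {
		return nil, fmt.Errorf("delegation from %s cannot unwrap share B: %w", b.Name, err)
	}
	if len(shareA) != len(shareB) {
		return nil, errors.New("corrupt key shares")
	}
	key := make([]byte, len(shareA))
	for i := range key {
		key[i] = shareA[i] ^ shareB[i]
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	alice, _ := NewUserKey()
	bob, _ := NewUserKey()
	env, _ := EncryptTwoMan([]byte("constructed sample secret"), &alice.PublicKey, &bob.PublicKey)
	_, err := DecryptTwoMan(env, &Delegation{"alice", alice}, nil)
	fmt.Println("alice alone:", err) // refused: only one delegation
	pt, err := DecryptTwoMan(env, &Delegation{"alice", alice}, &Delegation{"bob", bob})
	fmt.Println("alice+bob:", string(pt), err)
}
```

A lone user, the same user delegating twice, or a user who was never in the envelope all fail before any plaintext is produced, which is the property the two-man rule is meant to give. In this simplified form the server must pass the delegations in the order the envelope was created (share A holder first); a real deployment would key the shares by user identity.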
The software is freely available as an open source application on GitHub.