Written by: Elizabeth Millard
Encryption technologies and solutions are finding greater adoption as enterprises strive to secure their networks and information. But all the different options available can be confusing and lead to uncertainty over implementation. Here are some insights on what data center managers need to be aware of when it comes to encryption.
Understanding The Basics
According to Ron LaPedis, director of product management and marketing at Spyrus (www.spyrus.com), a designer and manufacturer of USB encryption devices, there are two methods for implementing encryption: hardware and software. With the former, the encryption keys are stored in a device, and data is sent to the device for encryption or decryption. The key doesn't leave the device and is nearly impossible to steal, LaPedis says. With software, the encryption and decryption is done in the computer, and the key needs to come into memory, where it's at risk of being stolen by a hacker. In his opinion, hardware encryption tends to be more secure than software encryption.
No matter which type of encryption is used, the primary step in any encryption strategy is to take a look at the data, notes LaPedis. First, you need to be aware that your data has several different phases, he says. These are data at rest, data in transit, and data in use. The next step is to determine why you want to encrypt your data and in what phases it needs to be encrypted. Are you trying to meet industry or government regulations, or do you want to prevent your organization from showing up on WikiLeaks?
Not all data deserves protection, adds Jon-Louis Heimerl, director of strategic security at Solutionary (www.solutionary.com), a cloud-based security and compliance firm. He notes that enterprise data center managers should gauge the problem appropriately and make sure they are identifying the data that needs the highest level of protection and offering encryption for that data. He says, "Part of this just requires enough analysis and knowledge of your environment that you have confidence you know where your valuable data resides and is being processed."
For the data that does require encryption, it should be encrypted anywhere it sits in an environment, Heimerl notes. The data should be encrypted as it is received, before being stored, and anywhere it's stored.
The foundation of any encryption technology is key lifecycle management, says Russ Dietz, vice president and CTO of information security firm SafeNet (www.safenet-inc.com). It ensures that one system can manage keys for all the technologies within an organization while protecting the access to each system.
"We're noticing an increase in information castling or siloing, in which organizations are essentially creating segregated information pockets instead of properly deploying enterprise encryption," he says. This causes potential problems in information sharing and is counter to the overall mobility trend, which can have a direct impact on the business.
Managers should instead look at encryption from a holistic perspective and deploy the best key management system as the starting platform for their information security and encryption plans, Dietz believes.
There are a number of missteps that data center managers might make when trying to implement encryption, and Spyrus' LaPedis believes the most common is not using encryption that's strong enough to protect data for its lifetime.
If the data is health information, he says, it must be protected for as long as the individual is living, plus a handful of additional years. That means an enterprise can't use algorithms or key sizes expected to be broken in 50 years. While it seems reasonable to re-encrypt data using new keys and algorithms, few people think about all the encrypted data using old keys that is sitting on backup tapes, PC hard drives, and other devices.
Another misstep is to ignore key management, he says. If there are thousands of backup tapes offsite, each one with a different key, and an enterprise is changing application and database encryption keys on a regular basis, a manager would need some way of securely storing and retrieving keys when they're needed.
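The two missteps above (data that must stay protected longer than its algorithm will hold, and old keys still guarding backup media) can be checked against a key inventory. The following is an added example, not from the article or any vendor named in it; the record layout, the `audit` function, the sunset years and the sample inventory are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed local policy: last year each algorithm/key size is trusted.
# The years are illustrative placeholders, not predictions.
SUNSET_YEAR = {"3DES-168": 2023, "AES-128": 2040, "AES-256": 2080}

@dataclass(frozen=True)
class KeyRecord:
    key_id: str
    algorithm: str
    retired: Optional[date]  # None means this is still the active key

@dataclass(frozen=True)
class Medium:
    label: str            # backup tape, PC hard drive, other device
    key_id: str           # key that encrypted the data on it
    protect_until: date   # how long that data must stay confidential

def audit(keys, media, today):
    """Return (label, reason) for each medium that needs attention."""
    by_id = {k.key_id: k for k in keys}
    findings = []
    for m in media:
        key = by_id.get(m.key_id)
        if key is None:  # key was never stored or has been lost
            findings.append((m.label, "key missing from inventory"))
            continue
        sunset = SUNSET_YEAR.get(key.algorithm)
        if sunset is None:  # not on the list of publicly vetted algorithms
            findings.append((m.label, f"{key.algorithm} is not on the vetted list"))
        elif m.protect_until.year > sunset:  # data outlives the algorithm
            findings.append((m.label, f"{key.algorithm} sunset {sunset} "
                             f"precedes {m.protect_until.year}"))
        elif key.retired is not None and m.protect_until > today:
            findings.append((m.label, f"still depends on retired key {key.key_id}"))
    return findings

# Constructed sample inventory.
SAMPLE_KEYS = [KeyRecord("k-2009", "3DES-168", date(2012, 1, 1)),
               KeyRecord("k-2011", "AES-256", date(2012, 1, 1)),
               KeyRecord("k-2012", "AES-256", None)]
SAMPLE_MEDIA = [Medium("tape-0001", "k-2009", date(2070, 1, 1)),  # health data
                Medium("tape-0002", "k-2012", date(2070, 1, 1)),
                Medium("laptop-17", "k-2011", date(2030, 1, 1)),
                Medium("tape-0003", "k-lost", date(2030, 1, 1))]

if __name__ == "__main__":
    for label, reason in audit(SAMPLE_KEYS, SAMPLE_MEDIA, date.today()):
        print(label, "->", reason)
```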
It also bears mentioning that if you're approached by a company offering up a new-and-improved secret encryption algorithm, run the other way quickly, LaPedis adds. It is not the algorithm that must be secret, it's the key. By using a publicly vetted algorithm, an enterprise can be assured that many experts have evaluated it and proven it effective. In many cases, it's best to use a FIPS (Federal Information Processing Standard) 140-2 approved algorithm, he states.
Also notable is a failure to extend encryption to mobile devices, adds Solutionary's Heimerl. He believes that extending encryption onto distributed laptops and smartphones could dramatically decrease the amount of data compromised through loss or theft.
Most importantly, managers need to remember that encryption isn't the answer for everything, says Heimerl: Staff must still be trained in security awareness. Applications still need to be written well and tested. Encryption is just one more method to protect data within your environment. It is a very good method, but it is just another piece of the puzzle.