Encryption: The Last Line of Defense
Encryption is probably the last barrier to prevent an attacker from gaining access to sensitive business information. Security practitioners must seriously review using encryption as an important component of the overall business security strategy.
Numerous factors are driving the urgency for businesses to encrypt data, including increases in the number of mobile users, storage of sensitive information on portable devices, compliance legislation, outsourcing, wireless transmission and the need to protect confidential, sensitive information.
In the area of legislation, the U.S. Health Insurance Portability and Accountability Act (HIPAA) establishes encryption as an addressable implementation specification for both data at rest and data in motion. The U.S. Sarbanes-Oxley legislation, Section 404, will result in technology solutions that provide assurance that tampering has not occurred. California Senate Bill (SB) 1386 requires companies to inform California customers of security breaches involving the compromise of their names in combination with their Social Security, driver’s license or credit card numbers. This legislation will result in encryption being seriously considered to secure sensitive customer or client information.
There are two basic types of cryptography: symmetric and asymmetric. Symmetric cryptography is an encryption system that uses the same key to encrypt and decrypt. The secrecy of encrypted data depends the secret key, or “private key.” The private key may be stored on a computer’s hard disk or a specialized cryptographic device. The message is encrypted and decrypted with the same key. Examples of symmetric key algorithms are Data Encryption Standard (DES), Triple DES (3DES), Blowfish and the Advanced Encryption Standard (AES). The challenge for symmetric key encryption is how to “secretly” distribute the “secret” key.
Asymmetric key encryption is an encryption system that uses a linked pair of keys. What one pair of keys encrypts, the other pair decrypts. The public key is publicly available and is usually embedded in digital certificates. The public and private keys are mathematically related but cannot be derived from each other. The challenge for asymmetric key encryption is performance—they tend to be much slower than symmetric key encryption. The advantage of asymmetric key encryption is that key distribution is not a challenge. Examples of asymmetric key algorithms are RSA, Elliptic Curve Cryptosystem (ECC) and Diffie-Hellman.
To address the challenge of data integrity, businesses should consider the application of message digests. A message digest takes a message of any size as input and outputs a short, fixed-length code. The message digest is unique to the message and depends on every bit of the message and its attachments. A message digest is like a fingerprint of the message, and it cannot be used to restore the original message. Message digests are also referred to as digital fingerprints, cryptographic hashes or cryptographic checksums. Commonly used message digests include MD4 and MD5 from RSA Security and SHA-1 (Secure Hash Algorithm) from the National Institute of Standards and Technology (NIST).
Don’t even start thinking about encryption products and technologies until you first develop your organization’s encryption policy. This policy provides the framework for the deployment of encryption.
Businesses need to formally review their requirements for securing data at rest and data in motion through a formal risk analysis. The objective is to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of sensitive information. The results will provide valuable information for the business to determine its encryption requirements.
For example, the encryption policy might state that the organization will deploy encryption solutions that support 2048 bits for asymmetric encryption and 128 bits for symmetric encryption. Further, the encryption policy could state that all mobile devices that store any sensitive business data must store all such data in encrypted files and directories. The encryption policy further addresses issues such as:
- Identification of sensitive data at rest or data in motion that needs to be encrypted.
- Identification of standards that guide the selection of safeguards to implement encryption requirements.
- Guidelines for key management and security.
Organizations should seriously consider the encryption of all critical files, directories or media on server systems as well as mobile devices, such as PDAs and laptops. Mobile devices typically hold sensitive business information and may be stolen. Software encryption solutions need to be strongly considered for all such mobile devices. For example, in the Microsoft Windows environment you can use the Encrypted File System (EFS) to store encrypted files and folders on NTFS file system volumes. When a folder is encrypted, all the folders and subfolders created in the encrypted folder are automatically encrypted. This may be something to consider for encryption of information at the operating system level on server systems.
To address the challenge of securing data in motion (transmission) you need to consider the application. For example, to secure Web server/browser communication you can use Secure Sockets Layer (SSL) to establish an encrypted tunnel for the transmission of sensitive data such as Web-based electronic transactions. To secure the transmission of data over a public network such as the Internet you must consider establishing a virtual private network (VPN). A VPN is the use of an encrypted tunnel over a public network to provide privacy on par with a private network—either site-to-site (router-to-router) or for secure remote access (client-to-server). The emerging standard for site-to-site tunneling is the IPSec protocol.
Organizations that need to encrypt a large volume of data may consider using a network appliance, which resides between the server or storage system and the network. The devices operate at LAN speeds. Thus, performance, which is typically an issue with encryption, is not an issue with encryption network devices. Vendors that specialize in this area include Decru, NeoScale Systems, nCipher, Ingerian Net-works and Vormetric.
Businesses must be serious about encrypting sensitive data. Encryption adds a critical layer of defense in an organization’s security strategy. The sensitive information stored in critical server systems as well as mobile devices must be secure so data isn’t compromised, even if the systems are. Further, sensitive information that is transmitted must be encrypted.
Security practitioners as well as the security officer must ensure the business has developed a formal encryption policy and must be familiar with practical encryption solution options. Follow the principal of defense-in-depth and selectively deploy encryption technologies, at a minimum, to secure sensitive data on critical server systems, mobile devices and data transmitted over the Internet. This last line of defense is often not deployed, and that is something security professionals need to seriously review to secure the electronic “crown jewels” of the enterprise.
Uday O. Ali Pabrai, Security+, CISSP, CHSS, chief executive of ecfirst.com, consults extensively in the areas of enterprise security and HIPAA. Pabrai, author of the best-selling “Getting Started with HIPAA,”is the co-creator of the Security Certified Program (www.securitycertified.net). E-mail him at firstname.lastname@example.org.