Product Group Tests
Encryption at restOctober 01, 2010
We always talked about defense-in-depth and it always has been at the core of our security architecture design. But never before in the history of computing has it been more urgently required.
Today, there are more types of creative malware than we could imagine even three years ago. The game has changed a lot. We always talked about defense-in-depth and it always has been at the core of our security architecture design. But never before in the history of computing has it been more urgently required.
Over the years, we have talked about achieving defense-in-depth and the risks in combining too many security platforms into a single box. But with time, we hope, comes maturity. As network architectures become more and more distributed, so too must security architectures. That is happening with the various combinations of UTMs, multipurpose gateways and endpoint protection. But no matter how good these protections are, they will fail.
They may fail because an attacker has an as-yet-unknown technology. Or they may fail because a user - wittingly or unwittingly - undermines them. But they will fail. And when they do fail, then what? If there is no fall-back strategy, data will be compromised.
An interesting point here is that this requirement always has existed, but most organizations found a fallback strategy too expensive or too difficult to use or to deploy. The obvious fallback is encryption, but encryption programs have been notorious in the past for being difficult for average users and for not being scalable enough. With the advent of PKI, developers began to think about how to manage raw encryption (i.e., disk, file or folder encryption as opposed to the use of encryption for digital certificates).
The idea is that organizations of all sizes have data and information that is their life's blood and it is not necessary to be a secret government agency to need to protect those company jewels. Today, more than in the past, there is a need to have a solid encryption scheme, regardless of the organization's size. Privacy-related information, for example, needs to be protected. Regulatory requirements have evolved considerably in the past few years and the safest, surest way to comply with privacy requirements is to encrypt.
That said, we are concerned with encrypting both data at rest and in motion. The issues are very different for the two requirements and, at the same time, share similarities. This first Group Test looks at encrypting data at rest. That, it turns out, can be a bigger challenge in many ways than encrypting data in motion. Issues such as deployment, recovery of encrypted data when an employee leaves or loses their key, and ease of use to a very broad audience where there is no consistency in skill levels, are critically important. Predictably, these operational issues are far more difficult than the simple fact of strong encryption itself.
An important part of encryption - and this is a critical issue whether we are encrypting data at rest or in motion - is key management. This is where lessons learned with PKI have been helpful. With the data at rest reviews, we saw two types of deployment: installers and full enterprise server-based.
The installer type pushes out installer packages to users, and these tools can encrypt folders, whole disks or files. The enterprise server approach generally is policy driven and deploys across the enterprise. In all cases, there are recovery methods, and virtually all vendors object to the use of the term "back door." They insist that recovery is through an administrator-based procedure ranging in complexity from a universal administrator key/password to a more complicated procedure.
What to look for
When buying encryption for the enterprise, the procedure is roughly the same as evaluating any enterprise-wide tool. First, what are you trying to accomplish. Many organizations simply want to encrypt the whole disk and let it go at that. Rather than depending on the user to select the appropriate files or folders to encrypt, these organizations simply encrypt the entire disk. Some prefer to leave the user in control. This choice usually depends on the types of data being protected.
How we tested
We fired up the virtual systems for this one. We created an exemplar enterprise consisting of a domain controller, a SQL Server deployment, an application server and a user client. We deployed using defaults and analyzed the results, testing to make sure that if we removed the encryption from the client nothing stored there was damaged.
Encryption no longer is an option. The only options you have involve how you select the encryption product and deploy it. In that regard, this month's products offer some useful choices.