When encrypting, simplicity is essential. Creating a balance between data availability and strong data security can be done without a complex web of encryption products, horrific key management challenges, or compromising application and system performance.
In this article, we'll review 10 steps to simplify encryption, drawn from the collective success of hundreds of encryption programs.
1) Rethink encryption
A typical IT professional is likely to describe encryption as slow, invasive or just plain scary. Ten years ago, they would have probably been right. Today, haunted by experiences with invasive encryption approaches, many IT managers still assume the technology remains a nightmare to install and manage. Fortunately, encryption approaches and management solutions have come a long way in the new millennium. Encryption today doesn't have to hurt.
With the right approach and the right solution, encryption can offer enterprises strong data security with low management overhead, top-notch performance and the ability to pass that audit – all the while maintaining your application performance requirements.
2) Get a strategy
Stop complexity before it starts. Avoid serious encryption and key management problems later by adopting a clear strategy now. Enterprises can simply encrypt on a vast scale with a low total cost of ownership (TCO) by standardizing on centrally managed encryption solutions that cover the broadest areas of need. Fewer encryption solutions mean fewer points of management and less key management complexity, with the added benefit of simplifying the audit process.
3) Understand the state of enterprise key management
When determining an encryption strategy, ensuring that keys can be effectively managed is paramount to the security of the system and the availability of the data. A common pitfall with enterprise encryption planning is the misconception that true “enterprise key management” solutions exist – this is, systems that integrate with every encryption product to centrally generate, store and backup keys. Yes, products called enterprise key managers (EKM) exist. However, these products are typically focused on supporting a limited group of encryption products (e.g., LT04 drives only). The lack of a commonly accepted and supported key management standard is at the root cause of this issue. In addition, products that manage third-party keys cannot guarantee the security of the keys if they are exposed to administrators within the encryption solution without the addition of hardware security modules (HSMs) or storing the keys centrally and introducing network latency issues.
4) Choose good key management
Avoid the enterprise key management need that arises due to the adoption of a large number of encryption products. Too many encryption points leads to fragmented key generation, backup and recovery, which puts your data at risk. This problem is further aggravated when an encryption system handles keys insecurely, which increases the number of audit points, requiring additional infrastructure in the form of expensive hardware security modules (HSMs).
To avoid key management problems, choose extensible encryption products with stellar built-in key management systems. The better the encryption solution centrally manages and secures its keys, the less a third-party management product is required – and the lower your TCO.
5) Go transparent
SSL is the most broadly used encryption method on the planet because it is transparent and simple. Applying these same transparency principles to encrypting databases, storage systems and heterogeneous, distributed servers eliminates the invasive encryption concerns of the past. Transparent encryption drastically simplifies integration, ensures that system management is not interrupted and ensures top-notch performance.
6) Broaden your view
Looking at encryption solutions in silos, such as a column, a file or a data-type leads to complexity. When embarking on encryption projects, avoid tunnel vision to ensure sensitive data is protected at all points.
Gain an understanding of sensitive data flow. Chances are you'll find regulated information in surprising locations, such as application logs, VoIP archives, image files and a variety of other systems, as well as the database. Ensuring you can protect both structured and unstructured data will allow your encryption program to grow with your needs and make future decisions easy.
7) Protect your image
With the rapidly growing adoption of virtualization in production environments, operating environments and the data they contain are far more portable. These changes to the traditional security model to protect the data center increase the importance of data-centric controls to maintain separation of duties and address the increased risk of virtual machine theft. The need for data-centric protection further increases in cloud-based infrastructure-as-a-service environments where your information is not only portable, you also don't know where it is and who has access to it. Using encryption to address these new risks to data security will ensure sensitive data is always protected no matter where the virtual machine goes – allowing your enterprise to confidently leverage these cost-saving technologies.
8) Make it smart
If encryption is only preventing data from physical theft, it is only living up to a fraction of its potential. Look for encryption products that intelligently combine policy into the decryption process. Encryption systems with intelligent policy go beyond “simple switch” encryption to provide strong separation of duties and role-based, user-based and process-based access control. Intelligent policy means fewer audit points, a lower risk profile and better data security.
9) Look for leadership
Be wary of encryption that was built as a feature. These solutions are burdened with sloppy separation of duties models and a lack of centralized management that puts the availability of data at risk and increases audit points, which require expensive hardware security modules and difficult-to-integrate key managers.
If your enterprise is going to encrypt stored data in any significant way, ensure you are working with vendors who have a strong focus on enterprise-level encryption and key management. These experts place specific emphasis on centralized management, secure handling of keys and are heterogeneous – providing you with an elegant system for current and future encryption needs.
10) Enable your business
Now that you know how to simplify encryption, start thinking about how it can enable your business. IT projects that are blocked by security concerns can quickly become realities when encryption is applied.