As the daily stories about recurrent losses of consumer data continue to raise public ire, security managers are being pressured from the very tops of their organizations to ensure that consumer data is safeguarded from exposure.
"It’s hard to go a day without seeing in the news the name of some very recognizable company that has had thousands of records compromised," says John Dasher, director of product management for PGP Corporation. "The brand damage is obvious — companies don’t want their names in the papers for this reason."
Today’s thieves and organized crime rings have a slew of weak points they can hit. Readable backup tapes fall off of trucks, laptops get stolen, internet-facing databases are misconfigured, systems are left unpatched, or Joe User sometimes doesn’t think before sending sensitive information via email. Such slips tend to be the major causes of many breaches.
Consequently, a growing minority of businesses aren’t willing to chance becoming exposed to such occurrences. They’re encrypting key data categories to keep sensitive information protected should some sort of breach occur. Enlisting such technology has long been advocated by many experts and professionals — such as Joe Nackashi at Fidelity Information Services (FIS) — as a strong move in the right direction given certain provisions in data breach laws, like California’s SB1386. Many such mandates give businesses a pass on notifying customers if key private data affected by a breach is suitably encrypted and thus not usable to would-be thieves.
As a result, not only does the organization avoid the enormous cost of notifying customers and protecting their identities, they also keep their company name out of the papers.
"There are now 27 states that have some form of legislation that basically says, ‘Look, if you handle customer data, you’re responsible for protecting it,’" Dasher says. "Your only safe harbor is if you’ve encrypted it."
Many security managers believe that encryption is critical in moving beyond perimeter-based security. In their minds, no matter how tough the fortress surrounding the data, if it is stored or transmitted in the clear, it is still at risk.
Fidelity’s Nackashi counts himself among this crowd. As chief technology officer of the FIS mortgage division, Nackashi is responsible for a mammoth operation that handles 50 percent of all the home loans that are processed in the U.S. FIS deals with over 80 major mortgage banks, storing much of the sensitive consumer information for these customers. It also shares information with over 200 other financial partners. Over the course of a month, FIS transmits over two terabytes of sensitive information to its customers and partners over its private networks.
"Fidelity takes the need to safeguard customer data very seriously," Nackashi says, "and we’ve done that historically through every single bit of software that you can imagine from an infrastructure perspective — intrusion detection, routers, firewalls and all the other various layers of security."
In spite of this, Nackashi and his team believed the data was still at risk without encryption. In 2004 FIS decided to tackle the problem.
"We took it a step further in identifying data elements that we felt needed to be encrypted [and] we’ve organized a holistic program that addresses encryption in three different themes," he says.
The first "theme," or category, is data in-flight. This includes transmissions FIS sends out to business partners each night, media data transfer and backup tapes that leave the facility. The second category is email. And the third is data at rest, including mainframe storage and database storage. The goal has been to protect those identified sensitive data elements — items such as Social Security and credit card numbers — with encryption solutions that target each of the three data modes.
"We organized based on what we felt was the greatest risk," Nackashi says.
While the FIS program requires the encryption of a lot of data, the organization is able to save time and resources by focusing only on the sensitive elements most at risk. Targeting resources like this is critical to encryption deployment success, says Jeff Cherrington of PKWare, which provides data in-flight solutions for FIS.
"The first impulse every organization has is to encrypt everything [on the tapes]. From an operational standpoint that is virtually impossible. The recommendation is as you look at your encryption needs in regard to backup think first about data classification," he says. "Use classification to identify data that must be encrypted and apply your time and energy to that and not to a wholesale approach."
At FIS this approach yielded a comprehensive program because of the massive amounts of sensitive data stored and transmitted in its operations and the regulatory penalties if these stores are compromised. But other organizations may need less — sometimes a thoughtful risk assessment might show the need for encryption in one or two areas.
For example, Papa Gino’s corporate office in Dedham, Mass., only needs a limited amount of encryption. It is in a loosely regulated vertical, but with 400 restaurants and over 8,000 employees it still has a sizable amount of customer and employee information that needs safeguarding. So network manager Chris Cahalin leverages trusted computing chips in his systems’ hardware to deploy encryption technology from Wave Systems. The technology enables employees to encrypt documents that include sensitive data.
"Our initial interest was specifically surrounding what the folks in our finance department are doing," he says. "They were finding ways to protect their files, whether using passwords or third-party encryption, but that led to a huge problem because they would either forget the password or lose the key."
Papa Gino’s was fortunate in that it could find one encryption solution that suited its needs and fit within the existing infrastructure. Often, organizations will find that their encryption wishes are greater than their situation allows. In these cases, it may be necessary to prioritize and implement based on the most immediate needs.
This is the case for DeKalb Medical Center in Georgia, which encrypts backup tapes as well as email and other data transmissions, says Sharon Finney, information security administrator for the hospital. Eventually the organization hopes to do data at rest, but doesn’t have the infrastructure for it now.
"We performed a rather intensive risk assessment and we identified a couple areas of risk," she says.
Biggest on the list was email and other moving data. Data at rest could wait until the hospital moved to a storage area network (SAN) environment in a couple of years.
Finney says that she chose PGP for encrypting email and transmissions because the solution would be able to scale to DeKalb Medical’s needs once it was ready to take on data at rest. This kind of scalability can be a real boon when it comes to managing keys and decrypting data throughout its lifecycle.
Decryption is the real issue
No matter what encryption option a business chooses, encryption is never the problem.
"Decryption is the problem, especially decryption when things go wrong," says Eric Skinner, vice president of business development for Entrust. "What we really recommend is that customers think about how transparent things are going to be for their end-users, and how manageable the situation will be when users forget their passwords or during other data recovery situations."
Key management has gotten more transparent over the years, and vendors are constantly improving ease of use. But the difficulty lies in the fragmented nature of the encryption market.
"The unfortunate thing is that there is no one vendor that provides an end-to-end solution," Nackashi says.
This can be a good thing as each provider excels in their area of encryption expertise, he says. But it does pose a challenge to enterprises worried about interoperability and key management.
Nackashi suggests to those who plan to manage multiple encryption solutions to execute as unified an approach to key management as resources will allow.
Creating a roadmap ahead of time will help ensure that your organization avoids choosing encryption products that conflict as little as possible and can minimize the complexity of key management, he says.
Another decryption issue is the challenge of working with partners and customers that will need access to data, but may not have invested in the same encryption technology.
Technology is key
Many of today’s vendors have accounted for these needs by developing special technology for their customers to provide to their business partners who will need access to the encrypted data. In fact, for both FIS and DeKalb Medical this was a major factor in choosing their encryption providers.
Minimizing customer and partner needs for investment can be critical to improving their buy-in, which can be daunting at first.
"Early on there wasn’t the same sense of urgency with some of our business partners in that they didn’t necessarily see the need to encrypt file transmissions over a private network," Nackashi says. "So there were some exchanges in terms of why Fidelity felt it was important to make sure that any data leaving our facility will, in fact, be encrypted."
In addition to using solutions that make it easier on these partners, Nackashi says the increasing public furor over corporate data breaches also has gone a long way toward changing their attitudes.
"When you interface with some of the mortgage servicing managers, you know it’s important when they want to talk about it in our executive meetings," Nackashi says of encryption.
Fortunately, FIS was able to foresee customer security needs before they even became a priority to many of the customers themselves. According to Nackashi, customer retention is now one of the most important returns on the FIS encryption investment, which has totaled "in the millions" over the past two years.
Gartner analyst Rich Mogull says that encryption is definitely not for every business.
"There frequently are better ways to manage that security," Mogull says. "Basically, it depends where that information is stored and what you’re trying to encrypt. I only recommend encryption under three circumstances. I like to call them the Three Laws of Encryption."
- Encryption is called for if data moves physically or virtually;
- Encryption is called for in the separation of duties beyond what you can get through normal access control;
- Encryption is called for if somebody tells you that you have to encrypt.