Data encryption (2006)

Encryption is one of those words that is guaranteed to conjure up a variety of mental pictures, according to the interest and understanding of the individual concerned.

Some will think of espionage and spies, of James Bond hacking into Dr. No’s supercomputer to save the world, or the more prosaic work of the Enigma machine busters during World War 2. Some will think of complex algorithms and their relative strength. Some will think of public key infrastructures (PKIs) and messaging. Some will think of encryption in relation to portable tokens.

But one thread common to all these is the concept of taking some piece of visible information and obscuring it in such a way that only authorized individuals may be able to understand it via a mechanism of decryption.

What IT security professionals are particularly interested in, however, is the storage and transmission of such information and its protection from unauthorized access and usage.

Conventional access control mechanisms provide some protection against unauthorized access. But once such measures are defeated, the data itself is typically open to inspection. This is particularly worrying with respect to the physical theft of mobile computing devices, such as laptop computers and PDAs, and also the sort of portable data storage devices which are now becoming increasingly efficient and affordable.

It is similarly worrying with respect to data stored within databases and networks and the possibility of such data being stolen or otherwise misused.

In order to respond to such challenges, various data encryption methodologies have been developed, from simple file-based symmetrical encryption to comprehensive PKIs and a host of ideas and techniques in between. In parallel, encryption algorithms have also developed to offer greater "strength" as regards the possibility of them being defeated.

Currently, one of the more popular algorithms is AES (Advanced Encryption Standard), as articulated in FIPS 197 (NIST), and used by many government agencies, among others. As a result, it is not unusual to find AES featured in contemporary encryption products, although DES, 3DES and others are still often supported.

However, the question remains: what exactly do we wish to encrypt and why? What is the risk associated with non-encrypted data residing on hard drives, network storage systems or portable media? This will be the starting place for most of us.

Clearly, those who deploy a significant number of portable computing devices within the enterprise will have a concern about the fate of data if one of these devices is stolen.

Similarly, the pervasive use of removable storage – including Zip drives, USB flash devices and others — raises questions around the relative security of data. In many cases, such concerns may be adequately addressed by simple, file-based encryption techniques. In other cases, organizations might be more interested in the broader infrastructural picture and the protection of data across applications, databases and communications channels.

We might also like to consider the first level access control mechanisms associated with data encryption and decryption – can we rely on passwords? Or perhaps biometrics? Or smart cards and tokens? Or perhaps a combination under a two- or three-factor authentication model?

Much might depend on our perception of risk, as well as regulatory compliance obligations (such as password complexity). We must also consider the OS file systems in use (FAT, NTFS and so on) and other utilities, such as disk defragmentation systems, disk imaging, anti-virus scanning and so on. There may be compatibility or performance issues to take into consideration in this respect.

Similarly, we will need to consider our use of directories and security policies, and precisely how data encryption fits into the broader scenario.

There are also distinctions to consider between hardware-based and software-based encryption, pre-boot or post-boot implementation, Unicode compatibility and other factors. Fortunately, there is no shortage of choice in products. This group test offers an overview of some of the popular packages currently available.

When contemplating deploying such a system, whether on a standalone computing device or across a network, one of the more important parameters to consider will be ease of use and ease of recovery, should the authorized user find themselves locked out of their own data. However, the attentive supplier will no doubt have thought this through.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.