Encryption is as good as it is going to get, but problems arise when it's poorly implemented, reports Chuck Miller.
Unauthorized copying or removal of confidential information from organizations worldwide continues to trend upward, despite enormous effort and expenditure to address the problem.
In the first half of this year, the total number of data breaches recorded by the Identity Theft Resource Center (ITRC) was 342, more than 69 percent greater than the same time period in 2007. Although the relative number of incidents seems low, the magnitude and impact of each incident can be huge. And according to the FTC, only about five percent of cybercriminals are ever brought to justice.
One of the classic defenses against this rising tide is encryption. In fact, of all the ways to secure information, one of the most important is encryption. It can be particularly effective at the file level.
“Data protection at the file level is the last line of defense,” says Richard Gorman, CEO of Vormetric. “With it, if every other defense fails – for instance, the network firewall, or a system administrator has a password stolen – the intruder is still prevented from getting at the data.”
Encryption is particularly important when data is being transported, especially over the internet. Because of the way the internet is designed, it's often difficult to know where data is being routed. In addition, it's possible for people to eavesdrop on the traffic, or worse, take over some part of the switching fabric to gain access to transmitted data.
Data cryptology draws an abundance of inspiration from aviation. It's impossible to make airplanes crash-proof, but they can be made safer. If something goes wrong, authorities can study the root causes of what went wrong, and fix it.
Technologists do something similar with data security systems, discovering after the fact what works well and what requires caution.
Fortunately, today's encryption technology is highly advanced – algorithms are extremely unlikely to fail, thanks to key sizes that are impervious to any head-on assault. But some of the problems of building secure systems from this framework remain unresolved.
“The encryption algorithms we have today are 100 percent totally strong bricks, but that does not tell you how to build a good building,” says Paul Kocher, president and chief scientist at Cryptography Research.
The problem lies in how encryption technology is constructed and deployed, and especially in how end-users function. Central to effective use of encryption is user awareness. For example, because users are susceptible to trickery and social engineering, it's safe to assume that someone will try to trick encryption keyholders into revealing their secrets.
The ideal system would be one in which the user has no direct involvement in the security process, and the security just happens.
“It comes down to trying to architect the system so that users cannot foul up security easily,” says Kocher.
One formative step in that direction was SSL. When a user logs into a session through SSL, the process of negotiating the session is hidden. If a user logs into a retailer site, say, and the lock icon at the bottom of their browser shows up, strong encryption comes into play – unless the browser is badly configured, or there is an attack that compromises the system security in some way.
“Data theft and encryption is a complex topic, considering all the various ways and places to prevent the problem,” says Todd Thiemann, director of device security marketing at Trend Micro. “Some of the complexity comes from having to administer the systems without increasing the overhead on your users.”
He adds, “There's that old IT saying about people, processes and technology: ‘The technology is the easy part. The people and processes are challenging.' You have to make sure that the people are trained and processes are in place to address the overall problem.”
To meet this test, training is key. “With our users, training is where we get the most bang for our buck,” says Chris Letterman, CISO, Alaska Department of Health & Social Services. “Training is more expensive than even the technology sometimes, but the payoff is greater.”
But, even after training is put in place, and even though strong encryption algorithms are available, more challenges lurk on the horizon. The countervailing problem is that implementations are becoming more complicated over time. Applications are growing in scope and the code in them is expanding, so the consequences of making mistakes with implementations also develop rapidly.
Moreover, there is always a tradeoff between functionality and security. The tradeoff is in deciding where to put restrictions or stronger levels of security, which almost inherently induce user hassles.
“Users want to be able to easily access their data at any place and any time,” says Adam Swidler, product marketing manager for Google Apps Security and Compliance.
Meeting new demands
The marketplace is driven by compliance – organizations must continually demonstrate that they are in compliance with mandated standards and applicable laws.
“We are actively under attack every minute of the day, and as a result, in part, we now have legislation that requires encryption,” says Letterman. “Thus, from now on it will be a huge issue in procurement, specifying and acquiring technology statewide.”
Matthew Prough, system administrator for the Wisconsin cities of Fitchburg, Middleton and Sun Prairie, agrees.
“Wisconsin mandates that we meet certain requirements. If we do not, we are not allowed to connect. Inspectors from the state come out to do an in-person audit. They verify how the network is set up, how it's designed and how you are meeting the encryption requirement.”
In addition to compliance, there's the rise of the mobile worker population.
As more of the population uses mobile devices, there are correspondingly more opportunities to lose them, along with the information they contain.
Laptops in organizations of all sizes disappear periodically, and if they are not encrypted, the loss raises the possibility of an exposure that could be very expensive to correct, if not embarrassing to the organization. Any large remediation process could be a major hit to the bottom line.
There are, however, a number of inexpensive measures that counteract the problem and can yield a huge ROI. At the top of the list is encryption for laptops. If a laptop is encrypted properly, the potential costs associated with loss or data leakage are greatly reduced.
In the cloud
But the loss of physical devices is not the only issue. Many tech-savvy users ask why not eliminate some of the costs and bother of security, and run applications in the cloud? These folks argue that the cost benefit could be substantial, and performance would not be an issue.
“Our architecture is a pass-through architecture,” says Google's Swidler. “It acts like an email proxy. We're able to send massive amounts of data securely without performance degradation noticeable to end-users.”
Cost justification can be expedient in the cloud, too. When people take a look at spending for an on-premise solution, they may only take into account the cost of the software or some small part of the larger constellation of security. Often, what's more important is looking beyond the cost of encryption alone to the costs that get overlooked: security hardware, software and infrastructure. This comes on top of the care and feeding of the security beast, such as patches, maintenance fees and upgrades.
Those costs are multiplied by key protection, mainly because encryption shifts the financial focus. After data is encrypted, it is no longer vulnerable. The encryption keys become the sensitive data, and the problem moves to management and protection of the encryption keys.
“One of the earliest stumbling blocks in security was key management – if you couldn't locate a user's key, you were lost,” says John Dasher, director of product management at PGP Corporation, a global security software company.
Another problem is the lifecycle management of keys – those that are issued when a new employee is hired or when an employee leaves. It's also important to pay attention to standards. It becomes problematic to maintain different infrastructures as new device types are added to a network. The costs go up, and it creates an obligation to maintain varying infrastructure silos.
In the past few years, better ways to build secure systems have mushroomed, but many of the gains are eaten up by greater complexity – making systems harder to secure.
“The people who get the best security are the ones that simplify their systems to a large degree,” says Cryptography Research's Kocher. “Simplifying networks, reducing the amount of code in applications, educating users. It's the unnecessary bells and whistles that create most of the security risks.”
Encryption: Dos and don'ts
This simple list of encryption dos and don'ts can help you sort through the hype and protect your organization's identities and information.
Make sure the solution is “idiot proof”: 83 percent of data leakage is accidental, according to Osterman Research. If users are required to have an active role to make the encryption work — chances are that they won't — then what's the point of encryption that doesn't get used?
Ensure it works with different email platforms: Communicating externally means that users could have any number of email platforms. Ensure the solution works with Microsoft Outlook, Lotus Notes and even Web-based email clients like Hotmail, Yahoo and Gmail.
Leave no co-worker behind. Employees often copy groups of files to take with them when they leave — in most cases an innocent practice. Make sure you can and do revoke access for former employees, even on files that may have been copied before their departure (yes, this is possible).
Don't rely on “border security” to protect you. Many organizations think because they have a firewall or IPS system, they are secure. Well, just ask the folks at MTV, TJ Maxx and Harvard University. They were hacked and, because they didn't encrypt the information on their servers, had to report a data breach.
Don't get a point solution: Look for solutions that will help you implement encryption across different applications. Does it integrate with your content filter? What about sharing files between user groups?
Don't rule out a PKI: With so many applications that are “PKI aware,” this valuable technology has come of age and is more manageable and efficient than it was in its infancy in the late 1990s. It also comes in a managed service from a few leading vendors, making it even easier to deploy and manage.