10 encryption tips for the enterprise
Whether you’re protecting corporate data from internal leakers, hackers looking to steal money from you and your customers, foreign spies, your own government, or employees accidentally leaving their laptops in a taxi, encryption is today’s hot go-to tool.
But encryption done wrong can be worse than no encryption at all, since it gives you an unwarranted senses of security. Here are tips for doing encryption right.
TIP 1: Use the strongest encryption you can
If your data must absolutely, positively, be protected at all cost, use well-known, battle-tested algorithms and the longest keys you can practically manage. Use hardware-based encryption to take it up another notch. The NSA isn’t the only organization out there with supercomputers.
Intel is one of several companies working on expanding hardware-based encryption technologies. Moving these processes to the hardware level can increase speeds four-fold, says Jason Kennedy, Intel’s director of product management. “By accelerating this process four times, you’re allowing folks to be able to implement your corporate processes much more effectively.”
In addition, full drive encryption on laptops becomes less annoying for employees, who are then less likely to turn it off. “We’re trying to make sure that the security doesn’t get in your way,” says Kennedy.
TIP 2: Keep your keys safe
If your encryption is strong enough that not even a foreign government with a supercomputer can break it, then you’re in for a world of trouble if you lose your encryption keys.
“My first tip to anyone who starts to think about encryption is to think about the keys,” says Tsion Gonen, encryption expert and chief strategy officer at SafeNet. “Keys first, encryption second.”
That means planning ahead for how the keys will be generated, how they will be stored, who will be allowed access, how often the keys will be replaced, and when those keys will be deleted.
This usually requires the use of key management technology, since many of these tasks can be difficult to do manually, and mistakes can be fatal. And, as with passwords, you don’t want to be using the same keys everywhere.
“You should change your keys every two years, under some recommendations,” says Mike Fleck, CEO of CipherPoint Software, a Denver-based security company. And it’s not just for the obvious reason that you don’t want hackers who get their hands on a key to have access to all your data.
“The bigger the sample size of your encrypted data, the more opportunities a hacker has to find patterns in the data and brute-force the key,” he says.
TIP 3: Delete keys to permanently erase data in the cloud
If your company is using the cloud to share sensitive documents or to make convenient backups, are you sure that your files are really gone when you move them to the trash? (Also read a roundtable discussion on cloud security.)
“A customer of ours is an online legal company, and their clients put legal documents on their cloud service,” says SafeNet’s Gonen. “They were asking, ‘If we hit delete on a document, is it really deleted, or was it backed up 10 times somewhere on the cloud infrastructure and could still be around?’ One way to prove that something was deleted is to delete the key. Then it doesn’t matter if it’s still somewhere.”
TIP 4: Use encryption to keep data isolated in shared environments
Whether you’re using an internal system to store data that cannot be commingled, or sharing a public cloud with other tenants, encryption lets you keep the data logically separated.
“If you’re using shared infrastructure — say, consumer banking and corporate banking on an internal cloud — how do you create separation in an isolated matter? You can do that with encryption,” says SafeNet’s Gonen.
TIP 5: Don’t store your keys next to the data
Storing encryption keys right next to the encrypted data is like writing your PIN on your ATM card, like leaving the keys to your safe in the lock itself.
And this applies to both internal and cloud environments. If a hacker – or a privileged but traitorous user – has access to both the encrypted data and to the keys, then all the efforts have been wasted. If the data is stored with a third-party vendor then the risk of hackers and employees gone bad is compounded with that of an outside agency showing up and forcing the vendor to hand over the keys and the data. If you keep the keys in your own possession, government agents can still show up with a subpoena – but they’ll be knocking on your door, and you’ll know they’re looking.
One problem is what to do when, say, a database or system administrator is also in charge of maintaining the keys for the system. The answer, suggests Sol Cates, chief security officer at San Jose-based security firm Vormetric, is to have a different department in the company be responsible for the keys, which are stored in a secure Vormetric appliance.
“What our customers traditionally do is that key management will go to some part of the security organization,” Cates says. “And policy management is usually aligned between human resource management and security, or a collaboration between the business line owner and security.”
“The keys are transported down to the system and stay with the data while it’s being used, so it doesn’t have to go back to the appliance every time,” he says. “Even with heavy load systems like databases, you can still meet performance standards. We have very large enterprise customers, with deployments of thousands of systems that need to be protected. We’ve blinded the infrastructure from the data.”
TIP 6: Don’t give up your keys
Some customers use the Vormertric key management appliance in conjunction with applications running on public clouds as well, says Cates. “What this has done for a lot of our large enterprise customers is it makes the cloud a lot more attractive.” Smaller-scale systems are also available for other uses of public clouds.
If you’re using the cloud to store data you can encrypt the data when it goes out, and decrypt it when you load it back again. The storage vendor never has to see the encryption keys.
A VPN is another example of this approach – it creates an encrypted tunnel between two companies, or between a company or its employees, with the encryption and decryption taking place at the end points.
TIP 7: Function-preserving encryption can be handy, but can come at a price
It is possible to encrypt data in such a way that you’re still able to sort or search it without decrypting everything first. This can be a useful trick if, say, you’re using a cloud-based application like hosted email. You’ll be able to find the emails you need without ever giving the vendor the encryption keys, by encrypting and decrypting everything locally, via a proxy.
There are two potential problems with this approach, however. One is that the more functionality an encryption method preserves, the less secure it is. The additional risk may be minor, and may be fine for some types of data but inappropriate for really sensitive information.
The second problem is that no encryption method preserves all functionality. For example, a spell checker isn’t going to work. To address this issue, developers need to build that functionality into the proxy itself. This means that you’re losing out on one of the advantages of using a cloud-based application – easy and instant access to new features. Instead, when the cloud vendor rolls out a new feature, users have to wait for that feature to be added to the proxy. Plus, proxies have to be developed for each individual online application separately, which can quickly get very expensive.
As a result, only the biggest, most popular online apps – like Salesforce and Microsoft’s hosted Exchange product – have commercially available proxies.
New York-based Vaultive, for example, allows companies to use mailboxes, calendars, notes and tasks of Office 365’s Exchange online component while keeping the encryption keys in-house. Companies install and run Vaultive’s proxy software and all data that goes up into the cloud would be encrypted.
“They can tear down their entire Exchange infrastructure and save a lot of money,” says Ben Matzkel, the company’s co-founder and chief strategy officer. “The remote application would perform its functions against encrypted text, and the outcome would be the same outcome you’d expect if that data wasn’t encrypted. It works for indexing, sorting, creating reports, joining data from different sources and correlating them.”
Other functionality is handled in the proxy itself, including e-discovery, legal holds, filtering and data loss prevention, he says. Next, the company plans to get to work on other online tools available on the Microsoft cloud.
TIP 8: Consider encrypting more than just the data
If you’re using a public cloud to run virtual machines and a hacker gets access to it, they’ll have a leg up on breaking into your data.
“If the Allies had never gotten access to the Germans’ Enigma machine during World War II, they never would have been able to decrypt their messages,” says SafeNet’s Gonen. “You want to give the hackers as few things to work with as possible.”
TIP 9: Consider protection for employees on the go
Even if your company already has a VPN set up for traveling users, don’t forget that employees need protection when accessing personal sites on the Internet as well. Otherwise, when they’re using public Wi-Fi, sensitive corporate documents located on their laptops might be exposed. A number of providers offer services that encrypt Internet traffic when it’s in the public airwaves, decrypt it when it reaches their servers, then send it on the rest of the way through normal Internet channels. For extra security, check that the vendor doesn’t monitor or save the traffic, and can’t link the traffic with real-world user identities.
Similar services can be used for placing Skype calls from mobile devices, not only from public hotspots, but from within foreign countries where hostile governments may be listening in on local conversations.
Washington, D.C.-based Silent Circle, for example, has seen a five-fold spike in sales since the start of June and the NSA leaks.
When both parties subscribe to the same service, the conversation is encrypted end-to-end. When one of the end points is a regular phone, the conversation is encrypted all the way to a Silent Circle server, and goes the rest of the way as a normal call.
There are also companies that will encrypt regular cell phone voice and text traffic.
TIP 10: If you must store the keys with the data, lock up the keys tight
Many laptops are designed to be self-sufficient. After all, employees need to be able to access their documents even when they don’t have an Internet connection. As a result, the keys for decrypting the data have to be stored on the device itself.
You can have employees carry the encryption keys on a separate device, like a thumb drive, that can be used to unlock their laptops. Or you can hide the key on the laptop itself, but in a secure place.
“There’s a chip in laptops that handles encryption, but most applications don’t take advantage of it,” says Richard Moulds, vice president of product strategy at Thales e-Security. Thales e-Security is a business unit of Thales Group, a major French defense, aerospace and security company.
Microsoft BitLocker is one application that does use these chips, he says. “The hackers would literally have to break into the chip and it would be several orders of magnitude more difficult to get access to that key.”
Best Microsoft MCTS Certification, Microsoft MCITP Training at certkingdom.com