Page 35 - FCW, May 30, 2016

ExecTech: Understanding the encryption options
When it comes to protecting data, it's rarely as simple as "encrypt it all, all the time"
BY MARIA KOROLOV

Encryption works. So why aren't all agencies encrypting everything, everywhere, all the time?

The short answer: Although it might be effective, encryption is not that simple. It can be costly and time-consuming and difficult to integrate with legacy applications. It can also be sabotaged by users.

So to make smart decisions about where and how to encrypt, it's essential to understand the different approaches.

Protecting data stored on servers

Data encryption addresses four major areas: data in motion, data stored on user devices, data stored on servers and data that is currently being used.

Today, most encryption efforts focus on data stored on servers because that is where the majority of big breaches take place.

"There are lots of different challenges," said Sol Cates, chief security officer at Vormetric. "How do I do this at scale? And how do I do it across multiple application stacks, architectures, cloud services and legacy applications?"

Part of that complexity is the challenge of managing encryption keys. There is typically no more than one password per user per application, and users generally get to choose them. But encryption keys are long and must be generated, not chosen. The smallest recommended key, AES-128, is a 128-bit value, the equivalent of a 39-digit number. An RSA-2048 key is equivalent to a 617-digit number. And each file and message may require a separate key. Losing the key is the same as losing the data.

And failing to protect the keys creates a fatal security flaw, said Tammy Moskites, CIO and chief information security officer at Venafi. "If you don't know where the keys are, it helps the bad guys circumvent controls," she added. "Then there's a huge security gap."

A particular challenge for government agencies is encrypting legacy systems. Encrypting a database and sticking it on a shelf somewhere is simple enough. But encrypting a database that is constantly being used is something else entirely. The encryption must be built in from the start or added afterward to the database itself and all the applications that access it — at significant cost.

"The Office of Personnel Management was [using] an old, legacy mainframe system that did not have the capability to do encryption," said Jerry Irvine, CIO at Prescient Solutions. "And there are still lots of old systems out there."

In fact, according to a report OPM issued shortly after last year's breach, "Full encryption of the databases that were accessed

Some encryption options

• Full-disk encryption. Fully encrypting everything on a particular device, such as a laptop, is useless unless the device is protected with a secure password. Because the decryption key is held in memory while the device is powered on, it is also ineffective if the device is compromised while it is being used or if the user turns off the password protection. But when implemented correctly, and the device is powered off, not even the FBI can breach full-disk encryption.

According to the Aberdeen Group, 70 percent of all breaches of endpoint devices involve loss or theft, and full-disk encryption would be useful in blocking them.

• File-level encryption. If hackers get into a particular file on a server, they would not be able to access others because the files are locked with different keys. However, if hackers compromise a privileged user's account, which can unlock every file's key, they might be able to access a large number of files. For maximum effectiveness, agencies should keep the number of privileged accounts to a minimum and use multifactor authentication to reduce the risk of outside access.

Aberdeen Group research shows that 93 percent of breaches involving servers are caused by hacking, malware, misuse and error, and file-level encryption would help limit the damage from them.
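The file-level design the sidebar describes, as an added example that is not code from the article, Aberdeen Group or any vendor named here: every file gets its own random data-encryption key (DEK), each DEK is wrapped under one key-encryption key (KEK), and only a privileged process holds the KEK. The point it demonstrates is the blast radius: a leaked DEK opens exactly one file, while whoever holds the KEK (the privileged account) opens all of them. The cipher is an assumption made so the example runs with only the standard library: an encrypt-then-MAC construction from HMAC-SHA256 (keystream in counter mode plus an HMAC tag) standing in for AES-GCM, which is what a real deployment should use. The class and function names, and the sample records, are constructed for illustration.

```python
"""Per-file encryption with independent data keys under one wrapping key.

Constructed example, not from the FCW article. The cipher below uses
HMAC-SHA256 as a PRF in counter mode with an HMAC tag (encrypt-then-MAC);
it is a stdlib stand-in for AES-GCM, not a recommendation.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

NONCE_LEN = 16
TAG_LEN = hashlib.sha256().digest_size  # 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: HMAC(key, nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _derive(key: bytes, label: bytes) -> bytes:
    """Derive independent encryption and MAC subkeys from one secret key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag."""
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key or tampered data raises ValueError."""
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    ks = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


@dataclass
class EncryptedFile:
    name: str
    wrapped_dek: bytes  # this file's DEK, encrypted under the KEK
    body: bytes         # file contents, encrypted under the DEK


class FileStore:
    """Each file is locked with its own DEK; the KEK only ever wraps DEKs."""

    def __init__(self, kek: bytes):
        self._kek = kek
        self.files: dict[str, EncryptedFile] = {}

    def put(self, name: str, data: bytes) -> None:
        dek = os.urandom(32)  # fresh random key per file
        self.files[name] = EncryptedFile(name, encrypt(self._kek, dek), encrypt(dek, data))

    def unwrap_dek(self, name: str) -> bytes:
        """Privileged operation: requires the KEK."""
        return decrypt(self._kek, self.files[name].wrapped_dek)

    def read(self, name: str) -> bytes:
        return decrypt(self.unwrap_dek(name), self.files[name].body)


def read_with_dek(store: FileStore, name: str, dek: bytes) -> bytes:
    """What an attacker holding only one file's DEK can do (no KEK needed)."""
    return decrypt(dek, store.files[name].body)


def blast_radius(store: FileStore, dek: bytes) -> list:
    """Names of the files a single leaked DEK actually decrypts."""
    readable = []
    for name in store.files:
        try:
            read_with_dek(store, name, dek)
            readable.append(name)
        except ValueError:
            pass  # tag check fails: this DEK does not fit this file
    return readable


if __name__ == "__main__":
    store = FileStore(kek=os.urandom(32))
    # Constructed sample records standing in for agency files.
    store.put("personnel.csv", b"id,name,clearance\n1,Alice,TS\n")
    store.put("payroll.csv", b"id,salary\n1,98000\n")
    leaked = store.unwrap_dek("payroll.csv")  # one DEK leaks from one process
    print("one leaked DEK opens:", blast_radius(store, leaked))
    print("KEK holder opens:", [n for n in store.files if store.read(n)])
```

The wrapped DEKs can sit next to the files; what must be guarded is the KEK and the accounts allowed to call the unwrap path, which is why the sidebar's advice to minimize privileged accounts and require multifactor authentication is the control that matters here.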