According to security vendor Symantec, 48% of enterprises increased their use of encryption over the past two years. This sharp increase mirrors the increase in data migration to the cloud. If your organization is now faced with setting an enterprise encryption strategy, take a gander at these best practices before generating your first ciphertext.
In my recent conversation with Dr. Eric Cole of the SANS Institute (see "New approaches to combat 'sources of evil' and other security issues"), Cole stressed the importance of data encryption, especially as organizations migrate data into the cloud. His advice: Encrypt the data and manage the keys in such a way that no one but you has access to the keys.
It's good advice that I'd like to expand on with a summary of best practices for data encryption. This week's list covers business objectives, cloud architectures, alternative obfuscation techniques and encryption algorithms. Tune in next week for best practices concerning key management, granular controls, logs and audit trails, portable devices and third-party integration.
Best Practice No. 1: Understand your business and security objectives
Before you choose any encryption product or strategy, make sure you understand your enterprise's business and security objectives. This includes understanding any and all internal and external data governance policies (including data privacy and residency) and compliance mandates (e.g., PCI, HIPAA, GLBA, etc.).
Best Practice No. 2: Understand the impact of cloud architectures on encryption
Once upon a time, enterprises controlled all the physical aspects of their data. Quite the opposite is true in a cloud environment. Someone other than the enterprise physically controls the storage, the servers, the applications, etc., and it's this situation that's driving the need for strong encryption solutions where no one but the data owner has access to the encryption keys.
Cloud environments introduce all sorts of complexities to think through before selecting one or more encryption solutions. For example:
• If we encrypt data in a SaaS application, will we still have all the functionality of the application? (Sorts and searches don't work well on encrypted data.)
• If we use a "big data" application for business analytics and need to spread data across hundreds or thousands of servers, how will the keys be generated and where will they be stored?
• If we process customer data in the cloud and residency restrictions prohibit us from allowing data to cross physical borders, will encryption meet the compliance requirements? (Typically not.)
Best Practice No. 3: Consider alternative obfuscation techniques
Encryption isn't the only method that can protect your data. Tokenization is an up-and-coming technique to remove sensitive data from applications and storage and replace it with placeholder characters called tokens. The benefit of tokens is that they are completely random and there is no algorithm that can turn them back into the real data they represent. This methodology works in some cases where encryption comes up short -- specifically in scenarios where data is restricted by residency requirements. See how in "Meeting data privacy, residency and security requirements in the cloud."
Best Practice No. 4: Ask your vendor about the encryption algorithm
The encryption process involves putting your data characters through a mathematical algorithm or formula to transform them into ciphertext. While there are international standards for the basic algorithm, encryption vendors can take liberties with how they apply the standards, or they can develop their own algorithm. This can affect how easy (or not) it is to crack your encryption.
The National Institute of Standards and Technology (NIST) has a program for cryptographic module validation. This program validates that a vendor's encryption method meets the standards set for U.S. government applications. You can check the status of your vendor's products through the Cryptographic Module Validation Program. Note that it's quite expensive for vendors to certify their cryptographic module by NIST, so not every encryption vendor undergoes this process. That doesn't mean they have a bad solution, so it's important for you to ask your vendor questions about the specific modules they use. When choosing a solution, it's best to stick with an encryption module that adheres to industry standards.
Tune in next week for the rest of the list.
Linda Musthaler is a principal analyst with Essential Solutions Corporation. You can write to her at LMusthaler@essential-iws.com.
About Essential Solutions Corp:
Essential Solutions researches the practical value of information technology, and how it can make individual workers and entire organizations more productive. Essential Solutions offers consulting services to computer industry and corporate clients to help define and fulfill the potential of IT.