Is your enterprise looking at increasing its use of data encryption? Check out these best practices before setting your enterprise strategy.
In last week's article, I covered four basic best practices for data encryption:
No. 1: Understand your business and security objectives.
No. 2: Understand the impact of cloud architectures on encryption.
No. 3: Consider alternative obfuscation techniques.
No. 4: Ask your vendor about the encryption algorithm.
This week we'll add to the list.
CONSUMER TECH: Big security, small devices
Best Practice No. 5: Plan for all aspects of key management
Key management is at least as important as the cryptographic module in your solution. There's a range of considerations for how you will manage the keys that lock and unlock your data. You need to think about the following:
• Where will you store your keys? If you use more than one encryption/tokenization solution, will you centralize key/token management or use multiple management solutions? [Read about "Universal key management for the cloud"]
• Who will have access to the keys? Can you strictly control access according to your own policies and business logic? Ideally, only the data owner will have access, and third parties like your cloud provider cannot access keys in the clear.
• How will you do key rotation? Should you plan to decrypt data with old keys and re-encrypt it using new keys, or maintain both old and new keys?
Of course, keys should, themselves, be encrypted and never stored or transmitted in the clear. Back up the key server on a regular basis to prevent loss.
Best Practice No. 6: Implement controls with as much granularity as possible
Think about how you protect your home from burglars. You have one key that unlocks the front door. Once someone gets past that lock, he has access to practically everything in your home. But what if you put locks on every drawer and cabinet in your home and every one of these locks had a unique key? Someone might get in the front door but still not be able to easily access the cabinet with your most precious possessions.
This is the difference between disk/volume encryption and file-level or even record/field-level encryption. The more granular you can get on what you encrypt, the better. Of course, the tradeoff is that you'll have many more keys to manage. Encrypting at the file or record/field level allows you to get more specific on access to data according to job roles. For example, if you have a company spreadsheet with budget information, you can allow a department manager to view her employees' salaries but not the executives' salaries.
Best Practice No. 7: Keep comprehensive logs and audit trails
The key management solution you develop or choose must log every detail about the encryption/decryption tasks. What person or application requested and/or used a key? What data did they access? When did this happen?
Restrict access to these logs to prevent tampering or deletion, and authenticate and sign them for non-repudiation. Reports from these logs will help validate compliance with company policies and business regulations.
Best Practice No. 8: Encrypt data on portable devices, including privately owned smartphones and tablets
One of the most common sources of data breaches is the loss or theft of a portable device -- a laptop, a USB stick, a smartphone -- that contains unencrypted data. It happened again just recently. MD Anderson Cancer Center reported a laptop stolen from a doctor's home. The PC contained unencrypted and highly sensitive records on 30,000 patients. With the wide availability of encryption tools for PCs and other personal devices, there's simply no excuse for this. Companies should require -- and enforce -- full disk encryption for all desktop and notebook computers and especially for removable storage devices like USB drives.
Encryption can be a sticky wicket for personally owned smartphones and tablets. However, every company needs a policy that requires encryption on any company-owned data that makes its way onto a personal device. Implement and enforce the policy centrally through your mobile device management platform. Look for an encryption solution that works on multiple smartphone platforms.
A good complement to data encryption for portable devices is a data wipe utility. In the event that a device containing corporate data is lost or stolen, you can completely wipe the data off before it can be breached.
Best Practice No. 9: Look for a solution that supports third-party integration
Encryption solutions are often separate from the applications you need to use them with. Perhaps you want to use one solution with multiple types of applications. You may need to use APIs to integrate the encryption solution with your applications, so look for a solution that facilitates the integration.
Linda Musthaler is a principal analyst with Essential Solutions Corporation. You can write to her at LMusthaler@essential-iws.com.
About Essential Solutions Corp:
Essential Solutions researches the practical value of information technology, and how it can make individual workers and entire organizations more productive. Essential Solutions offers consulting services to computer industry and corporate clients to help define and fulfill the potential of IT.