- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
The CIO-level business angle on the latest tech
In my recent conversation with Dr. Eric Cole of the SANS Institute (see "New approaches to combat 'sources of evil' and other security issues"), Cole stressed the importance of data encryption, especially as organizations migrate data into the cloud. His advice: Encrypt the data and manage the keys in such a way that no one but you has access to the keys.
It's good advice that I'd like to expand on with a summary of best practices for data encryption. This week's list covers business objectives, cloud architectures, alternative obfuscation techniques and encryption algorithms. Tune in next week for best practices concerning key management, granular controls, logs and audit trails, portable devices and third-party integration.
Before you choose any encryption product or strategy, make sure you understand your enterprise's business and security objectives. This includes understanding any and all internal and external data governance policies (including data privacy and residency) and compliance mandates (e.g., PCI, HIPAA, GLBA, etc.).
Once upon a time, enterprises controlled all the physical aspects of their data. Quite the opposite is true in a cloud environment. Someone other than the enterprise physically controls the storage, the servers, the applications, etc., and it's this situation that's driving the need for strong encryption solutions where no one but the data owner has access to the encryption keys.
Cloud environments introduce all sorts of complexities to think through before selecting one or more encryption solutions. For example:
• If we encrypt data in a SaaS application, will we still have all the functionality of the application? (Sorts and searches don't work well on encrypted data.)
• If we use a "big data" application for business analytics and need to spread data across hundreds or thousands of servers, how will the keys be generated and where will they be stored?
• If we process customer data in the cloud and residency restrictions prohibit us from allowing data to cross physical borders, will encryption meet the compliance requirements? (Typically not.)
Encryption isn't the only method that can protect your data. Tokenization is an up-and-coming technique to remove sensitive data from applications and storage and replace it with placeholder characters called tokens. The benefit of tokens is that they are completely random and there is no algorithm that can turn them back into the real data they represent. This methodology works in some cases where encryption comes up short -- specifically in scenarios where data is restricted by residency requirements. See how in "Meeting data privacy, residency and security requirements in the cloud."
The encryption process involves putting your data characters through a mathematical algorithm or formula to transform them into ciphertext. While there are international standards for the basic algorithm, encryption vendors can take liberties with how they apply the standards, or they can develop their own algorithm. This can affect how easy (or not) it is to crack your encryption.
The National Institute of Standards and Technology (NIST) has a program for cryptographic module validation. This program validates that a vendor's encryption method meets the standards set for U.S. government applications. You can check the status of your vendor's products through the Cryptographic Module Validation Program. Note that it's quite expensive for vendors to certify their cryptographic module by NIST, so not every encryption vendor undergoes this process. That doesn't mean they have a bad solution, so it's important for you to ask your vendor questions about the specific modules they use. When choosing a solution, it's best to stick with an encryption module that adheres to industry standards.
Tune in next week for the rest of the list.
Linda Musthaler is a principal analyst with Essential Solutions Corporation. You can write to her at LMusthaler@essential-iws.com.
Essential Solutions researches the practical value of information technology, and how it can make individual workers and entire organizations more productive. Essential Solutions offers consulting services to computer industry and corporate clients to help define and fulfill the potential of IT.
Read more about infrastructure management in Network World's Infrastructure Management section.