- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
The CIO-level business angle on the latest tech
In last week's article, I covered four basic best practices for data encryption:
No. 1: Understand your business and security objectives.
No. 2: Understand the impact of cloud architectures on encryption.
No. 3: Consider alternative obfuscation techniques.
No. 4: Ask your vendor about the encryption algorithm.
This week we'll add to the list.
CONSUMER TECH: Big security, small devices
Key management is at least as important as the cryptographic module in your solution. There's a range of considerations for how you will manage the keys that lock and unlock your data. You need to think about the following:
• Where will you store your keys? If you use more than one encryption/tokenization solution, will you centralize key/token management or use multiple management solutions? [Read about "Universal key management for the cloud"]
• Who will have access to the keys? Can you strictly control access according to your own policies and business logic? Ideally, only the data owner will have access, and third parties like your cloud provider cannot access keys in the clear.
• How will you do key rotation? Should you plan to decrypt data with old keys and re-encrypt it using new keys, or maintain both old and new keys?
Of course, keys should, themselves, be encrypted and never stored or transmitted in the clear. Back up the key server on a regular basis to prevent loss.
Think about how you protect your home from burglars. You have one key that unlocks the front door. Once someone gets past that lock, he has access to practically everything in your home. But what if you put locks on every drawer and cabinet in your home and every one of these locks had a unique key? Someone might get in the front door but still not be able to easily access the cabinet with your most precious possessions.
This is the difference between disk/volume encryption and file-level or even record/field-level encryption. The more granular you can get on what you encrypt, the better. Of course, the tradeoff is that you'll have many more keys to manage. Encrypting at the file or record/field level allows you to get more specific on access to data according to job roles. For example, if you have a company spreadsheet with budget information, you can allow a department manager to view her employees' salaries but not the executives' salaries.
The key management solution you develop or choose must log every detail about the encryption/decryption tasks. What person or application requested and/or used a key? What data did they access? When did this happen?
Restrict access to these logs to prevent tampering or deletion, and authenticate and sign them for non-repudiation. Reports from these logs will help validate compliance with company policies and business regulations.
One of the most common sources of data breaches is the loss or theft of a portable device -- a laptop, a USB stick, a smartphone -- that contains unencrypted data. It happened again just recently. MD Anderson Cancer Center reported a laptop stolen from a doctor's home. The PC contained unencrypted and highly sensitive records on 30,000 patients. With the wide availability of encryption tools for PCs and other personal devices, there's simply no excuse for this. Companies should require -- and enforce -- full disk encryption for all desktop and notebook computers and especially for removable storage devices like USB drives.