IT Focus Area: Security
March 23, 2015
7 Keys to Building an Encryption Strategy
Life as we know it would be practically impossible without cryptography, the science of secret communication. From banking, to entertainment and online shopping, codes and ciphers are integral to modern daily life. Cryptography is the science of secret communication. Its fundamental objective is to enable communications over an insecure channel in such a way that a potential adversary cannot understand what is being conveyed.
The global proliferation of cyber espionage has led one particular component of cryptography—encryption—to become critical in the effort to safeguard sensitive data and intellectual property (IP).
Encryption can be invaluable in the effort to combat advanced threats and maintain regulatory compliance. But the wide variety of options for enterprise deployment can be intimidating, and companies haven’t been using it effectively.
What is Encryption?
Encryption is a process based on a mathematical algorithm (known as a cipher) that makes information hidden or secret. Unencrypted data is called plain text; encrypted data is referred to as cipher text. In order for encryption to work, a code (or key) is required to make the information accessible to the intended recipients.
Three States of Data
In order for data to be secure, it must be protected throughout its lifecycle. It is therefore important to consider the state of the data you are trying to protect: data in motion (data being transmitted over a network), data at rest (in your data storage area or on desktops, laptops, mobile phones or tablets), or data in use (in the process of being generated, updated, erased, or viewed). Each presents unique challenges. And each may have different tools and methodologies that can be used to secure it.
7 Steps to Build Your Encryption Strategy
It’s imperative to remember that your encryption project—and IT security in general—is a process, not a product. Effective encryption takes time; in addition to careful consideration of data states and encryption techniques, seven key elements can help you build a successful end-to-end approach:
Creating an encryption strategy requires a collaborative effort. It is best to approach it as a major initiative that includes members of management, IT and operations. Start by bringing together key data stakeholders and work to identify the regulations, laws, guidelines and external influences that will factor into purchasing and implementation decisions. From there, you can move on to identifying high-risk areas, such as laptops, mobile devices, wireless networks and data backups.
2. Data classification
It is important to leverage encryption as part of your broader IT security efforts. Companies that don’t have an effective data classification and/or prioritization program in place tend to struggle with data encryption.
Separate valuable information that may be targeted from less valuable information by tracking data usage cycles and implementing appropriate encryption controls. Take into account:
- Where this information is stored. Make sure you include all locations such as mobile devices, backup systems and cloud services.
- Who has access to it; understand which employee roles and individuals must have access, as well as those that may have unwarranted access.
- What your organization’s process is for provisioning and deprovisioning access.
- Your partners’ valuable information and what your process is for evaluating your partners’ security.
- The ultimate value to an attacker of combined information from your organization and that of a partner. For example, an insurer of critical infrastructure may provide valuable information to an attacker seeking to infiltrate the infrastructure that is being insured.
3. Key Management
Guard your keys. If keys and certificates are not properly secured the organization is open to attack, no matter what security controls are in place. Many organizations have tens of thousands of keys and certificates, with no clear understanding of their inventory. They do not know how keys and certificates are being used, what systems they provide access to, or who has control over them. It is imperative that organizations understand which keys and certificates are used in the network, who has access to them, and how and when they are being used. The first step in gathering this information is to gain a clear understanding of the organization’s inventory by centrally managing keys and certificates. This will enable you to detect anomalous behavior, such as rogue self-signed certificates. Critical aspects of key management include the following:
- Encryption Key Lifecycle Management:
While encryption key lifecycle management can be overwhelming to organizations with a large number of keys, there is no way to validate the integrity of the keys and by extension, the integrity of the data itself, without it. Keys must be protected with a reliable key management solution from the moment they are created through their lifecycle of initiation, distribution, activation, deactivation and termination.
- Heterogeneous Key Management:
A centralized key management platform allows for unified access to all of the encryption keys and a 360-degree "single pane of glass" view into the overall strategy. Requiring Hall keys to be managed from the same place, in the same way, allows for a granular understanding of how the keys are being used and more importantly, whether they are being accessed incorrectly. Without an overarching heterogeneous key management solution, the organization will be continuously chasing after rogue keys and struggling to ensure encrypted data is valid and able to be decrypted when necessary.
The deployment of hardware security modules (HSMs) can help to protect the key management lifecycle in complex environments.
4. Finding the Right Solution for Your Environment
Once you have established your key management needs, it is time to evaluate and implement encryption solutions. There are many options and factors to consider. A “try-before-you-buy” approach is best because what works for one organization may not work for another. Companies should explore working with a vendor-independent partner who can help test potential solutions and find the best fit for their environment.
5. Access Control
Ensuring that only authorized users can access data is critical in the effort to prevent it from being tampered with by anyone inside or outside of the organization. A successful encryption strategy defines strong access-control techniques, using adequate combinations of file permissions, passwords, and two-factor authentication. Access controls must be audited on a regular basis to ensure their validity.
Prior to deployment, a written policy should be developed, endorsed by management and communicated to end-users, including business partners and third parties (including any cloud providers) that handle sensitive data. If they cannot meet your company’s policies, they don’t get your data. Otherwise, you risk running into a compliance problem. Encryption responsibility should be fixed and carry consequences for noncompliance.
7. SSL Decryption
While encryption is a great way to protect data, it is also a great way to hide threats. Most network security controls cannot decrypt and inspect HTTPS (SSL) traffic. As more applications turn to SSL encryption to help keep users secure—Facebook, Twitter, YouTube, Google Search and DropBox to name a few—they are inadvertently hampering the ability of enterprises to ensure malicious code isn’t making its way into network traffic. Cyber attackers are exploiting this vulnerability, so when choosing the right encryption solutions for your organization, it is necessary to also consider SSL decryption technology to ensure visibility into important data at points of ingress and egress.
There are no silver bullets in IT security, and encryption is no exception. Targeted attacks and advanced persistent threats have penetrated even the most secure and isolated computer systems over the past few years, forcing us to acknowledge the fact that it is virtually impossible to prevent attackers from breaching our networks and stealing our data. Encryption can add nearly 20 percent to an organization’s ROI in security and render data useless in the event of a breach, but only if it is part of a comprehensive strategy that incorporates encryption with key management, access control and SSL decryption. With careful planning and equal investments in people, process and technology, you can navigate the variety of enterprise encryption options at your disposal and stay ahead of threats while reducing complexity and compliance costs.
A previous version of this article appeared on Forsythe FOCUS Magazine online.
View more presentations from Forsythe Technology