January 15, 2015
7 Key Elements of a Successful Encryption Strategy
The world is run on codes and ciphers. From emails to ATMs, entertainment, and shopping online, cryptography inhabits our every waking moment. In fact, life as we know it would be practically impossible without it.
Cryptography is the science of secret communication. Its fundamental objective is to enable communications over an insecure channel in such a way that a potential adversary cannot understand what is being conveyed.
The global proliferation of cyber espionage has led one particular component of cryptography—encryption—to become critical in the effort to safeguard sensitive data and intellectual property (IP).
Data Breach Damage
Inadequate security and eager cyber attackers have led enterprise data breaches to increase at an alarming pace. Staggering numbers of affected customers—and financial losses—are sending shock waves through the business world, and creating a sense of urgency around identifying solutions.
Making matters worse, consumers are backing away from companies that have been breached.
Nearly half of people—45 percent—in a recent survey by CreditCards.com said they would “definitely not” or “probably not” shop at retailers that have acknowledged breaches.
Finding a way to ward off cyber intruders has become a critical challenge. When asked how to do this during a 2013 press conference, notorious former NSA contractor Edward Snowden said, “Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on.”
An intriguing example of the strength of encryption is “Kryptos”—a sculpture with a mysterious 865-character encrypted message on four large copper sheets. Kryptos has been on display at CIA headquarters in Langley, Virginia for 24 years and has become an obsession for would-be code-breakers. While it has received a lot of attention, nobody—not even the NSA—has been able to decrypt its entire message.
Encryption can be invaluable in the effort to combat advanced threats and maintain regulatory compliance. But the wide variety of options for enterprise deployment can be intimidating, and companies haven’t been using it effectively.
According to security company SafeNet’s Breach Level Index, the second quarter of 2014 saw 237 data breaches that exposed more than 175 million customer records worldwide—almost 2 million stolen records per day. It is not surprising that sophisticated cyber attackers were able to access the records; what is surprising is that of all of the records that were stolen, only one percent were encrypted and therefore unusable.
So how can companies start using encryption to protect data?
Organizations can leverage encryption to provide persistent data protection by anchoring it with a comprehensive strategy that incorporates a complete lifecycle process along with the technology solution.
Encryption is a process based on a mathematical algorithm (known as a cipher) that makes information hidden or secret. Unencrypted data is called plain text; encrypted data is referred to as cipher text. In order for encryption to work, a code (or key) is required to make the information accessible to the intended recipients.
A Wake-Up Call
Edward Snowden had the keys to the data he leaked, which highlights the need to consider encryption as part of a broader data protection strategy, and to focus on how encryption keys and digital certificates are used. Encrypted traffic and the use of encryption as an authentication mechanism within an organization's network are generally trusted, and direct access to keys and certificates allows anyone to gain elevated privileges. Snowden was a low-level SharePoint administrator who took advantage of the fact that keys and certificates are blindly trusted to elevate his privileges and enter areas where he should not have had access. In order to prevent this type of activity and “access creep”, organizations should implement solutions that create separation of duties. These controls—which include application and database security as well as identity and access management tools—will help to ensure that encryption keys and certificates cannot be accessed directly, and promote increased awareness and accountability of employees’ actions within the company.
Choosing What to Encrypt
Before enterprises decide how to encrypt, they have to determine what to encrypt.
Planning an encryption program should be part of an overall enterprise risk management and data governance planning process. A carefully planned, comprehensive approach that considers specifically which data sets—structured, or unstructured—should be encrypted, and how key management should work will generate greater efficiency and effectiveness for an IT organization.
There is no single universal standard for encrypting all data, on all systems, all the time. A successful approach will depend on the sensitivity and risk level of your organization’s information and its data storage methods. The first step is understanding the different types of encryption, and what encryption can and cannot do.
Three States of Data
In order for data to be secure, it must be protected throughout its lifecycle. It is therefore important to consider the state of the data you are trying to protect: data in motion (data being transmitted over a network), data at rest (in your data storage area or on desktops, laptops, mobile phones or tablets), or data in use (in the process of being generated, updated, erased, or viewed). Each presents unique challenges. And each may have different tools and methodologies that can be used to secure it.
Protecting data at rest is a critical issue as the network perimeter continues to dissolve.
Encryption types for data-at-rest include the following:
Full Disk Encryption (FDE) for endpoint protection
Full Disk Encryption with Pre-Boot Authentication (FDE w/ PBA) for endpoint protection
Hardware Security Module (HSM) for key management lifecycle protection
Encrypting File System (EFS) for storage protection
Virtual Encryption for storage protection
File and Folder Encryption (FFE) for unstructured data protection
Database Encryption for structured data protection
Encryption types for data-in-motion include (but are not limited to) the following:
Virtual Private Network (VPN) for remote access
Wi-Fi Protected Access (WPA/WPA2) for wireless access
Secure Sockets Layer (SSL) for Web browser to server communications
Secure Shell (SSH) for secure remote systems administration
The most common method of protecting data in motion is the use of a secure sockets layer virtual private network (SSL VPN). Technologies such as SSL VPN are critical in the effort to protect against man-in-the-middle attacks and packet sniffers.
The Data-in-Use Challenge
Cloud computing has created the need to secure data in use as third-party providers increasingly host and process data. But data-in-use is the hardest to protect, since it almost always has to be decrypted and therefore exposed in order to be used. This opens up servers to attack by a technique called RAM scraping, which examines the memory of the running web server and extracts data while it is in its processed, unencrypted state.
Because decryption keys and decrypted data must be completely unavailable to an attacker in order for encryption to provide security, alternate controls are usually provided in an environment where either the keys or the data are in use. Enterprises deploying cloud services should look for a distributed solution such as an HSM to keep keys secure and out of the service provider’s control. Security companies are starting to address the data-in-use encryption security gap by introducing new products such as “fully homomorphic” encryption that could potentially enable unrestricted analysis of encrypted information, as well as full memory encryption, which limits clear text data to the CPU internal cache.
The most common type of encryption for protecting email is asymmetric encryption, supported by a Public Key Infrastructure (PKI). PKI is widely deployed for handling key distribution and validation, and consists of the following:
A certificate authority (CA) that issues and verifies digital certificates. A certificate is an electronic document used to prove ownership of a public key
A registration authority (RA) that acts as the verifier for the certificate authority before a digital certificate is issued to a requestor
One or more directories where the certificates (with their public keys) are held
A certificate management system
Building Your Strategy
It’s imperative to remember that your encryption project—and IT security in general—is a process, not a product. Effective encryption takes time; in addition to careful consideration of data states and encryption techniques, seven key elements can help you build a successful end-to-end approach:
Creating an encryption strategy requires a collaborative effort. It is best to approach it as a major initiative that includes members of management, IT and operations. Start by bringing together key data stakeholders and work to identify the regulations, laws, guidelines and external influences that will factor into purchasing and implementation decisions. From there, you can move on to identifying high-risk areas, such as laptops, mobile devices, wireless networks and data backups.
2. Data Classification
It is important to leverage encryption as part of your broader IT security efforts. Companies that don’t have an effective data classification and/or prioritization program in place tend to struggle with data encryption.
Separate valuable information that may be targeted from less valuable information by tracking data usage cycles and implementing appropriate encryption controls. Take into account:
Where this information is stored. Make sure you include all locations such as mobile devices, backup systems and cloud services.
Who has access to it; understand which employee roles and individuals must have access, as well as those that may have unwarranted access.
What your organization’s process is for provisioning and deprovisioning access.
Your partners’ valuable information and what your process is for evaluating your partners’ security.
The ultimate value to an attacker of combined information from your organization and that of a partner. For example, an insurer of critical infrastructure may provide valuable information to an attacker seeking to infiltrate the infrastructure that is being insured.
3. Key Management
Guard your keys. If keys and certificates are not properly secured, the organization is open to attack, no matter what security controls are in place. Many organizations have tens of thousands of keys and certificates, with no clear understanding of their inventory. They do not know how keys and certificates are being used, what systems they provide access to, or who has control over them. It is imperative that organizations understand which keys and certificates are used in the network, who has access to them, and how and when they are being used. The first step in gathering this information is to gain a clear understanding of the organization’s inventory by centrally managing keys and certificates. This will enable you to detect anomalous behavior, such as rogue self-signed certificates. Critical aspects of key management include the following:
Encryption Key Lifecycle Management:
While encryption key lifecycle management can be overwhelming to organizations with a large number of keys, there is no way to validate the integrity of the keys and, by extension, the integrity of the data itself without it. Keys must be protected with a reliable key management solution from the moment they are created through their lifecycle of initiation, distribution, activation, deactivation and termination.
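The lifecycle above can be enforced as a small state machine that refuses out-of-order stage changes and logs every decision. This is an added example, not code from the original article; the class names, the rule that a key may be terminated early, and the per-stage operation table are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):  # stage names taken from the paragraph above, in order
    INITIATION = 1
    DISTRIBUTION = 2
    ACTIVATION = 3
    DEACTIVATION = 4
    TERMINATION = 5


# Assumption: an activated key may encrypt and decrypt, a deactivated key may
# only decrypt data it already protects, and every other stage permits nothing.
ALLOWED_OPS = {State.ACTIVATION: {"encrypt", "decrypt"},
               State.DEACTIVATION: {"decrypt"}}


class LifecycleError(Exception):
    """Raised when a requested stage change skips or reverses the lifecycle."""


@dataclass
class ManagedKey:
    key_id: str
    state: State = State.INITIATION
    audit: list = field(default_factory=list)  # (actor, event) tuples

    def advance(self, new_state, actor):
        # Assumption: stages move forward one at a time, except that a live
        # key may be terminated early from any stage (e.g. on compromise).
        next_stage = new_state.value == self.state.value + 1
        early_end = new_state is State.TERMINATION and self.state is not State.TERMINATION
        move = f"{self.state.name}->{new_state.name}"
        if not (next_stage or early_end):
            self.audit.append((actor, "DENIED " + move))
            raise LifecycleError(f"{self.key_id}: {move} not allowed")
        self.audit.append((actor, move))
        self.state = new_state

    def authorize(self, op, actor):
        """Record and return whether `op` is permitted in the current stage."""
        ok = op in ALLOWED_OPS.get(self.state, set())
        self.audit.append((actor, f"{'ALLOW' if ok else 'DENY'} {op} in {self.state.name}"))
        return ok
```

Denied transitions are written to the audit trail before the exception is raised, so an attempt to reactivate a retired key leaves a record even though it fails.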
Heterogeneous Key Management:
A centralized key management platform allows for unified access to all of the encryption keys and a 360-degree "single pane of glass" view into the overall strategy. Requiring all keys to be managed from the same place, in the same way, allows for a granular understanding of how the keys are being used and, more importantly, whether they are being accessed incorrectly. Without an overarching heterogeneous key management solution, the organization will be continuously chasing after rogue keys and struggling to ensure encrypted data is valid and able to be decrypted when necessary.
The deployment of HSMs can help to protect the key management lifecycle in complex environments.
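The inventory checks this section calls for (rogue self-signed certificates, entries nobody owns, keys accessed by the wrong party) can be run over a central inventory once one exists. The following is an added example, not part of the original article; the record fields, issuer names, principals and dates are constructed for illustration.

```python
from datetime import date

# Constructed sample inventory; every name and value below is illustrative.
INVENTORY = [
    {"id": "cert-web-01", "subject": "CN=www.example.test",
     "issuer": "CN=Example Internal CA", "owner": "web-team",
     "not_after": date(2015, 9, 1),
     "authorized": {"svc-web"}, "accessed_by": {"svc-web"}},
    {"id": "cert-dev-07", "subject": "CN=build.example.test",
     "issuer": "CN=build.example.test", "owner": None,
     "not_after": date(2025, 1, 1),
     "authorized": set(), "accessed_by": {"jdoe"}},
    {"id": "key-db-03", "subject": "CN=db.example.test",
     "issuer": "CN=Example Internal CA", "owner": "dba-team",
     "not_after": date(2015, 2, 1),
     "authorized": {"svc-db"}, "accessed_by": {"svc-db", "ops-admin"}},
]
APPROVED_ISSUERS = {"CN=Example Internal CA"}


def audit_inventory(inventory, approved_issuers, today, warn_days=30):
    """Return (entry id, finding) pairs for entries that need review."""
    findings = []
    for e in inventory:
        # Heuristic: subject == issuer suggests self-signed. A full check
        # verifies the signature with the certificate's own public key.
        if e["issuer"] not in approved_issuers:
            kind = "self-signed" if e["subject"] == e["issuer"] else "unapproved issuer"
            findings.append((e["id"], kind))
        if not e["owner"]:
            findings.append((e["id"], "no owner on record"))
        for who in sorted(e["accessed_by"] - e["authorized"]):
            findings.append((e["id"], f"accessed by unauthorized principal {who}"))
        days_left = (e["not_after"] - today).days
        if days_left < 0:
            findings.append((e["id"], "expired"))
        elif days_left <= warn_days:
            findings.append((e["id"], f"expires in {days_left} days"))
    return findings


if __name__ == "__main__":
    for entry_id, finding in audit_inventory(INVENTORY, APPROVED_ISSUERS, date(2015, 1, 15)):
        print(f"{entry_id}: {finding}")
```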
4. Finding the Right Solution for Your Environment
Once you have established your key management needs, it is time to evaluate and implement encryption solutions. There are many options and factors to consider. A “try-before-you-buy” approach is best because what works for one organization may not work for another. Companies should explore working with a vendor-independent partner who can help test potential solutions and find the best fit for their environment.
5. Access Control
Ensuring that only authorized users can access data is critical in the effort to prevent it from being tampered with by anyone inside or outside of the organization. A successful encryption strategy defines strong access-control techniques, using adequate combinations of file permissions, passwords, and two-factor authentication. Access controls must be audited on a regular basis to ensure their validity.
Prior to deployment, a written policy should be developed, endorsed by management and communicated to end-users, including business partners and third parties (including any cloud providers) that handle sensitive data. If they cannot meet your company’s policies, they don’t get your data. Otherwise, you risk running into a compliance problem. Encryption responsibility should be fixed and carry consequences for noncompliance.
7. SSL Decryption
While encryption is a great way to protect data, it is also a great way to hide threats. Most network security controls cannot decrypt and inspect HTTPS (SSL) traffic. As more applications turn to SSL encryption to help keep users secure—Facebook, Twitter, YouTube, Google Search and Dropbox to name a few—they are inadvertently hampering the ability of enterprises to ensure malicious code isn’t making its way into network traffic. Cyber attackers are exploiting this vulnerability, so when choosing the right encryption solutions for your organization, it is necessary to also consider SSL decryption technology to ensure visibility into important data at points of ingress and egress.
There are no silver bullets in IT security, and encryption is no exception. Targeted attacks and advanced persistent threats have penetrated even the most secure and isolated computer systems over the past few years, forcing us to acknowledge the fact that it is virtually impossible to prevent attackers from breaching our networks and stealing our data. Encryption can add nearly 20 percent to an organization’s ROI in security and render data useless in the event of a breach, but only if it is part of a comprehensive strategy that incorporates encryption with key management, access control and SSL decryption. With careful planning and equal investments in people, process and technology, you can navigate the variety of enterprise encryption options at your disposal and stay ahead of threats while reducing complexity and compliance costs.
View more presentations from Forsythe Technology