No Time to Rest
Encryption addresses issues of data at rest privacy, compliance and authentication
- By Andy Solterbeck
- Mar 05, 2007
Providing a high level of protection for sensitive information is one of the most significant challenges faced by today’s enterprise network and security engineering groups. The traditional perimeter network security methods — passwords, firewalls and anti-virus — provide important protection, but cannot combat all threats present in today’s enterprise network environments. An organization’s most privileged data, such as trade secrets, source code, financial information, internal communications, contracts, and customer and employee information, must be 100-percent secure at all times.
Adding to the complexity of a secure environment is the increasing reality of a mobile workforce. Not only does sensitive data reside on various servers and workstations throughout an enterprise, but it has become transportable through the use of laptops and removable media devices such as flash drives, memory cards, floppy disks, CDs and external hard drives. Protecting critical data and ensuring only the appropriate people have access to that data should be a core requirement of every company’s security strategy.
Security breaches can have a far-reaching impact not only on a company’s finances but also on its reputation. For government agencies, it may even be a matter of national security, with lives on the line. There is an expectation from customers, employees and partners—anyone who entrusts a company with their sensitive information—that this information will be protected. Organizations must consider the potential damage to their business if sensitive data is lost or stolen: lawsuits, negative publicity, loss of sales and customer confidence, and permanently tarnished reputations.
It is a proven fact that only encryption can protect data, no matter where it is stored. Encrypting data at rest is vital so that only authenticated and authorized people can view and manipulate that data. If a person or process fails to prove identity or is not authorized, access to the data is denied. The data remains confidential, and the integrity of that data is achieved. And because of its performance, ease of implementation and management, depth of security, and cost effectiveness, encryption is an optimal solution for securing an organization’s data at rest.
With a strong encryption and authentication strategy at the foundation of an organization’s security plan, users can rest assured that their information assets are safe, that the organization’s security practices are compliant, and that the company’s reputation and brand equity will be protected.
Assessing Threats to Data
With rising threats to sensitive data and increasing requirements to protect that data, organizations must focus squarely on security infrastructure.
It is not only external threats that companies must be prepared for. According to Privacy Rights Clearinghouse, regarding data breaches and thefts, the greatest risk of exposure comes from employees or consultants who do not properly secure the data.
In the last year, there have been scores of reports of lost or stolen laptops that contained sensitive data. This, combined with inadequate security policies and lack of oversight, places companies in a precarious situation.
The most common form of theft or loss has grown to involve laptop computers and removable media. However, while outside intrusions from data thieves have been declining, they still remain a viable threat and should be accounted for when developing a security strategy.
Data Privacy Regulations
The challenge in data privacy is to protect data while, at the same time, allowing it to be shared. As chief compliance officers well know, organizations should make certain that data security is the foundation of networking policies and procedures. Today, enterprises are mandated to comply with a variety of regional, national, and/or international regulations. Compliance is often met for multiple regulations by simply encrypting data, reducing compliance costs.
Examples of Current Compliance Regulations
Regional:
- California Database Security Breach Act
National:
- Federal Information Security Management Act
- Gramm-Leach-Bliley Act
- Health Insurance Portability and Accountability Act
- Sarbanes-Oxley
Global:
- EU Data Protection Directive
- SOX Japan
The growing risk of fines, heightened scrutiny, exclusion from programs, credit downgrading, legal prosecution and, possibly, imprisonment continues to compel companies to prove their compliance with data security regulations.
Encryption offers the best possible protection for data at rest or in motion, ensuring that the confidentiality and integrity of that data are achieved and allowing organizations to meet government regulations for protecting the privacy and security of shared information. Even if, through malice or accident, the data network is compromised, user/customer privacy and company reputation remain intact.
Developing a Security Framework
How do organizations develop a plan to address the vast array of individual requirements along with the persistent threats to data privacy? The answer is not by focusing on a single requirement or threat, but instead focusing on the single commonality shared among all—the protection of data.
An example of a security framework that takes this type of approach is ISO/IEC 17799. ISO/IEC 17799 is a standard for information security published by the International Organization for Standardization and the International Electrotechnical Commission and is based on the British Standard BS 7799. The ISO/IEC 17799 standard provides best practice recommendations on information security management for use by those who are responsible for initiating, implementing or maintaining information security management systems. Information security is defined within the standard as ensuring that information is accessible only to those authorized to have access; safeguarding the accuracy and completeness of information and processing methods; and ensuring that authorized users have access to information and associated assets when required.
What is defined in a company’s ISO/IEC 17799 is its security profile: the level of risk to take and the level of security to achieve. This is also the profile that any partner doing business with the company must match. For example, in the United Kingdom, companies that want to do business with the government must have an ISO/IEC 17799 in place. This rule is swiftly being adopted by all large companies expecting to do business with a European company.
As a result of the risk assessment phase of the security framework, a company will have a complete list of items to put into place, such as disk encryption, firewalls, backup storage and processes for destroying information. The structure of the ISO/IEC 17799 standard allows a company to take a complete and broad approach to securing the enterprise.
Taking a Layered Approach
The use of encryption as the basis of any security framework provides a simple solution to many security challenges, allowing an enterprise to create a plan that provides complete data protection with a one-to-many effect.
To achieve this protection, a layered approach is best to ensure data remains secure in any circumstance. On its own, each layer of encryption is effective but cannot cover every event. However, by encrypting data at all layers, an organization maximizes the effectiveness of its security, no matter whose hands a lost or stolen laptop ends up in. Through implementation of proper solutions, protection at all layers can be achieved.
The more layers of security that are implemented, the stronger the protection. As with other seasoned forms of information security, such as software protection and identity management, the level of security has a direct and positive correlation to the granularity of the implementation.
Application-level encryption is the ability to encrypt data according to the various fields contained in the data. Mapping the encrypted fields to user privileges is done by an automated tool.
Database-level encryption is the ability to selectively encrypt information based on user access rights, even though the data is stored in multiple databases on multiple platforms. An organization may want to control access privileges to a human resources database that is distributed throughout regional centers.
File/folder-level workgroup encryption is the ability for end users to manage the access permissions and encryption of individual files or folders at a workgroup/user level.
File/folder-level encryption is the ability to manage server and local user files/folders from a central console based on a set of corporate policies.
Pre-boot and server-level encryption provides the ability to encrypt data and require all users to produce proper authentication in order to boot up and gain authorization to access the data. This also is referred to as “whole-disk” encryption and is “all or nothing”—no selectivity or hierarchical privileges accompany this level of encryption.
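The application-level layer described above, sketched as an added example that is not part of the original article: selected fields of a record are encrypted under per-field keys, and a policy table maps each encrypted field to the roles privileged to read it. The field names, roles, sample rows, use of AES-GCM from the Python `cryptography` package and in-memory keys are all assumptions; binding each ciphertext to its row and field goes beyond what the article describes.

```python
import os
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Constructed policy: the roles privileged to read each encrypted field.
FIELD_READERS = {"salary": {"hr", "payroll"}, "ssn": {"hr"}}
# One key per protected field, generated in memory for the demo; a real
# deployment would hold these in a key manager, apart from the data.
FIELD_KEYS = {f: AESGCM.generate_key(bit_length=256) for f in FIELD_READERS}

def _aad(record_id, field):
    # Binds a ciphertext to its row and column, so it cannot be moved.
    return f"{record_id}:{field}".encode()

def encrypt_record(record):
    """Encrypt only the fields named in the policy; the rest stay in clear."""
    out = {}
    for field, value in record.items():
        if field in FIELD_KEYS:
            nonce = os.urandom(12)  # fresh 96-bit nonce per encryption
            ct = AESGCM(FIELD_KEYS[field]).encrypt(
                nonce, value.encode(), _aad(record["id"], field))
            out[field] = nonce + ct
        else:
            out[field] = value
    return out

def read_record(stored, role):
    """Return the view of a stored record that `role` is privileged to see."""
    view = {}
    for field, value in stored.items():
        if field not in FIELD_KEYS:
            view[field] = value
        elif role in FIELD_READERS[field]:
            view[field] = AESGCM(FIELD_KEYS[field]).decrypt(
                value[:12], value[12:], _aad(stored["id"], field)).decode()
        else:
            view[field] = None  # no privilege: the field stays sealed
    return view

def moved_ciphertext_rejected(row_a, row_b):
    """True if a salary ciphertext copied from row_a into row_b is rejected."""
    try:
        read_record(dict(row_b, salary=row_a["salary"]), "hr")
    except InvalidTag:
        return True
    return False

# Constructed sample rows.
ALICE = encrypt_record({"id": "1001", "name": "Alice", "salary": "91000", "ssn": "000-00-0001"})
BOB = encrypt_record({"id": "1002", "name": "Bob", "salary": "64000", "ssn": "000-00-0002"})
```

Whole-disk encryption would expose every field of these rows to anyone who authenticates at boot; here a role outside the policy receives the clear fields only.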
A Multi-Layered Solution
Reaching the appropriate balance between enabling communication and providing adequate protection of sensitive information is one of the most significant challenges faced by today’s enterprise network and security engineering groups. With mounting regulatory considerations and an overall focus on securing data, it is more important for organizations to design and implement a comprehensive plan of protection to provide not only the enterprise, but their employees, associates and customers with the assurance that their data is secure.
Anyone with malicious intentions can gain access to data that is not properly protected. The challenge is to maintain the performance and simplicity of the network while ensuring the security and privacy of user data. The answer lies with encryption, which provides organizations with the assurance that all data is protected through the strongest algorithms.
Organizations often see the word “security” and think “expensive.” But this does not have to be the case. With data encryption, compliance is often met for multiple regulations.