Data at rest is data at risk--take steps to secure it.
The obvious candidate for a company who missed out on the benefits of encryption is discount retail giant TJX, whose recent tale of woe must have sent chills up the spines of many CIOs. It's a story that just keeps getting worse--we're learning that the retailers' network was apparently breached multiple times back in 2005, not just during May 2006-January 2007 as originally thought. Information concerning credit and debit card transactions dating from 2007 all the way back through 2003 may have been compromised. TJX has already taken a fourth-quarter charge of about $4.5 million for costs solely related to the hack--a figure that is likely to increase as the investigation and remediation continues.
Had TJX encrypted its stored data this would not be so serious an issue. While no one wants hackers rummaging around in their network, it's certainly less stressful to know that anyone who has managed to penetrate your network can't access any of your data. But rare is the case of lost backup tapes or a penetrated network where a company spokesperson can say--"the data was encrypted so it's quite safe, totally inaccessible to anyone but our authorised users." Instead we read the same sad lines again and again; an executive quoted as saying the whole situation is utterly unacceptable, totally not up to the company's high standards, but it's being addressed and the company will pay for six months of credit monitoring for customers whose personal data was exposed. (TJX didn't even offer to pay for monitoring).
Those blustering press releases may have been fine a few years ago. But customers are getting mad as hell and they aren't going to take much more of this nonsense. Lawmakers, sensing the shifting zeitgeist, are moving to pass legislation that will increase penalties for companies that expose personal data. Organisations who encrypt data only when it is in transit are also likely to be violating the data security regulations affecting their industry. They are also opening themselves to corporate espionage and a myriad of hack attacks, with the ensuing litigation, damaging publicity, financial penalties, and loss of customer trust. All it takes is one zero-day attack to ruin a corporation's good reputation.
Encryption of data at rest should be a given by now--it's not an extra layer of protection; it's a necessary layer of protection. Data at rest is data at risk--a moving target is much harder to hit so most criminals and snoops would rather pull information from a database than try to grab it while it's being transmitted or transported.
So why doesn't every corporation encrypt stored data? Some simply don't budget for in-depth security until their network has already been breached. Others worry about encryption having an adverse impact on network performance, backup speed and restore times, or are concerned that encrypted data won't be accessible when and as needed. While all of these concerns were once valid, virtually all have been addressed by new solutions that provide unified encryption across the entire distributed enterprise with no performance penalties or end user hassles. These aren't single-trick solutions either, the best ones dovetail encryption and decryption with user access policies, handle some of the trickier key management chores and make the entire encryption process transparent and seamless.
Evaluating Encryption Solutions
Until recently, data backup and archiving was a straightforward procedure. All data was captured on a regular basis and dumped onto a rotating set of back-up tapes, and then organised--or at least stored--in the data centre. About the only thing a company had to decide was where to house their off-site archives.
Things have changed--now many data centres are moving towards a mixed environment of disk-based archives for fast system restores plus tape for long-term archival storage.
New privacy and reporting laws (e.g. Payment Card Industry, Sarbenes-Oxley and the Data Protection Act) have also altered what sort of information companies opt to store, for how long and on what types of media they need to store it. Some regulations require certain types of critical records to be stored on archival media that cannot be altered or easily tampered with. The old "save everything" method of backing up is no longer viable, due to the sheer amount of data that most corporations generate and the legal liabilities inherent in keeping every scrap of information readily accessible in long-term archives. Instead companies must develop data retention and destruction policies that define what exactly needs to be saved and for how long. Even then, not every email and memo may need to be protected--only the most critical data such as customer records, financial information and the like needs to be encrypted. Companies that encrypt every single scrap of data are the ones that complain that their systems get bogged down.
Obviously a successful encryption plan doesn't centre on simply choosing a solution to use. First enterprises must identify what data needs to be encrypted and where it resides, and then choose the encryption technology that suits the company's needs. [Diag 1 Conduct a Data Protection Inventory]
Hardware versus software encryption
Organisations must also decide whether to deploy hardware or software-based encryption. In general hardware-based solutions are faster than software encryption, and don't drain the network's shared memory. The tradeoff is cost and sometimes lack of scalability. Software encryption is less expensive, but may take too much time and computing power when large backups from a busy network are being encrypted.
Happily newer, more advanced solutions now exist that offer the benefits of both hardware and software encryption, using the database server as the platform for encryption services. When the application calls for secure information, the encryption service requests the encrypted data from the database server, performs a local decryption, and returns clear-text information to the calling application. Network overhead is eliminated, performance is faster than that delivered by attached devices and there's no need to invest in a slew of separate devices to perform encryption.
Since much of the information that needs to be encrypted will obviously be stored in databases, enterprises might choose to focus on finding a solution developed with database encryption in mind. Look for solutions that allow encryption of data at the column level within a database table as this has proven to be the most effective and efficient way of encrypting data. Companies can chose the fields containing the most sensitive data and encrypt only those, further eliminating potential bottlenecks in database performance caused by searching for encrypted data.
Distributed enterprises will also want a solution that can be deployed across the organisation from one central location, minimising cost and effort to implement and maintain. This is especially important for organisations that have multiple databases in different physical locations. Businesses that need to support different software platforms and database applications should obviously look for a solution that supports all major relational databases and their operating system environments.
How strong should your encryption be?
The encryption should be as strong as technically possible and less capable solutions often lack in other areas as well. Look for a solution certified to meet the Federal Information Processing Standard (FIPS) 140-2, the most widely recognised benchmark for cryptographic security.
Last but not least no single technology is the magic bullet that can solve every security problem. Encryption technology should be partnered with a full-fledged data security solution that enforces role-based access controls and separation of duties between database administration and IT security. For instance, security officers set the policies, but may not access the sensitive data itself.
Understanding key management
One of the essential components of data encryption is key management--the way cryptographic keys are generated and managed throughout their lifecycle. Because cryptography is based on keys that encrypt and decrypt data, your data security solution is only as good as the protection offered by your keys. Real security depends on two factors: where are the keys stored and who has access to them?
Enterprises should look for solutions that provide the capability to centralise all key management tasks on a single platform and automate administrative key management tasks. This provides both operational efficiency and reduced management costs.
Other essential key management features include a secure mechanism for key rotation, replication and backup. Any encryption product that does not provide a secure means of recovering/replicating keys is a catastrophe waiting to happen, and one that's unfortunately likely to manifest in a disaster recovery situation where complete backups and necessary files may not be immediately accessible and keys need to be replicated quickly. Look for a solution that allows keys to be replicated when a quorum comprised of a pre-determined number of people authenticate themselves to the system.
Keys should also be securely backed up and rotated periodically to ensure absolute security. The back up benefits are obvious and key rotation is a process that automatically decrypts data using existing encryption keys and then re-encrypts it with new keys, at pre-selected intervals.
Depending on the sensitivity of data that is being encrypted and the government and industry regulations that effect a particular organisation, companies may want to look for a solution that supports Dual-Control implementation of encryption key management. This feature blocks one-party changes and requires two people to authenticate major changes, in the same way as particularly large bank checks require two signatures to be valid.
Encryption is rapidly becoming an essential and expected part of a company's obligation to protect sensitive information. It's an easy and cost effective way to avoid a slew of embarrassing and expensive security problems. I bet TJX's CIO wishes he'd used it.
About the author.
Ulf holds a degree in electrical engineering from Polhem University, a degree in Finance from University of Stockholm and a master's degree in physics from Chalmers University of Technology
Ulf Mattsson, CTO for data security specialist, Protegrity.
RELATED ARTICLE: Sybase Survey
Sybase, Inc. has announced the results of an independent survey on business intelligence application implementations, conducted in conjunction with the National Computing Centre.
Dave Lawrence, Technical Sales Manager at Sybase, made the following observations on the survey results:
* As a software vendor with over twenty years of experience in providing data management solutions, we were keen to compare the results of this NCC survey with our understanding and experience of today's BI market. This survey underpins our analysis that initial BI implementations focus on supporting business decisions, performance management and business process control.
* Interestingly, the survey shows that only 13% of the surveyed systems have completely met their original business drivers. The ability for any BI system to provide answers quickly, on the right information, in an easy to use fashion, is a challenge for 29% of respondents. Our experience leads us to understand that it isn't easy to derive ongoing, tangible benefits from any BI system. It's a careful balancing act to provide sufficient BI capability, at a controllable total cost of ownership, without losing agility, insight, or competitive edge.
We've no doubt that BI will continue to grow as an increasingly important business tool, allowing senior management to predict changes to their target markets, and to assess the impact and profitability of their product and service offerings in near-real time. To support this activity, BI systems will need to support growing volumes of structured and unstructured information, with real-time access, by increasing numbers of users wanting to ask any question, on any subject. So the future for BI is bright--it's just a question of discovering how to best utilise its undoubted ability to provide that competitive advantage to your business.
"The research reveals that the deployment of BI might be a panacea of management decision-making, but like most process changes, cultural issues around deployment can be a significant barrier," said Stefan Foster, Managing Director, NCC Ltd. "To make BI effective means fully understanding what metrics are important to you and your business. Deployment problems occur when the wrong data is collected, when the wrong questions are asked, and when staff are unsure of what they want from the system, or are wary of using it. Getting the cultural issues right are just as important as choosing the right technology." For more information, visit: www.sybase.com
|Printer friendly Cite/link Email Feedback|
|Title Annotation:||Unlocking Encryption|
|Date:||Jul 1, 2007|
|Previous Article:||The application transformation imperative.|
|Next Article:||Storage Expo 2007: feature from exhibitor at Storage Expo 2007 the UK's largest event dedicated to data storage. Now in its 7th year, the show...|