Code of conduct

By Sathya Mithra Ashok
Wed 03 Sep 2008 03:00 AM

Data encryption is crucial to protecting the integrity of enterprise information. Organisations investing in encryption have to understand their requirements, and implement solutions across the company to get the most from them.

Encrypting data is not a new idea. Coding information to ensure that it is sufficiently protected from people with malicious intent is a pretty old technique. The logic is simple - codify your information so that it cannot be easily read or understood by parties who are not supposed to have access to the data.

However, as with any concept, it has evolved over the past decade to reflect the changing needs of enterprises worldwide. This is most immediately visible in the encryption standards themselves.


"There are two main methods which have distinct advantages: the quicker symmetric key method and the harder-to-crack asymmetric key method. Early attempts to use asymmetric methods to encrypt user hard drives required the deployment of public key infrastructure (PKI).

There are firms who use this. However, there is little widespread adoption due to both the logistical issues with distributing and managing personal digital certificates for every user and the slow encrypt and decrypt times for files. Symmetric key mechanisms are seen as the way to go for bulk encryption: files, file systems, databases," says Naveed Moeed, technical consultant (MEA) for RSA.

Guy Bunker, distinguished engineer at Symantec EMEA, states: "Most people have heard of DES (Data Encryption Standard), or Triple DES. However, those have been replaced with AES (Advanced Encryption Standard) - this can have a key length of up to 256 bits - and is secure enough for the US government to allow it for classified data, so it is probably good enough for most organisations.

There are a number of implementations, and you need to check that the one you choose is FIPS (Federal Information Processing Standard) 197 or FIPS 140 approved."

Encryption strength depends largely on key length: the longer the key, the more difficult it is to break the code. Vendors warn that state-of-the-art encryption solutions from 20 years ago can now be cracked in a few minutes, so enterprises need to invest in the best available today to guard themselves.
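The split Moeed describes above, asymmetric keys for distribution and symmetric keys for bulk data, is usually combined in practice: a file is encrypted under a fresh AES-256 data key, and only that 32-byte key is encrypted with the recipient's public key. The program below is an added illustration written for this article, not code from the article or from any vendor quoted in it. It uses Go's standard library (AES-256-GCM for the bulk data, RSA-OAEP for wrapping the key); the function names, the `GenerateKEK` helper and the sample record are all constructed for the example. GCM also authenticates the ciphertext, so a modified record is rejected rather than silently decrypted to garbage, and a lost wrapped key makes the data unrecoverable.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is the stored form: bulk data under AES-256-GCM plus the data
// key wrapped with RSA-OAEP. The raw data key is never stored in the clear.
type Envelope struct {
	WrappedKey []byte // RSA-OAEP(dataKey) under the key-encryption public key
	Nonce      []byte // 96-bit GCM nonce, fresh for every data key
	Ciphertext []byte // AES-256-GCM output with the 128-bit auth tag appended
}

// GenerateKEK creates the asymmetric key-encryption key pair. This helper is
// hypothetical; in a real deployment the private half lives in a
// key-management system, not next to the data.
func GenerateKEK() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Seal encrypts plaintext with a fresh 256-bit data key (symmetric, fast for
// bulk data) and wraps only that 32-byte key with RSA (asymmetric and slow,
// but applied to 32 bytes rather than to the whole file).
func Seal(pub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	dataKey := make([]byte, 32) // 32 bytes = AES-256
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Open unwraps the data key with the private KEK and decrypts the bulk data.
// GCM verifies the tag, so any modification of the ciphertext is rejected.
// If the wrapped key has been lost, the data is gone with it.
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	if env == nil || len(env.WrappedKey) == 0 {
		return nil, errors.New("wrapped data key missing: ciphertext is unrecoverable")
	}
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("decrypt or authenticate bulk data: %w", err)
	}
	return pt, nil
}

func main() {
	kek, err := GenerateKEK()
	if err != nil {
		panic(err)
	}
	// Constructed sample record, not real data.
	record := []byte("customer: ACME Trading; account balance: 1,250,000 AED")
	env, err := Seal(&kek.PublicKey, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored: %d-byte wrapped key, %d-byte ciphertext\n", len(env.WrappedKey), len(env.Ciphertext))
	pt, err := Open(kek, env)
	fmt.Printf("decrypted ok: %v (%q)\n", err == nil, pt)
	env.Ciphertext[0] ^= 0x01 // flip one bit of the stored record
	_, err = Open(kek, env)
	fmt.Printf("tampered ciphertext rejected: %v\n", err != nil)
}
```

The point for the enterprise deployments the article discusses is that the only secret that has to be distributed and protected per user is the RSA private key; every file gets its own data key, and what is stored beside the file is the wrapped key, never the key in the clear.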

Coding the region

In spite of a largely established standard in AES, and the fact that data encryption by itself can prove to be an easy task, many enterprises still shy away from deploying enterprise-wide encryption solutions.

"Major banks and financial institutions have adopted data encryption. They are very aware of its benefits, simply because almost everything that they deal in is crucial information. They are the leader in deploying encryption solutions. Most other companies are still considering their options," says Samir Kirouani, technical manager at Trend Micro, MENA.

One of the reasons for this is the complexity of key management.

"I think there are some core challenges that organisations face with encryption systems, primarily from the way keys are handled. It is one of the biggest challenges they face - how to reduce the complexity of key management," states Guru Prasad, general manager for networking at FVC.

There are public keys and private ones. Public key encryption is a lot more susceptible to risk. As encryption levels need to be higher, and the data is more critical, organisations tend to go towards private key encryption.

This brings along the need to manage as many private keys as there are people who have access to encrypt or decrypt.

"The first challenge is in creating these keys, since that takes time and effort and the second is the storing of these keys. Until recently, these keys were stored in open text by some organisations.

The third problem involves actual management of these keys - who will access it, how it will be backed-up, how to make it secure and such," explains Prasad.

To avoid some of these problems, companies have largely issued keys to organisational divisions rather than to individuals. However, new solutions in the market enable organisations to manage keys better and at a finer granularity.

"There are tools which actually take care of encryption for types of data and there are also specific tools to manage keys, which are based on, or inherit, security from the systems themselves.

For example, functional encryption basically says x person has got access to xyz on the network, or xyz modules on an app, and that can be inherited from the app itself.

And all that information is stored in another database which is completely encrypted. So it is becoming easier for organisations to actually manage, and they can now use policy based encryption when it comes to creating and managing keys. That's the whole difference," says Prasad.

Many enterprises, however, remain unaware of these advances in technology which make encryption easier. This is complicated by the latency that encryption solutions impose on enterprise data.

"The most glaring challenge is the impact of encryption on performance. One really needs to understand what impact encryption will have on performance and actually rebuild some of the architecture to ensure that it does not become a limiting factor for applying encryption to that particular area.

The second is safeguarding against accidents and omissions, especially when it comes to key management. I have seen many instances when, although the data was encrypted, the keys were not managed properly. They were lost or became corrupted and thus the core data was lost," says Prasad.

"The final challenge is justifying the cost of implementing encryption. That has always been a challenge for an organisation. If it is not for regulatory purposes, it is just to ensure the integrity of data, and justifying that cost is a big challenge for enterprises today," he adds.

One of the few exceptions to this is corporate outgoing e-mail, which is the easiest to encrypt and imposes very little latency on the organisation. This is also the reason that most organisations start with e-mail when they begin encrypting information.

For the rest of corporate information however, companies need to invest a lot more effort and time.

Encryption levels

The level of encryption on any piece of information depends largely on how critical the information is to the organisation and where it resides on the corporate network.

"The differentiator is the data. Whether it is travelling the corporate network, on a hard drive, in a USB or on the internet, if the data is not financially sensitive or critical then it can travel openly.

But if the data is important, then it will need to be encrypted," says Faisal Khan, senior security consultant at McAfee Middle East.

Some others believe data needs to be differentiated based on where it resides. "Depending on where the data is, it might need to be encrypted. So on a laptop all customer sensitive and company confidential data should be encrypted.

Inside the corporate network you may not need any encryption - and just use standard access control lists (ACLs). When data is copied onto removable media such as USB sticks, then it might need to be encrypted, just in case it is lost," points out Bunker.

To ensure this, organisations will need to be careful when selecting and working with solutions.


"Data classification is where the answer lies. Modern DLP solutions which have decent data discovery modules will allow you to define, in plain English and Boolean logic, policies regarding your data such that the data which is discovered as sensitive is pegged as information of high relevance to your institution," says Moeed.

"There are too many encryption solutions in the market. Encryption can be done for all data on a disk or just one file. It can be managed centrally or by the individual.

It can work on removable media or on mobile phones as well as laptops, desktops, servers and other devices. It can be internal only, or can also be used with third parties (eDRM) and it can encrypt data ‘over the wire' so it cannot be snooped.

Unfortunately, there is not a simple ‘choose this one solution and it will all be ok'. Organisations need to understand what it is they are trying to protect and where it is," points out Bunker.

Moreover, even with a solution in place, enterprises need to ensure that the different kinds of data, and the level of encryption to be enforced on each, are spelled out in the enterprise's security policy and implemented through it.

"If the organisational data's end-users are not IT aware, they do not usually have the judgement or information to actually decide how to protect the data, what they need to protect and what the right procedure would be.

If you would go to a finance person and ask him, he will tell you this folder is important and that is it. But if you leave it up to them to actually decide upon these things, eventually there will be human errors. That defeats the whole purpose of encryption, because there will be loopholes somewhere.

Therefore, a solution needs to be in place whereby it can be centrally managed, helped by a comprehensive organisation-wide policy," says Khan.

Finally, enterprises with encryption will have to try to put in practices and processes to ensure that their effort works for them the way it should.

"As ever the holy mantra of security states that good policies lead to good security. More and more security software, and in particular key management software lies at the core of any good encryption solution, and is designed to provide real-life policy implementation," says Moeed.

"End-users need to know why encryption is being done - so educate them. Data on an encrypted laptop is just as much at risk if the users are allowed to write their passwords on a yellow-sticky and attach it to the bottom of the machine. Education is critical," says Bunker.

"This is a key point. Users need to be educated on the security policy and how important the data is. Second, organisations need to train them in using personal encryption systems because one of the challenges again that organisations face from a security policy perspective is the ongoing compliance to processes and procedures," says Prasad.

Khan also recommends that organisations work to cut out dependence on the end-user when using any encryption package, to ensure that there are fewer loopholes in the process.

"Today, data storage is easy. Higher capacities on USBs are easily available. If you expect your users to encrypt their USBs, it will never happen. Instead, build hardware encryptors into USBs. Data remains safe and users need not even know that encryption is happening," says Khan.

He emphasises that encryption needs to be seamless to the end-user and simple. The users need not be aware that encryption is happening in the background at every stage of data storage or sharing, but they will need to know how to react during specific situations or when there is a crisis.

The final cut

Encryption is becoming an increasing necessity for enterprises worldwide, as data integrity becomes crucial to increasing profitability in a highly competitive environment. The new solutions in the market enable enterprises to implement and use data encryption - across stored and travelling data - in a much easier fashion.

Nevertheless, they will need to handle them with care and implement them organisation-wide (across networks, stored data and data in remote devices using hardware appliances and software where necessary) to get the most out of them.

"Organisations always target the top executives, tend to have a very limited approach and go for a short procedure. I have not yet seen an enterprise which has the sense to implement encryption enterprise-wide.

The facts remain that the data that is being worked on every day, on every person's system, is sensitive and it can be anywhere and can be used by anyone. Enterprises need to look beyond the current scenario and consider the wider picture to get the most from encryption," concludes Khan.

Tips to better encryption

1. Choose the data to be encrypted - not all information needs to be encrypted. Ensure you know exactly what information actually needs to be encrypted.

2. Enforce different levels of encryption - the more critical the data, the higher the level of encryption.

3. Integrate with security policy - ensure that all coding is done in accordance with the demands of the organisation's security policy.

4. Pick the right solution - take your time with running tests and understanding the features of the solutions available in the market, and invest in the one that fits your criteria and passes your assessment test.

5. Centralise management - knowing how difficult things can get with key management, ensure that your solution is able to handle keys in a centralised fashion.

6. Count in latency - understand that any encryption solution will affect performance and architecture might need to be redesigned to account for this.

7. Hardware or software - pick a hardware appliance more often and choose software only if there is no other option.

8. Cut out the individual - don't let your users do their own thing. The IT department must be in control and have the keys. The organisation needs to be in control of its data all the time.
