Data encryption is getting a lot of press these days. It seems like a host of businesses are running to encryption vendors to see how fast they can scramble their sensitive information in the face of well-publicized data breaches. Much of this excitement (or hysteria) is fueled by journalists and bloggers who frequently portray data encryption as some kind of security panacea. Security and IT managers need to step back and take a more objective look at how encryption fits into an overall set of data security solutions that provide practical, immediate and efficient protection. TJX appears to have skipped that step.
According to a recent article at Physorg.com (“Why Encryption Didn’t Save TJX”), there are two primary reasons why data encryption didn’t work for the giant retailer, even though data at rest was encrypted. First, credit card approval information was exchanged unencrypted with card approval processors. Second, the attacker had obtained the tools and information necessary to retrieve data that was encrypted. In other words, the interfaces over which sensitive data flowed were not protected, and encryption key management was lax.
Encrypting all data at rest or in transit might sound like a good idea, but it will require a major infrastructure overhaul for many organizations. Implementing encryption can also require costly steps to keep performance at reasonable levels. Further, there is the issue of key management. Key management is a huge risk if an organization hasn’t sufficiently focused on security fundamentals, including:
- Segment the network to provide restricted access to sensitive systems
- Encrypt ALL data passing out of restricted data segments
- Ensure database server security best practices are implemented: replace default passwords with strong passwords, continuously monitor direct database access activities, and use a single account to provide application access to the database; never configure a database so that application users (other than database administrators) have direct read or write access outside of the application
- Enforce least-privilege when designing user and system access controls
- Continuously monitor the movement of sensitive data within the confines of the internal network, including passing to and from mobile storage devices
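The monitoring items in this list (a single application service account, no lingering default accounts, and watching for direct database access that bypasses the application) can be turned into a simple review of the database's connection log. The following is an added example and is not code from the original article: the log line format, the account names, the 10.20.0.0/24 application segment and the jump-host address are all constructed assumptions, and a real deployment would read its own database's audit or connection log in whatever format it emits.

```python
"""Flag database connections that bypass the application tier.

Added example, not from the original article. The log format, host
addresses, account names and network segments below are constructed
assumptions for the demonstration only.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Policy assumptions (constructed for this example):
# - only the single application service account may connect, and only from
#   the application segment; anything else is a direct-access event to review
# - DBAs may connect, but only from the administrative jump host
# - default/vendor accounts should never be seen authenticating at all
APP_SEGMENT = ipaddress.ip_network("10.20.0.0/24")
APP_ACCOUNT = "app_svc"
DBA_ACCOUNTS = {"dba_jane"}
ADMIN_JUMP_HOSTS = {ipaddress.ip_address("10.99.0.5")}
DEFAULT_ACCOUNTS = {"sa", "root", "postgres", "admin"}

# Constructed log shape: "<ts> user=<u> host=<ip> db=<db> event=<connect|query> ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+host=(?P<host>\S+)"
    r"\s+db=(?P<db>\S+)\s+event=(?P<event>\S+)"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    host: str
    reason: str


def classify(line: str) -> Optional[Finding]:
    """Return a Finding for a line that violates the access policy, else None."""
    m = LINE_RE.match(line)
    if not m:
        return Finding("?", "?", "?", "unparseable log line")
    ts, user, host = m["ts"], m["user"], m["host"]
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return Finding(ts, user, host, "unparseable source address")
    if user in DEFAULT_ACCOUNTS:
        return Finding(ts, user, host, "default/vendor account still in use")
    if user == APP_ACCOUNT:
        if ip in APP_SEGMENT:
            return None  # the expected path: the application tier
        return Finding(ts, user, host,
                       "application account used from outside the application segment")
    if user in DBA_ACCOUNTS:
        if ip in ADMIN_JUMP_HOSTS:
            return None  # administrative access from the approved host
        return Finding(ts, user, host, "DBA account used from a non-admin host")
    # Any other account reaching the database directly bypasses the application.
    return Finding(ts, user, host, "direct database access by a non-service account")


def review(lines: Iterable[str]) -> List[Finding]:
    """Run classify() over a batch of log lines and keep only the findings."""
    return [f for f in (classify(line) for line in lines) if f is not None]


# Constructed sample log; timestamps and addresses are made up.
SAMPLE_LOG = [
    "2013-01-10T08:00:01Z user=app_svc host=10.20.0.14 db=orders event=connect",
    "2013-01-10T08:05:22Z user=sa host=10.20.0.14 db=orders event=connect",
    "2013-01-10T08:07:45Z user=jsmith host=10.30.1.7 db=orders event=query",
    "2013-01-10T08:09:10Z user=dba_jane host=10.99.0.5 db=orders event=connect",
    "2013-01-10T08:11:03Z user=dba_jane host=192.168.50.2 db=orders event=connect",
    "2013-01-10T08:12:30Z user=app_svc host=172.16.4.9 db=orders event=connect",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(f"{finding.ts} {finding.user}@{finding.host}: {finding.reason}")
```

The point of the single-service-account rule is that it makes this review trivial: once only one account is supposed to reach the database from one segment, every other connection is an exception worth looking at, regardless of whether the data it touched was encrypted at rest.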
This list is just a start. There are many more steps that can be taken to protect data before an organization aggressively pursues an enterprise encryption solution. I’m not saying that encryption isn’t useful. I am saying that it’s just one control out of a host of others that must be working effectively to truly secure information assets.
Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.