The use of encryption has largely been the stuff of military history. The recent movie The Imitation Game tells a silver-screen version of the famous WWII Nazi Enigma Machine and how British mathematician Alan Turing and his colleagues were able to crack its code.
But because of the jarringly bad news about high-profile data breaches, and the increase of privacy regulations and compliance requirements, the use of encryption technologies is on the rise. In the enterprise, the purpose of encryption is to ensure the security and confidentiality of information and data stored on proprietary or cloud-based systems and sent via digital communications.
A Ponemon Institute global survey on encryption trends (also cited below) shows a steady, if not dramatic, increase in enterprise-wide use of encryption: up from 16% in 2005 to 30% in 2013.
In this briefing, we look at the essentials and basics of encryption technology, what data needs to be protected, encryption trends, the relevant features of planning, strategies, best practices, and risks in encryption.
According to Techopedia, “Encryption is the process of using an algorithm to transform information to make it unreadable for unauthorized users. This cryptographic method protects sensitive data by encoding and transforming information into unreadable cipher text. This encoded data may only be decrypted or made readable with a key.”
The two main types of encryption are symmetric-key and asymmetric-key. As Techopedia explains:
“Symmetric-key encryption uses two secret, often identical keys or codes for computers involved in message transmission. Each secret key’s data packet is self-encrypted. The first symmetric encryption algorithm is the Data Encryption Standard (DES), which uses a 56-bit key and is not considered attack-proof. The Advanced Encryption Standard (AES) is considered more reliable because it uses a 128-bit, a 192-bit or a 256-bit key.”
It likewise explains asymmetric-key encryption:
“Asymmetric-key encryption, also known as public-key encryption, uses private and public keys in tandem. The public key is shared with computers attempting to communicate securely with the user’s computer. This key handles encryption, rendering the message indecipherable in transit. The private matching key remains private on the user’s computer. It decrypts the message and makes it readable. Pretty good privacy (PGP) is a commonly used public-key encryption system.”
Symmetric-key encryption is faster than asymmetric. However, the sender and/or owner of the data has to exchange the key with a recipient before the cipher text can be decrypted (i.e., un-encrypted). Most users of encryption solutions therefore use a symmetric algorithm to encrypt data and an asymmetric algorithm to securely distribute secret keys to manage the whole cryptographic process.
With public-key, or asymmetric cryptography, the RSA algorithm is the most common. RSA enables both the private and public keys to encrypt a message; the opposite key to the one being used for sending can decrypt the transmission. SearchSecurity says, “This attribute provides a method of assuring not only confidentiality, but also the integrity, authenticity and non-reputability of electronic communications and data-at-rest through the use of digital signatures.”
That refers to the two main uses of encryption: protecting data-in-motion — communications — and protecting data-at-rest — storage.
Vormetric is a provider of enterprise encryption and key management services. In a TechRepublic Q&A in December 2014, I asked its VP of Cloud, C.J. Radford, about the importance of protecting data-at-rest in enterprise use of the cloud:
“Data-at-rest protection is absolutely imperative for enterprise cloud deployment, due to the rising tide of data breaches at high profile institutions, multiplying national privacy regulations, and increasingly strict compliance requirements. Enterprises that fall behind on any of these fronts will risk losing business opportunities, or worse. There are very clear business and economic benefits that come from leveraging cloud environments, but those benefits are moot if enterprises don’t have proper precautions in place.”
The final component of this mini-briefing is cryptographic hash functions. Used for digital signatures, data security checks, and other security purposes, hash functions take a file, message, or data source and generate a “digital fingerprint” that is shorter than the original. This is called a “message digest” or “hash value.” It’s used to check the integrity of a message and the identity of its sender. A main element of a hash value is that the input can’t be determined from the output; the output serves only as a check.
The goods: What to encrypt, how to steal it
Regarding what to encrypt, information services firm Iron Mountain sums it up cogently: “It’s simple — protect any data that would pose a serious problem if it was disclosed.” Here’s its checklist:
- Customers’ account and transaction information
- Financial, legal or other data subject to regulatory guidelines or audits
- Employment files
- Personal information regarding clients or customers
- Strategic business documents
- Any/all other confidential and proprietary materials
Iron Mountain adds that companies building an encryption plan should “take time to solicit input from business unit managers and the IT department as to which information is high, medium and low security,” and then start with the high-security data and files.
The use of data encryption is on the rise because a whole cast of characters want to steal proprietary information. Once encryption is in place, however, there are three main ways to break a cipher:
- Brute force: Trying each possible key through computational power until a match is found. The chances of this attack succeeding depend on the length of the key; encryption strength is proportional to key size, which thus drives the resources necessary to break the cipher.
- Side-channel attacks: Attacking the implementation of the cipher rather than the cipher itself. Flaws in either the design or the execution of encryption can produce exploitable chinks in the armor.
- Cryptanalysis: finding a weakness in the cipher that can be exploited. This becomes more feasible when the cipher is itself flawed. And here is where the National Security Agency (NSA) makes its entrance in our story — the allegations that the NSA purposefully weakened the DES algorithm have refused to go away.
In the wake of the revelations from former IT consultant Edward Snowden in 2013, many (including this author) contend that the NSA’s agenda is to weaken encryption solutions and infiltrate cryptography standards. What the end game will be is anyone’s guess, but the range of possible outcomes is no cause for comfort. Yet a sense of fatalism is not in order here: You still have to protect your data from corporate espionage, insider threats, and hacking, even if the spooks have a secret keyhole to look through.
Along with side-channel attacks, IT decision makers need to be aware that hackers are often seeking to steal encryption keys from their targets — which is highly efficient, once you pull it off. Another reason to have well-defined processes and a comprehensive encryption and security strategy, which we will look at in a moment.
Get an in-depth look at these related topics:
- The undercover war on your internet secrets: How online surveillance cracked our trust in the web
- Hacking the Nazis: The secret story of the women who broke Hitler’s codes
Encryption trends survey
Last year, the Ponemon Institute released the 2013 Global Encryption Trends Study. Sponsored by Thales e-Security, Ponemon has conducted the annual survey since 2005. The survey, which polled more than 4,800 individuals across eight countries, was intended to “examine how the use of encryption has evolved over the past nine years and the impact of this technology on the security posture of organizations.” Although the survey is a year old, we can still gain useful insights from its key findings:
- Organizations are increasingly adopting formal encryption plans or strategies. Since the first survey in 2005, more enterprises are reporting a systemic approach to encryption. From 2005 to 2013, the figure has gone up from 16% to 35%.
- Encryption is an element of a strong security posture. Enterprises that have a wider deployment of encryption, apart from those narrowly focused, tend to be more aware of threats to data loss and spend more on cybersecurity. Also in the survey, organizations rated with a strong security posture are three times more likely to use an encryption plan, compared to those with a less robust posture.
- The bad news about data breaches is driving adoption of encryption. This is good news both for encryption firms and information security pros. In the past, brand reputation was the stronger driver. Keep in mind, this survey preceded 2014, the “year of the breach.”
- The main encryption challenges are discovering data at risk and the actual deployment. The Ponemon Institute survey also uncovered that the least challenging elements are budget allocations, selecting a solution, and measurement.
- Encryption usage is growing in all categories. The areas most likely to be encrypted are external public networks, databases, and backup files. Encryption in cloud environments remains “low” according to the survey. Per C.J. Radford’s comments noted above, this should be a red flag. 70% of respondents listed five or more types of encryption.
- The financial services vertical is the most likely to have wide encryption deployments. The strongest growth is in financial services and the hospitality industry. The verticals least likely to have extensive deployments of encryption are manufacturing and retail. As noted, since these data are over a year old, I would expect a change in the retail sector in the next survey.
- The main features of encryption solutions are system performance, automated key management, and automated policy enforcement. Encryption functionality takes on more significance as the adoption of encryption increases, and its conformity to security standards is growing more and more important.
- Ouch — key management is painful. On a 10-point scale, more than half the respondents rated the difficulty of key management at a seven or higher. A mismatch, perhaps: 75% said that key management is well-defined in their enterprises, but less than a quarter (23%) indicated that it has dedicated resources.
Encryption planning, strategies, and best practices
As the Ponemon survey reports, enterprise adoption of formal encryption strategies is increasing. But encryption is not easy. In this final section we look at what researchers and encryption solution providers consider to be necessary elements of planning, strategy, and risk management.
Three essentials of an encryption plan
In addition to the list of what data to encrypt cited above, Iron Mountain lists what it considers the three essentials of an encryption plan:
- Data assessment. Assess your firm’s data, determine what should be encrypted, and decide on priority levels based on your overall encryption needs.
- Encryption solutions. Encryption is not easy — consider partnering with a top solution provider for both encryption and key management.
- Costs and performance. Assess the cost of implementing and running the encryption system. Along with a long-term encryption plan, determine how your processes and tools affect network overhead.
Elements of an enterprise encryption strategy
In April 2014, ESG released a white paper commissioned by Hitachi Data Systems (HDS) titled “Meeting Enterprise Encryption Requirements.” In the white paper, ESG writes that an enterprise encryption strategy should include:
- Central key management. As adoption of encryption proceeds within an organization, the security group will need the means to centrally administer key management policies and reporting. Larger enterprises might also need to federate encryption roles and responsibilities to business units and company locations, while preserving centralized management.
- Enterprise-class key management. As adoption of encryption continues, the security team will need to implement a system that centralizes cryptographic key lifecycle management on an enterprise level. Separate encryption technologies often have built-in key management. They also have different levels of functionality and often require teams to use separate key managers. In addition, centralized control of of key management provides visibility into essential processes like backup, archiving, and destruction.
- Flexible deployment options. IT and security teams need deployment options that support different encryption use cases, applications, locations, and performance requirements. In the past organizations had to choose data management and storage solutions first and deal with encryption as a product feature. To mitigate the potential chaos, security teams need encryption services that can align with all kinds of use cases across a wide variety of technologies. Companies also have to consider business continuity/disaster recovery (BC/DR) requirements as part of any data encryption project to make sure that data can be properly encrypted and decrypted for BC/DR activities, such as data mirroring, failover, and restoration.
- Secure administration and logging. Encryption and key management administration should be delegated to a specific team with clearly defined skills and responsibilities. Having such a team requires systems in place with strong account security and role-based access controls. All tasks performed by the team, moreover, should be continuously logged and regularly reviewed.
Encryption strategy risks
Ugh! The devil is in the details, as they say. But you may not be the first to have made the mistakes, and this useful checklist from Thales might help you avoid them. Here is its list of risks associated with encryption strategies:
- Encryption is not a “silver bullet.” Encryption can be applied in numerous ways to protect different types of data, as well as applying it in layers, with each layer having a specific role. The lack of a strategic approach, on the other hand, can increase costs, complexity, and business risk.
- Don’t overlook key management and security. Hackers are not likely to try to break encryption algorithms; instead they will target encryption keys and their management processes.
- Regulators and auditors are paying attention to key management. Enterprises have to be prepared to show how they are following encryption best practices and other relevant standards.
- The risk of losing keys, not theft, is greater. Loss of keys means losing the data that they protect, and that can be painful. This can happen when those charged with key management have to rely on manual processes, bad documentation, and poor training.
- Encryption can drain computing resources. Enterprises need to seek optimal deployments; otherwise, encryption can limit capacity, increase costs, and negatively affect user experiences.
- Security and Privacy: New Challenges (ZDNet special feature)
- IT Security in the Snowden Era (ZDNet special feature)
- Executive’s guide to the next wave of security challenges (free ebook)