In all my years in the computing industry, I have seen a
number of technologies come, go, and resurface. Without a doubt, one of the most
interesting is data encryption; yet, the general public still doesn’t seem to
have a firm grasp on it.

Part of the problem may be that many IT pros get their
information about data encryption from security vendors. None of the vendors at the security
seminars I have attended stress that data encryption is by no means a
substitute for a comprehensive corporate security architecture. For instance, sometimes
it only makes sense to use data encryption when no other alternatives exist;
sometimes you don’t need to use data encryption at all. You probably won’t hear
this in any security vendor seminar because they want to sell products—I just
want to educate you.

Know when to use data encryption

Data encryption is of little use unless you apply it to
specifically mitigate a risk or to address a legal requirement. In fact, if you
apply data encryption without consideration for how it will affect other IT
functions, it can actually increase risks in other areas of the enterprise.

A striking example of the misuse of data encryption is when
IT pros use encrypted file systems where this type of security is simply not
needed. Windows and almost all major operating systems can support
encrypted file systems, but most corporations would be hard-pressed to find a
general use for such security. Even so, many corporations adopt the use of encrypted file systems because they believe this protects their information if a system is compromised. This is generally not true; the real security issue is
keeping the system protected from compromise in the first place. An encrypted file system is not a reason to stop being vigilant
when applying updates and patches. Also, backups are a must because, if you
lose the decryption keys, your data is lost.

There are specific cases where it makes sense to use data
encryption. However, many IT pros decide to use data encryption because they
assume this means they will have “improved” security. For example, a
company that implements a VPN system using IPSEC isn’t immune from a worm or
virus if its virus scanner only inspects e-mail at the firewall border. A
solution is to enforce virus and worm scanning at the e-mail server, as well as
at the network perimeter; this guarantees that internal e-mail messages are
properly scanned for malicious content.

Reconsider using SSL to pass sensitive data online

Many IT pros incorrectly assume their data is secure if
they submit information using SSL. These two points are true: SSL encryption
makes it much more difficult (with SSL V3, perhaps close to impossible)
to make use of data if it’s intercepted; and SSL is a more secure data
transmission method than clear text. However, once the data is received and
decrypted on the other side of the SSL connection, you no longer have any real
control over it. Or, if your Windows system is infected with a keylogging Trojan,
typing your credit card number into an SSL session in a browser isn’t going to prevent
it from being stolen.

The general belief that SSL provides security is precisely
why many of the newer phishing scams that use SSL are tricking people into
giving up personal information. SSL does not provide more than simple data
transmission security. The real question is: What happens to the data
afterwards?

Encrypt e-mail using archivers

Secure e-mail is another area where corporations need some
education. Most corporations do not need the level of e-mail security provided
by PGP or built-in public key encryption in most e-mail systems.

When someone needs to send a Word document or Excel
spreadsheet securely, I usually suggest they use the data encryption features
of archivers such as WinZip or WinRAR, and send the secure data as an
attachment to a regular text e-mail. When the recipient gets the e-mail, they
decrypt the archive using a previously established decryption password. While
this is far from perfect, it’s generally secure enough to lower the risk to
minimal levels.

Summary

I must stress that data encryption is only one of the tools
in a comprehensive Internet security setup. Regardless of the sales pitches, remember
that the lowest common denominator in Internet security is people, not technology.

Jonathan Yarden is the senior UNIX system administrator, network security manager, and senior software architect for a regional ISP.