We all know that encryption is a good thing. We've heard, over and over, that it's the last line of data defence in a breached system, it protects data from nosey employees, and it's required for many data-protection government regulations and industry standards.
But frankly there's absolutely no point in encrypting data... unless encryption is part of a comprehensive plan that includes policy-based security with restricted access to keys, proper key rotation, separation of duties and protection of stored keys. Encryption alone is like carefully locking up a building and then giving everyone in the neighbourhood the keys.
The keys to your kingdom
One of the essential components of data encryption is key management - the way cryptographic keys are generated and managed throughout their life cycle. Because cryptography is based on keys that encrypt and decrypt data, your data security solution is only as good as the protection offered by your keys. Genuine security depends on two factors: Where are the keys stored and who has access to them?
Enterprises should look for key management solutions that provide the capability to centralise all key management tasks on a single platform and automate administrative key management tasks. This provides both operational efficiency and reduced management costs. Keys should also be securely backed up and rotated periodically to ensure absolute security - back up benefits are obvious, key rotation is a process that automatically decrypts data using existing encryption keys and then re-encrypts it with new keys, at pre-selected intervals.
Other essential key management features include a secure mechanism for replication. Any encryption product that does not provide a secure means of recovering/replicating keys is a catastrophe waiting to happen, and one that's unfortunately likely to manifest in a disaster recovery situation. Look for a solution that allows keys to be replicated when a quorum comprised of a pre-determined number of people authenticate themselves to the system.
A mature data security management programme must provide secure automated encryption management - including secure encryption key protection, ageing, and replacement - across all platforms hosting critical information.
Depending on the sensitivity of data that is being encrypted and the government and industry regulations that affect a particular organisation, companies may want to look for a solution that supports dual control implementation of encryption key management. This feature blocks one - party changes and requires two people to authenticate major changes, in the same way as particularly large bank cheques require two signatures to be valid.
One critical key management policy is regulating separation of duties. The key custodian should be a separate role and responsibility that is carried out outside your operations systems, away from your data management and database activities. Another best practice is defining different key classes.
Businesses should have different rules regulating the keys that lock down the most critical data. The type of data the key is protecting should make the difference between whether it should be generated in hardware or software, or if the key should be stored or cached on a local distributed system. It will also determine how often the key should be replaced.
To devise a workable security plan, the enterprise needs to know its own biggest vulnerabilities and risks. Step back and look at the entire key management security chain and determine the weakest links. Remember that Defcon Level 1 security is not necessary across the entire enterprise, unless the organisation has an exceptionally high inherent risk profile.
Be holistic and reasonable about what needs to be done; the best way to manage data security is grounded in a realistic risk-based analysis that informs the enterprise's security policies.
Don't get sidetracked by more esoteric security needs, such as protecting keys in memory. Instead, focus on comprehensively securing the most vulnerable points in the system. The best solutions will minimise performance impact by monitoring only the information that's critical from a security point of view instead of entire databases.
Privacy and security mandates and other business requirements will define which information requires this higher level of protection and audit. Focusing only on sensitive information optimises performance and maximises the usefulness of the protected security audit log.
Best intentions - policies, enforcement
Far too often companies, government agencies and departments establish good strong data security policies, everyone signs off on those policies... and then blithely they wander off and resume business as usual. Recent studies from Forrester, Ponemon and other research firms indicate blatant disregard for security policies is widespread - users either don't understand the policies or disregard policies that they believe are too strict and which interfere with getting the work done easily and quickly.
The Ponemon Institute, in a recent report 'Data Security Policies Are Not Enforced,' found that more than half of the survey's respondents had copied confidential company information onto portable devices, though more than 87 per cent also said that company policy forbids such practices. About 46 per cent said they routinely share passwords with colleagues, even though two-thirds of those respondents admitted that their company's security policies prohibit password sharing.
Businesses need to have comprehensive training programmes detailing the importance of protecting private data, and the reasons for the policies that are in place to do so, and real consequences for any and all attempts to thwart security policies. Then you need to enforce those policies using technologies like role-based access to ensure that no one accesses information that their job doesn't require them to see.
Automated enforcement
Furthermore you need automated enforcement of security policies to block forbidden activities and system auditing to see who is doing what with protected data. Managers can use this information to track trends, analyse potential threats, support future security planning and assess the effectiveness of the solutions, policies and procedures already in place.
Auditing shouldn't be a huge data dump of every possible bit of information; to be useful it should be selective. Selective and granular auditing saves time and reduces performance concerns by focusing on sensitive data only. Ideally, the logs should focus on the most useful information for security managers; that is, activity around protected information. Limiting the accumulation of audit logs in this way means more critical security events are highlighted and reviewed.
Strong database security policies and procedures must be in place to accommodate the regulatory compliance environment. To comply with most privacy regulations you must protect, audit and segregate duties for sensitive data in databases.
A mature encryption solution will offer automatic and enforced segregation of duties between DBAs and security officers. Thus enabling centralised management of security parameters as well as a system of integrity checks and self-protection of individual modules, user accounts, and database extensions in distributed environments and across the leading relational databases, including web and internet-enabled database applications.
Security tools play an important role in securing sensitive data from acquisition by the enterprise until its storage and deletion. However, it remains the task of management to make real-world assessments of risks to data, how those risks are best mitigated and how these assessment decisions are promulgated and enforced throughout the enterprise.
Establishing appropriate enterprise architecture key management, with policy-driven enforcement and auditing, maximises data security efforts. Neglecting to support security investments with sensible policies and practices results in wasted time, money and vulnerable systems.
For more information please visit: www.protegrity.com
