Archive for November, 2009
An Attitude Shift for Data Security

As we near year’s end, I realize that the biggest change in data protection for 2009 has nothing to do with technology. Instead, it involves a shift in attitude.

The old attitude: “We have to put up all of the barriers to secure our data. We’ll throw on new intrusion detection, firewall, web filter, data loss prevention appliances, and put all-hands on deck to protect the perimeter!”

The new attitude: “Despite our best efforts, data gets out. We need to protect it from abuse.”

I think this new attitude reflects the reality that the threats to data security are ever more sophisticated, and the number of loss points has increased exponentially. The bad guys are amazingly successful at installing malware inside our networks and hiding their presence.

Cyber crooks don’t want to get noticed; they want to steal as much data as they can before we find them.

To make the situation more difficult, we are awash in new technologies that magnify the potential for loss. Social networks, instant messaging, smarter phones, SaaS, cloud computing, and on and on. There is just no way a self-respecting IT security organization can keep up with the pace of change. Innovation is fun, but it sure isn’t easy to secure.

Due to this challenge we are slowly coming to the realization that we have to encrypt sensitive data everywhere it lives and travels. This means encrypting data on laptops and other portable devices, on the wire as we transmit data on internal and external networks, on our backup tapes, and in our databases where we permanently store data. We’ve been slow coming to this realization because encryption is one of the harder technologies to deploy. It takes more work and more resources (hardware and human) to do it, and there is really no magic bullet we can shoot at the problem. So we are starting the hard slog to get encryption deployed on our systems.

I’m not suggesting that everyone unplug their firewalls, web filters and DLP appliances and deploy encryption. These solutions all have their place and are important in the security ecosystem. But we simply can’t be secure without encryption to protect the data. Now before you get fired up to tell me “encryption is not a panacea,” I’ll head those comments off by saying “I know that.” You have to do a lot of things to minimize the threat of data loss. (Please reread the first sentence of this paragraph.) I’m just saying that we’re not going to mitigate that threat without encryption as a part of the plan.

The bad guys are really smart – we have to give them that. I fully expect that we will see attacks on encryption and key management solutions. In fact, we’ve already seen attacks on weak encryption and bad key management techniques. So I am not naïve enough to think encryption is immune from these types of attack. But encryption done right provides a big barrier to jump over. I personally think that we have to make the leap and get busy implementing strong encryption of our sensitive data.

As you start to work on encryption projects, here are a few things to think about:

  • Performance is really important. Be sure to test the performance of your encryption solution on a large set of data. Badly performing encryption is one of the hardest problems to fix.
  • Cross-platform compatibility is crucial. If you encrypt on one platform, you don’t want to have to decrypt data in order to transfer it to another platform. That just opens another door for loss. Be aware that not all AES encryption is done the same way.
  • NIST certification is important. Regulations and best practices recommend independently certified encryption and key management solutions, so procuring certified solutions can help position you for the future. NIST certification also answers the question about cross-platform compatibility.
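The cross-platform point above is worth seeing in code. The Go program below is an added illustration, not code from this post or from PTSS: it encrypts a record with AES-256 in CBC mode using PKCS#7 padding, then hands the same ciphertext to two consumers that differ only in the padding rule they assume. The key, IV and plaintext are constructed sample values chosen for a reproducible run.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
)
// Constructed sample values so the run is reproducible; a fixed IV is never acceptable in production.
var (
	sampleKey = bytes.Repeat([]byte{0x11}, 32)    // AES-256 key (constructed)
	sampleIV  = bytes.Repeat([]byte{0x22}, 16)    // CBC IV (constructed)
	samplePT  = []byte("acct=12345678;amt=19.99") // 23 bytes, so PKCS#7 appends nine 0x09 bytes
)

// EncryptCBC is the sender's convention: AES-CBC, PKCS#7 padding, caller-supplied IV.
func EncryptCBC(key, iv, pt []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	n := aes.BlockSize - len(pt)%aes.BlockSize
	padded := append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(n)}, n)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return ct, nil
}

// DecryptCBC runs the cipher, then applies whichever padding rule the consumer believes in.
func DecryptCBC(key, iv, ct []byte, unpad func([]byte) ([]byte, error)) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("bad key or ciphertext length")
	}
	p := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(p, ct)
	return unpad(p)
}

// UnpadPKCS7 matches the sender's convention and validates every pad byte.
func UnpadPKCS7(p []byte) ([]byte, error) {
	n := int(p[len(p)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(p[len(p)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad PKCS#7 padding")
	}
	return p[:len(p)-n], nil
}

// UnpadZero is what another platform may assume (strip trailing zeros): same AES, key and IV, yet the nine 0x09 pad bytes survive.
func UnpadZero(p []byte) ([]byte, error) { return bytes.TrimRight(p, "\x00"), nil }
```

Mode, IV handling, padding and key derivation are all choices that sit outside the word "AES", and every one of them has to match on both ends before an encrypted record can move between platforms.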

I know encryption is not easy to implement. That’s why PTSS focuses on doing encryption right and easing your way into what should now be an integral part of your overall data security plan.

Patrick