Data Encryption: Rationale, Practices and Tools
Network computing is a constantly evolving field. Changing standards, practices and technologies require a constant effort to stay ahead of the curve and maintain security and operability. Encryption management is a particular challenge in network computing. Encryption, or protection of data so that only those authorized to use it have access, is a necessity for any organization, particularly in those areas that deal with personal information or company data assets. Encryption utilities are constantly changing as older ciphers are broken and new ones are designed. Designing, maintaining and enforcing a coherent, organization-wide data encryption policy is a major challenge. Factors such as scalability, cost and robustness of the encryption algorithm and which data needs to be protected must be taken into account, and the constantly changing landscape of an organization’s data must be routinely inspected to ensure compliance and examine new requirements for encryption protection. The costs of failing to protect an organization’s vulnerable data can be enormous, as evidenced by recent news of security breaches involving unencrypted personal data at organizations like the FTC, the Department of Veterans Affairs and ING Bank.
The impetus for data encryption ranges across a number of different motivating factors. According to Wiens (2007, 42), 40% of organizations use data encryption to protect their brand or reputation from the harmful press coverage surrounding a data leak, particularly one which involves the unencrypted personal information (PI) of employees or customers. This coverage has become more common over the past five years, and high-profile data leaks from banks, government organizations and businesses are discussed in the mainstream media and have become common knowledge among the American public. A Google News search reveals dozens of reports of data leaks from companies and organizations such as ING, the Department of Veterans Affairs, the Bank of Scotland, TJMaxx/TKMaxx, the Federal Trade Commission and others. According to Wiens (2007, 46), 46 million Americans have their personally identifiable information compromised each month through data loss. These reports are often sensationalized in the press, leading to an atmosphere of distrust for an organization that has suffered a publicly reported data breach. A report of an unencrypted data leak through either a network breach or physical means such as theft of a laptop can significantly damage a firm’s reputation.
A second motivating factor for the use of data encryption is compliance with state and federal laws. A number of federal laws have been passed in the last decade that control the use, storage and dissemination of personal data. Federal laws which may impact an organization’s data protection policies include the Gramm-Leach-Bliley Financial Services Modernization Act, which allowed for the controlled consolidation of the banking industry; the Sarbanes-Oxley Act, passed in response to the WorldCom, Enron and Tyco accounting scandals, which mandates tighter accounting and auditing procedures for publicly held companies; and the Health Insurance Portability and Accountability Act, or HIPAA, which increases privacy regulation for health records and patient information (Wiens, 2007, 42).
Although the effect of these laws on a company’s data encryption requirements is not clear, many organizations have taken a “better safe than sorry” approach and implemented data encryption on the basis of the laws. In addition to federal laws, Wiens (2007, 42) stated that at least 30 states also have laws on the books mandating personal information protection and disclosure – companies which do business in these states must observe both state and federal regulations regarding privacy protection of their employees and customers.
A third impetus for data encryption implementation is the Payment Card Industry Data Security Standard, or PCI DSS (Wiens, 2007, 42). This standard, set by the PCI Security Standards Council, representing all major issuers of payment cards including American Express, Visa, MasterCard, JCB and Discover, regulates the data protection requirements for organizations that are involved in credit card processing. It specifically addresses requirements for encryption of customer data before it is transmitted across the network for payment processing. The standard, which is technically detailed and specific, applies to all payment card handlers, meaning that most corporations must comply with it (Wiens, 2007, 42). This is a factor few organizations can afford to ignore.
A final factor in the use of data encryption is the potential for company data to be lost to competitors or others. As Macvittie (2006, 57) notes, a company’s information reserves are one of its greatest assets, and one of the hardest of its assets to protect. A data leak can take place quickly and typically involves a huge amount of information. Data encryption decreases the risk of data loss and makes it easier for organizations to protect their information resources.
There are a number of ways in which a company can choose to implement data encryption. These range from extremely secure (boot-level encryption on all machines, use of encrypted drives and file systems, and mandatory encryption on email communications and other data transfer) to minimally secure (encryption on outgoing email and known repositories of sensitive personal information). MacVittie (2006, 57) noted that there is a delicate balance between security and usability, and that in many organizations attention is paid not to whether a user is authorized to view a given piece of information, but whether they are authorized for system access as a whole. Determining the proper balance between access for authorized users and protection from unauthorized users is essential for designing an encryption strategy.
MacVittie (2006) identified a number of points where data protection is required within an organization and recommended strategies for protecting this information. The first weak point identified was database encryption. MacVittie noted (60) that the entire database does not need to be encrypted, and that attempting to do so can consume system resources at a high rate. While modern multicore CPUs are often underutilized and can easily handle the load of partial database encryption without seriously impacting server performance, full database encryption may overwhelm the CPUs and decrease server performance unacceptably (MacVittie, 2006, 60). Rather than full database encryption, MacVittie recommended encrypting only tables containing sensitive data, such as credit card information or Social Security numbers, and that one encryption key per table be used. While it is possible to encrypt only the columns containing this information, he noted, encryption of a single column impedes indexing on the column and can impact system performance if the database query engine is forced to perform a full table scan on the table rather than using an indexing strategy. MacVittie noted that while some encryption solutions will allow for the use of an encrypted row as a primary key, these solutions are very slow.
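To make the indexing point concrete, here is an added example written for this page (it is not code from MacVittie’s article or from any product he reviewed) using Python’s built-in sqlite3: an SSN column under randomized encryption can only be searched by decrypting every row, and the example goes one step beyond the text by adding a keyed-hash “blind index” column that restores an indexed equality lookup without exposing the plaintext. The HMAC-based keystream cipher, the table layout and the sample rows are all constructed here for illustration.

```python
import hashlib, hmac, os, sqlite3

def _keystream(key, nonce, n):
    # HMAC-SHA256 in counter mode as a demonstration-only keystream; a real
    # database would use an AES mode, but the effect on indexing is identical.
    out = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                   for i in range((n + 31) // 32))
    return out[:n]

def encrypt(key, plaintext):
    # Randomized: a fresh nonce per row means equal SSNs give different ciphertexts,
    # so a B-tree index on the ciphertext column cannot answer an equality query.
    nonce = os.urandom(16)
    return nonce + bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))

def decrypt(key, blob):
    nonce, body = blob[:16], blob[16:]
    return bytes(c ^ s for c, s in zip(body, _keystream(key, nonce, len(body))))

def blind_index(index_key, value):
    # Keyed hash of the plaintext: equal values give equal tokens, so this column can
    # carry an ordinary index, while the token reveals nothing without index_key.
    return hmac.new(index_key, value.encode(), hashlib.sha256).hexdigest()

# Constructed sample rows; the SSNs are well-known invalid test numbers.
SAMPLE_ROWS = [(1, "Ann", "078-05-1120"), (2, "Bob", "219-09-9999"), (3, "Cy", "078-05-1120")]

def build_table(enc_key, index_key, rows=SAMPLE_ROWS):
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, "
                 "ssn_enc BLOB, ssn_idx TEXT)")
    conn.execute("CREATE INDEX ix_ssn ON customers (ssn_idx)")
    for cid, name, ssn in rows:
        conn.execute("INSERT INTO customers VALUES (?, ?, ?, ?)",
                     (cid, name, encrypt(enc_key, ssn.encode()), blind_index(index_key, ssn)))
    return conn

def lookup_full_scan(conn, enc_key, ssn):
    # Equality lookup using only the encrypted column: every row is read and decrypted.
    hits, touched = [], 0
    for cid, name, ssn_enc, _ in conn.execute("SELECT * FROM customers"):
        touched += 1
        if decrypt(enc_key, ssn_enc).decode() == ssn:
            hits.append((cid, name))
    return hits, touched

def lookup_blind_index(conn, enc_key, index_key, ssn):
    # The same lookup through the indexed token; only candidate rows are decrypted.
    rows = conn.execute("SELECT id, name, ssn_enc FROM customers WHERE ssn_idx = ?",
                        (blind_index(index_key, ssn),)).fetchall()
    return [(c, n) for c, n, e in rows if decrypt(enc_key, e).decode() == ssn], len(rows)

def uses_index(conn):
    # Ask SQLite's planner whether the token lookup is an index search rather than a scan.
    plan = conn.execute("EXPLAIN QUERY PLAN SELECT id FROM customers WHERE ssn_idx = ?",
                        ("x",)).fetchall()
    return any("ix_ssn" in str(row) for row in plan)

if __name__ == "__main__":
    ek, ik = os.urandom(32), os.urandom(32)
    conn = build_table(ek, ik)
    print(lookup_full_scan(conn, ek, "078-05-1120"))        # ([(1, 'Ann'), (3, 'Cy')], 3)
    print(lookup_blind_index(conn, ek, ik, "078-05-1120"))  # ([(1, 'Ann'), (3, 'Cy')], 2)
    print("index used:", uses_index(conn))                   # True
```

The blind index trades a little information (equal plaintexts are visible as equal tokens to anyone holding the token column) for an indexed lookup, which is the same trade the deterministic “encrypted primary key” products mentioned above make, but with the index key kept out of the database.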
MacVittie’s second point of data protection is database logging. As MacVittie noted, very few organizations have a complete handle on their database landscape, and data may exist at numerous points within the organization, everywhere from enterprise databases to Excel spreadsheets on employees’ desktops. This creates an atmosphere of uncertainty about where information is stored and leaves an organization vulnerable to data loss through unanticipated means, such as the theft of an employee laptop with unencrypted company data on its hard drive. Understanding where company data is located is a basic step in creating and enforcing a data protection policy. MacVittie (2006, 60) noted that database logging is functionality included in all major database implementations; enabling this functionality and using a log analysis tool to examine the logs will create an overview of where data is going. Additionally, MacVittie noted, there are rogue database detection tools that can root out unauthorized database installations and allow for examination of the database to ensure that it does not require further protection. A final class of database protection tools, database extrusion detection tools, allow system administrators to set policies on user accounts which restrict access to information and alert administrators when abnormal database activity is occurring. These tools can be used to enforce internal data access policies and to prevent unauthorized extraction of data.
MacVittie’s third weak point in data protection was the company’s network and data access policies. Both network IDS (intrusion detection system) and host IDS indirectly aid in data protection by detecting and in some cases intercepting malicious connections before company data is exposed. However, IDS is only the first step in protecting data against network intrusion. As MacVittie noted (61), it won’t prevent malicious damage by an authorized user, nor will it prevent inappropriate access by someone who gains the authorization information of an authorized user. MacVittie particularly noted the danger of employees siphoning information for their personal use (although not always for their financial gain). This is a very obvious weak point in data security. In February 2006, Denver-based Colorado College reported the loss of personal information, including names, academic information, dates of birth and Social Security numbers, from 93,000 present and former students (neohapsis.com, 2006). The unencrypted information was stored on a laptop that was reported stolen; the college employee who used the laptop had downloaded the information for use in writing their master’s thesis. Unfortunately, there is no easy answer either to the problem of unauthorized use of company data by an authorized user or to unauthorized access by someone who gains the access credentials of an authorized user. These vulnerabilities, as MacVittie noted, must be addressed by policy and human resources means rather than technical means at this time. Information leak prevention, or ILP, tools can alleviate some of these data control problems by examining network traffic to ensure that no proscribed information, such as company intellectual property or customer data, is passing out of the network (MacVittie, 2006, 64). These tools typically operate in detection mode and prevention mode.
Detection mode examines network traffic and determines points at which this proscribed information is leaving the network, and notifies the administrator of when and where leaks are occurring; prevention mode stops the data from leaving the network (MacVittie, 2006, 64). While MacVittie noted that these tools are effective against deliberate passing of company data by employees and Trojans that target IP and customer data, they are less useful against transmittal of usernames and passwords or other authorization credentials.
The final weak point in company data protection discussed by MacVittie is backups. Most company data is backed up to tape at some point, and it is often not protected; network incursions are considered to be a greater risk for data loss than the physical loss of backup tapes. However, backup tapes and tapes used for mass data transfer are often lost, and the information stored on them can place a company in a position where it may suffer serious data loss. In June 2005, Citigroup reported that UPS had lost a shipment of data tapes containing financial data of almost 4 million customers; the tapes were on their way to a credit bureau when they were lost (Manor, 2005). Other notable data tape losses which involved breach of company or personal information include Bank of America’s loss of financial data on 1.2 million customers in early 2005 when the tapes were lost en route to their offsite storage facility, Time-Warner’s loss of backup tapes containing information on 600,000 employees and Ameritrade Holding Corporation’s loss of personal data on 200,000 customers (Manor, 2005). All of these backup tapes were unencrypted and contained a large amount of personal information and company data. Interception or loss of unencrypted data tapes, either during shipment to a business partner or to an offsite backup facility, is a significant risk in terms of potential data loss, and is a special concern for companies that deal in financial or personal data of their customers.
MacVittie (2006, 64) recommended several steps to avoid the loss of data during tape backup and shipment. For short-term storage of a few months or less, using replication (direct backup to the storage facility’s machines) rather than tapes eliminates the possibility of tape loss by a courier service or interception or misdirection during shipment. It also means that data is more up to date and can be accessed more readily if required. MacVittie noted that if replication is used, the replication stream and/or the data must be encrypted in order to prevent interception as the data is leaving the network.
Long-term storage presents different challenges than short-term storage. Tape backup is required for long-term storage, as few backup facilities have the disk space to keep more than a few months’ worth of data online. In order to protect these data tapes, they must be encrypted. As MacVittie noted, encryption of this data is simple and can be done at any level – it is offered by backup applications, tape drives and network appliances, and can also be done manually before backups take place. The main challenge is in key management; while encryption keys must be retained in order to be able to retrieve the data, storing the keys on the tape (the most obvious solution) is extremely insecure and can lead to data loss if the tapes are intercepted or lost. MacVittie recommended using a key management solution such as RSA Key Manager to keep track of encryption keys for long-term tape backups.
Backup tapes and databases are not the only weak points in a company’s data landscape. Disk drives often have information scattered on them in places even IT won’t think to look; this is a particular problem with laptops and other mobile devices where normal means of data protection may not be feasible. However, data protection for mobile devices is particularly important, since these devices are also highly vulnerable to theft. In this case, full-disk encryption may be the best solution to preventing data loss. Wabiszczewicz (2007, 1) discussed full-disk encryption for mobile data protection.
Wabiszczewicz noted that file-level and folder-level encryption works only for known personal data; files auto-generated by Outlook, web browsers or other applications may contain unencrypted personal data and be stored in unobvious places. Wabiszczewicz allowed that full-disk encryption does have the potential to disrupt business operations if not done carefully (for example, if a master key or key escrow is not used, a terminated employee’s data may not be retrievable from the disk); however, it is the most robust solution for ensuring that all data on the disk is encrypted without regard to where it is located (2007, 2).
Current full-disk encryption solutions are expensive (Wiens noted a cost of $70 per seat even at 1,000 seats for the least expensive solution examined). However, for Windows users, there is a less expensive solution called BitLocker, which provides full-disk encryption for Vista using a combination of software and a USB dongle (Wiens, 2007, 2). Considerations to be taken into account when choosing a full-disk encryption solution include: whether the encryption is pre-boot or post-boot (pre-boot encryption means that only authenticated users can boot the machine); whether the encryption supports hibernation or suspend, allowing the user to save state between working sessions; the method users use to reset passwords and PINs; how administrators can reset passwords and PINs; and how an administrator retrieves the master password or key (Wiens, 2007, 5). Careful choice of full-disk encryption can provide protection for company data when it is outside the company firewall as well as on the inside.
Although encryption and system protection are a large part of the data protection landscape, they are not necessarily well integrated or coherent. One method of managing sensitive data is using a privacy compliance system, or PCS. These systems cover all aspects of privacy compliance, including legal requirements and database management, allowing for a single policy across the organization. As Mueller (2007, 74) remarked,
“PII [personally identifiable information] has seeped into the fabric of enterprise business processes and systems. Protecting it thus far meant drowning in point products that attack the problem in narrowly focused ways, without hope of integration. It’s an expensive and time-consuming response to a situation created, in large part, by expensive and poorly designed OSs and applications that play fast and loose with sensitive data.”
This confusion of solutions that solve only narrowly defined parts of the data protection issue makes data management complicated and expensive. Mueller described the ideal solution for this dilemma: enterprise-level privacy compliance solutions (PCS) that integrate with other security measures and provide multiple data-vector coverage (2007, 74). The PCS is intended to enforce both regulatory and technical aspects of privacy compliance and data protection, including both personally identifiable information and company intellectual property. PCS are still in the development stage, with only a few offerings on the market for enterprise use. However, development of these products is increasing and they are expected to become more robust quickly as their use becomes more common.
PCS must be able to recognize a number of different rule sets, including regulatory, policy and technical requirements. Regulatory requirements include legal obligations, such as Sarbanes-Oxley, HIPAA and state laws. As Mueller noted, PCS must be able to analyze data in order to apply regulatory requirements in order to ensure compliance; for example, if regulatory requirements state that Social Security numbers must be protected, the PCS must be able to analyze data and detect the presence of the Social Security numbers (2007, 78). Internal policy compliance must also be integrated. Many organizations have their own internal privacy and data protection policies, such as HR policies and access to intellectual property. The PCS must be able to analyze and interpret data in terms of these business rules. The third category of policy enforcement a PCS must be able to perform is technical policy enforcement, for example encrypting outgoing data (Mueller, 2007, 78).
Encryption is an important aspect of PCS monitoring and enforcement. Both HPCS and NHPCS should be able to enforce encryption policies, either by disallowing the transaction in the case of unencrypted data or by forcibly encrypting data before allowing the transaction to continue. While many email applications provide this automatic encryption service, a PCS can enforce encryption policies across all network communications protocols, including HTTP, FTP and other transfer protocols (Mueller, 2007, 80).
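As an added illustration of the detection and prevention modes described earlier and of the data analysis a PCS must perform (spotting Social Security numbers and, for PCI DSS, payment card numbers), the following Python sketch was written for this page and is not Mueller’s or any vendor’s code. It scans constructed outbound messages, uses a Luhn check to discard digit runs that are not card numbers, skips traffic that is already encrypted, and returns allow, alert or block depending on the configured mode; the message record layout and the sample traffic are assumptions made here.

```python
import re

# SSN: three groups; the lookaheads exclude area 000/666/9xx, group 00 and serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or hyphens.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(digits: str) -> bool:
    # Luhn check digit, used to drop digit runs (ticket numbers etc.) that are not PANs.
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_pii(text: str):
    # Returns [(kind, matched_text), ...] for every SSN and Luhn-valid card number.
    findings = [("SSN", m.group()) for m in SSN_RE.finditer(text)]
    for m in PAN_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            findings.append(("PAN", m.group()))
    return findings

def enforce(message: dict, mode: str):
    """Apply the policy to one outbound message.
    mode="detect": report leaks but let traffic pass; mode="prevent": block them.
    Returns (verdict, findings) with verdict in {"allow", "alert", "block"}."""
    if message["encrypted"]:            # already protected; nothing to inspect
        return "allow", []
    findings = find_pii(message["body"])
    if not findings:
        return "allow", []
    if mode == "detect":
        return "alert", findings
    if mode == "prevent":
        return "block", findings
    raise ValueError(f"unknown mode {mode!r}")

# Constructed sample of outbound traffic, one record per transfer (hostnames are invented).
SAMPLE_TRAFFIC = [
    {"proto": "SMTP", "dst": "partner.example", "encrypted": False,
     "body": "Quarterly numbers attached, see you Monday."},
    {"proto": "HTTP", "dst": "pastebin.example", "encrypted": False,
     "body": "Ann Example SSN 078-05-1120, card 4111 1111 1111 1111"},
    {"proto": "FTP", "dst": "backup.example", "encrypted": False,
     "body": "ticket 1234567890123 phone 303-555-0100"},   # digits, but no PII
    {"proto": "SFTP", "dst": "backup.example", "encrypted": True,
     "body": "<ciphertext>"},
]

def run_policy(traffic, mode):
    # One (proto, dst, verdict, kinds_found) tuple per message, in input order.
    out = []
    for m in traffic:
        verdict, findings = enforce(m, mode)
        out.append((m["proto"], m["dst"], verdict, [kind for kind, _ in findings]))
    return out

if __name__ == "__main__":
    for row in run_policy(SAMPLE_TRAFFIC, "prevent"):
        print(row)
```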
According to Wiens, 66% of information technology specialists surveyed understand the importance of encryption key management, but only 16% have driven an enterprise-wide management strategy (2007, 40). Reasons cited for not following an enterprise-wide strategy include the complexity and cost of regulatory and internal policies regarding encryption key management. However, as Wiens noted, the cost of not having an enterprise-wide encryption key management system is even greater; data that is lost or damaged due to a lost encryption key often cannot be recovered, and use of an outdated encryption key can compromise data security.
The current model for key management is that each application manages its own keys. There are currently no cross-application key managers that provide all applications with a common key repository or a common key strength policy, although Windows Rights Management Services provides this facility for Windows Server 2003 and applications (Wiens, 2007, 44). Wiens noted that consistent policy application and combined overhead for encryption key management are the two biggest advantages to a key management system.
Wiens laid out requirements for an effective key management system, stating that at a minimum the system must address secure key creation; key revocation, key aging and re-encryption of data previously encrypted with an expired key; automatic integration with identity management systems to provide keys to new accounts and revoke keys automatically on account suspension; key escrow (where a third party holds keys securely to avoid data loss in the event of employee termination or other key loss); and split keys, which divide master keys between several members of an organization in order to force a given number of members to be present for master key recovery (Wiens, 2007, 46). Wiens noted that while there are a number of key management systems on the market, none of them currently addressed all the above requirements, and that lack of encryption standards impeded the development of these tools.
References
Mueller, P. (January 22, 2007). Umbrella Coverage. Network Computing, pp. 72-80.
MacVittie, D. (December 7, 2006). Security Computing: It’s All About the Data. Network Computing, pp. 57-64.
Manor, R. (June 7, 2005). “UPS loses tapes holding financial data for millions of Citi Group customers”. Chicago Tribune.
Wabiszczewicz, T. (November 3, 2006). Full Disk Encryption Suites. Network Computing, pp. 1-8.
Wiens, J. & Hill, S. (April 30, 2007). Encryption Key Overload. Network Computing, pp.
neohapsis.com (March 2006). “[Data Loss] Colorado College Warns 93,000 after Laptop Theft.” Retrieved June 15, 2007 from http://archives.neohapsis.com/archives/dataloss/2006-03/0011.html