Technology: Encryption 101 - ' Strategy '
(
Page 3 of 5 )
Encryption technology is a highly reliable tool. How best to fit it into your strategy?
Encryption is a very old process in which information is scrambled according to a mathematical formula or algorithm. In order to encrypt and decrypt data you need a key, which is a sequence of symbols, or, at the binary level, a string of bits. The key controls the algorithm. Says Paul Stamp, senior security analyst at Forrester Inc.: "Under the hood, encryption is pure math. But a more meaningful analogy for business is the lock and key." Encryption locks up files so you can authorize only certain people to access it by selecting who gets the key.
The problems CIOs must contend with have much less to do with encryption technology itself than with its implementation. The challenge? First you must decide what to encrypt, and then how to manage the process.
Benjamin Jun, vice president of technology
at San Francisco-based Cryptography Research Inc., says that when applied to systems, encryption enables three broad functions:
Policy enforcement. Most organizations have policies detailing which users are authorized
to access which data. Many companies depend on voluntary compliance on the part of employees, sometimes enforced with audit trails. But encryption ensures that such policies are enforced before the fact, not after.
Pushing the trusted boundaries out beyond the corporation. No matter how secure your network, "it won't protect backup data buried in a vault, or a laptop left in a cab," Jun says. Encrypting data in backup media such as laptop hard drives and removable media such as USB flash drives keeps thieves from the data wherever they steal it.
Point-to-point protection. Encryption protects data as it travels over the Internet, enabling secure VPNs.
What's the best way to fit those capabilities into your data processes and overall business strategy?
Joel Schwalbe is CIO and senior vice president at Orlando, Fla.-based CNL Financial Group Inc., which acquires and develops businesses in the financial and real estate industries. Schwalbe says his firm's emphasis on encryption comes directly from the executive suite. "The primary way we distinguish ourselves from our competitors," he says, "is through our reputation for integrity and protecting the interests and confidentiality of partners. Executives here are well aware that we'd have a much harder time raising capital if we had a serious data breach." CNL met that need through
a hardware encryption product from Decru,
a Network Appliance Inc. company, to encrypt their backup tapes.
Yet even organizations that do not need high-powered security are considering encryption in order to appease business partners.
Loyalty Lab Inc., which helps organizations
such as credit-card companies create and
manage loyalty programs, doesn't normally
deal with sensitive data. But, says Barak Engel, the San Francisco-based company's CSO, "It makes it a lot easier for us in our sales cycle if we can tell partners we are compliant with good security standards."
So while his company almost never has to access consumers' credit card account numbers, some clients find it easier to send the entire database, without deleting the private fields. They expect Loyalty Lab to protect any secure data fields, and they're increasingly demanding assurances to that effect. Loyalty Lab purchased SecureDB, encryption software from UK-based nCipher Corp. Ltd., which allows Engel to encrypt just one critical column in the database: the credit-card number.
Ask your security manager:
What are our current data access policies and how are they enforced?
Tell your top business executives:
We need to look carefully at how our security policies align with overall corporate strategy.
Story Guide:
Part one: Problem
Part two: Strategy
Part three: Implementation
Part four: Future
Next page: Implementation
test
