Technology: Encryption 101
By Larry Stevens | Posted 09-25-2006
A slew of well-publicized security breaches has executives wondering: Could I be next?
For many Americans, the first shoe dropped on Feb. 15, 2005, when ChoicePoint Inc. announced that identity thieves had created 145,000 bogus accounts. Ten days later, the second shoe landed: Bank of America Corp. lost a backup tape containing 1.2 million customer records.
Suddenly it seemed as if security breaches were raining down like bombs, and corporations seemed powerless to stop them. From the ChoicePoint breach until now, the Privacy Rights Clearinghouse has documented dozens of serious breaches and hundreds of smaller ones, from the theft of a computer containing the personal records of 28.6 million U.S. veterans to the hacking of credit-card processing company CardSystems Solutions Inc., which potentially compromised data on 40 million consumers.
Consumers, business partners and legislators are outraged. And corporations are worried. Executives have little interest in finding themselves in the hot seat at a Congressional hearing, or worse, at the defense table at a civil or criminal trial. Meanwhile, legislators have proposed a variety of bills aimed at protecting citizens' privacy, though nothing has yet passed Congress. Among the bills still in committee is the Financial Data Protection Act (H.R. 3997), which would allow companies that encrypt their data to take that into consideration when determining if a breach should be publicized.
Despite the consumer uproar and congressional fulminations, corporations aren't rushing to encrypt their sensitive customer data. According to a survey of 227 North American-based security professionals from organizations with at least 1,000 employees, conducted in March 2005 by Jon Oltsik, an analyst at the Enterprise Strategy Group, only 36 percent use encryption. "By far, the two most important reasons companies have not yet implemented encryption are cost and worries about decreased performance," says Oltsik. Cost was cited by 64 percent of all respondents, and overall system performance by 60 percent.
Experts agree that encryption technology itself is pretty much foolproof. If the consumer data lost or stolen in the recent high-profile incidents had been encrypted, thieves would have ended up with nothing. The National Institute of Standards and Technology says a code-breaking super-computer would require 149 trillion years to decrypt a 128-bit encryption key. Who wouldn't want that kind of protection?
What privacy regulations govern our industry and those of our business partners?
How do you rate the negative effect on the organization of various types of data losses?
Encryption technology is a highly reliable tool. How best to fit it into your strategy?
Encryption is a very old process in which information is scrambled according to a mathematical formula or algorithm. In order to encrypt and decrypt data you need a key, which is a sequence of symbols, or, at the binary level, a string of bits. The key controls the algorithm. Says Paul Stamp, senior security analyst at Forrester Inc.: "Under the hood, encryption is pure math. But a more meaningful analogy for business is the lock and key." Encryption locks up files so that only the people you authorize can access them; you control that by selecting who gets the key.
The problems CIOs must contend with have much less to do with encryption technology itself than with its implementation. The challenge? First you must decide what to encrypt, and then how to manage the process.
Benjamin Jun, vice president of technology at San Francisco-based Cryptography Research Inc., says that when applied to systems, encryption enables three broad functions:
What's the best way to fit those capabilities into your data processes and overall business strategy?
Joel Schwalbe is CIO and senior vice president at Orlando, Fla.-based CNL Financial Group Inc., which acquires and develops businesses in the financial and real estate industries. Schwalbe says his firm's emphasis on encryption comes directly from the executive suite. "The primary way we distinguish ourselves from our competitors," he says, "is through our reputation for integrity and protecting the interests and confidentiality of partners. Executives here are well aware that we'd have a much harder time raising capital if we had a serious data breach." CNL met that need by using a hardware encryption product from Decru, a Network Appliance Inc. company, to encrypt its backup tapes.
Yet even organizations that do not need high-powered security are considering encryption in order to appease business partners. Loyalty Lab Inc., which helps organizations such as credit-card companies create and manage loyalty programs, doesn't normally deal with sensitive data. But, says Barak Engel, the San Francisco-based company's CSO, "It makes it a lot easier for us in our sales cycle if we can tell partners we are compliant with good security standards."
So while his company almost never has to access consumers' credit card account numbers, some clients find it easier to send the entire database, without deleting the private fields. They expect Loyalty Lab to protect any secure data fields, and they're increasingly demanding assurances to that effect. Loyalty Lab purchased SecureDB, encryption software from UK-based nCipher Corp. Ltd., which allows Engel to encrypt just one critical column in the database: the credit-card number.
What are our current data access policies and how are they enforced?
We need to look carefully at how our security policies align with overall corporate strategy.
In planning your implementation, consider end-user acceptance, key management, and which data or media to encrypt.
No implementation project goes perfectly smoothly. And security projects can be difficult, not least because of the potential disruption to business processes. Experts agree that thinking about encryption implementation in three parts can help the effort along.
First of all, organizations have to determine what they need to encrypt. In April 2005, online brokerage firm Ameritrade suffered a painful black eye: The company that handled its backup tapes had lost two of them. Ameritrade was obliged to inform 200,000 current and former customers about the loss. Not wanting a second shiner, the company embarked on what CIO Jerry Bartlett calls "a very aggressive four-month schedule" to encrypt backup tapes from both Ameritrade and the newly acquired TD Waterhouse Group Inc.
Bartlett says the $1 billion, Omaha-based company (now TD Ameritrade Holding Corp.) opted to encrypt only backup tapes because, while the brokerage has "a robust risk-management strategy," the tapes were the weakest link.
While Bartlett won't specify all the details of the firm's risk-management policy, he says that when deciding on new encryption projects, his team considers the nature of the data, the risk that other precautions (such as firewalls) could fail, and the maturity of the technology. For example, the company opted to delay database encryption implementation for a year or two because Bartlett is waiting for the technology to become more robust and standardized.
Then there's the issue of key management: the need to make sure the right people have access to the right keys, and that the keys don't get into the wrong hands. Paul Kocher, president and chief scientist at Cryptography Research, points out that policies and technologies regarding keys represent the primary planning requirements in many encryption projects. "Encryption doesn't really completely solve any problem," he says. "It just turns a big problem, hiding data from prying eyes, into a smaller problem, keeping the key from prying hands."
Lost keys can render restoration of data impossible, and can be as big a catastrophe for an organization as a major security breach. Indeed, weak key management can render an entire encryption scheme useless. Organizations must determine how many and which corporate employees need to enter keys before data can be unencrypted. The decision requires a consideration of each user's need to know, how critical the data is, and other policy or technology protections already in place.
And finally, how easily will end users accept data encryption? While CIOs must take end users into account, few see it as a major challenge to encryption. In fact, not one manager in the Enterprise Strategy Group's security survey mentioned end-user resistance as an impediment.
Some encryption projects, such as backup tape, are completely transparent to end-users. And while encrypting a database, application, server-file system or hard drive is a lot less transparent, most systems only require users to enter their username and password in order to receive a key, not an overly intrusive process. In this age of security concerns, end-user complaints are generally muted, not only by privacy laws and specific industry regulations, but also by a company's customer strategy, especially when mandated from the executive suite.
When Memphis-based Baptist Memorial Health Care Corp., a 14-hospital network in the Mid-South, decided to implement a combined port-protection and encryption solution from Safend and Kingston Technology Co. Inc., respectively, users only had to be read the HIPAA riot act in order to lower the decibel level of their arguments. Still, Lenny Goodman, director of desktop management at Baptist, says he had to deal with some grumbling as well as legitimate concerns from both end users and managers.
The system prevents anyone from transferring data from any PC or laptop to any removable device except a USB flash memory product provided by Kingston. That means employees are no longer allowed to bring in "marginal" devices such as iPods, and they generally "knew intuitively not to complain," Goodman says.
What data needs to be secured?
Are proper policies in place to manage the security of our keys, and which employees get which keys?
The future of encryption lies not in improving the algorithms themselves, but in easing implementation and administration.
The future of encryption, say experts, lies in the potential for ultimately transparent, seamless, end-to-end encryption. That would allow CIOs to be as blasé about the process as they are about operating systems today. But the industry is still a number of years away from that model. Says Chris Parkerson, senior product manager at Bedford, Mass.-based RSA Security Inc.: "I think the primary focus of encryption-related products in the future will be on the management of encryption and associated keys, and security policies across the diverse IT systems of large enterprises."
Meanwhile, since encryption technology itself is already a virtual commodity, Parkerson believes that, over time, encryption capabilities will be built into every possible endpoint that touches data, including databases, storage systems, packaged applications, operating systems, laptops and PDAs.
He hopes to see more standards in encryption products so that managers will be able to administer encryption from a centralized console across all of these endpoints. "All of the value will be in simplifying the management of the security infrastructure that enforces security policies and rules across all of the endpoints," Parkerson says.
Cryptography Research's Kocher believes that the holes in encryption, primarily around identity management, access management, authentication and fraud detection, will be patched. "Strong authentication technologies like smart card readers have become very inexpensive," he says. And while he isn't a big fan of biometrics, because of false negatives as well as the fact that some people consider them intrusive, he believes they will become more accurate, less expensive, and more widely accepted by end users.
Finally, identity management for logical networks will become increasingly tied into physical security. Says Kocher: "The same smart card you use to unencrypt the database will get you into your parking space and your office."
How close are you to offering us a seamless security product?
How should we be thinking about melding together our data security and our physical security?