Recipe for Foolproof Encryption
By Jeffrey Rothfeder
To create a virtually foolproof encryption program, begin with desktop computers and the network to which they are connected. First, sensitive and confidential information on corporate servers and databases must be identified and marked for encoding; then, encryption software automatically encodes and decodes this information as it moves among different PCs on the network, thus rendering the files unreadable to hackers.
But that's the easy part. Data in transit is far more vulnerable to information thieves than data that resides within the corporate network. Unless it is encrypted, information downloaded onto laptops or PDAs, sent via e-mail, virtual private networks or wireless devices, or backed up on tape and trucked to secure sites is as unprotected as if it had been broadcast from the rooftop by megaphone.
Typically, desktop network encryption programs can also encode e-mail, backup tapes and data transmitted from one company to another, or within a company via the Web and other communications outlets. But encrypting data that is accessed by mobile devices requires much more stringent policies about data security than most companies are willing to put into practice. Usually, it involves installing a program that scours equipment such as laptops and PDAs, each time they are attached to the corporate network, for data that should be encrypted.
But even with a full-blown encryption system, many companies are at risk because partners they share data with may be less careful about protecting confidential information. That was the case in June when hackers stole 40 million MasterCard and Visa accounts from CardSystems Solutions Inc., a company that processes credit transactions between merchants and banks. Although both MasterCard and Visa require companies in their networks to encrypt data transmitted electronically, CardSystems ignored the rule, a violation that is not uncommon.
"Unfortunately, even when the original trustees of the data incorporate proper security precautions, the data is often sent out to third-party vendors with archaic data privacy practices that haven't kept pace with the evolving threats," says Jim Stickley, chief technology officer at Baton Rouge, La.-based TraceSecurity Inc. As part of his job, Stickley and a team of hackers attempt to breach the networks of TraceSecurity clients, primarily banks and credit unions, in order to identify security vulnerabilities.
To be certain that sensitive data is protected after it is sent to a partner, security experts say that companies must do more than just request that the information remains encrypted. They also must test these third-party systems to be sure that they live up to their promise.
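As an added example (not part of the article), here is a small Python audit of the kind the last two paragraphs call for: run over files copied from a laptop or received from a partner, it flags files that still hold plaintext, Luhn-valid card numbers and treats high-entropy files as already encrypted. The sample files and the 7.5 bits-per-byte threshold are constructed assumptions; compressed data also scores high, so the entropy test is a screen, not proof of encryption.

```python
import math
import re

# Constructed sample data standing in for files pulled from a laptop or a
# partner's export. The 16-digit values are well-known test numbers, not real cards.
SAMPLE_FILES = {
    "orders_2005.csv": b"id,card,amount\n1,4539578763621486,19.99\n2,4111111111111111,5.00\n",
    "notes.txt": b"Call the acquirer about settlement batch 17. Ref 1234567812345678\n",
    "orders_2005.csv.enc": bytes(range(256)) * 4,  # stands in for ciphertext
}

# 13 to 19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(rb"\b(?:\d[ -]?){13,19}\b")
ENTROPY_THRESHOLD = 7.5  # bits per byte; assumed cut-off, random-looking data is near 8.0


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test, which weeds out most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; plaintext text sits around 4-5, ciphertext near 8."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def find_pans(data: bytes) -> list:
    """Return Luhn-valid card-number candidates found in plaintext."""
    hits = []
    for m in PAN_RE.finditer(data):
        digits = re.sub(rb"[ -]", b"", m.group()).decode()
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def classify(data: bytes) -> str:
    """'encrypted' (high entropy), 'plaintext-pan' (card data exposed) or 'clean'."""
    if shannon_entropy(data) > ENTROPY_THRESHOLD:
        return "encrypted"
    return "plaintext-pan" if find_pans(data) else "clean"


def audit(files: dict) -> dict:
    """Map each file name to its classification so exposed files can be reported."""
    return {name: classify(data) for name, data in files.items()}
```

Any file reported as "plaintext-pan" is evidence that the encryption policy the partner agreed to is not actually being applied to that data.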