5 myths about data encryption

Encryption has a bad rap and far too often protection schemes are deployed foolishly without encryption in hopes of protecting data.

 

t’s a heartache, nothing but a heartache. Hits you when it’s too late, hits you when you’re down. It’s a fools’ game, nothing but a fool’s game. Standing in the cold rain, feeling like a clown.

When singer Bonnie Tyler recorded in her distinctive raspy voice “It’s A Heartache” in 1978, you’d think she was an oracle of sorts, predicting the rocky road that encryption would have to travel.

Just a year earlier in 1977 the Encryption Standard (DES) became the federal standard for block symmetric encryption (FIPS 46). But, oh, what a disappointment encryption DES would become. In less than 20 years since its inception, DES would be declared DOA (dead on arrival), impenetrable NOT.

How could that possibly be?

 

A brief history of encryption

Based on an algorithm developed by IBM and modified by the National Security Agency (NSA), DES was at first considered unbreakable in the 1970s except by brute-force attack — that is, trying every possible key (DES uses a 56-bit key, so there are 2^56, or 72,057,594,037,927,936 of them).

By the late 1990s it was possible to break DES in a matter of several days. This was because of the relatively small block size (64 bits) and key size and advances in computing power according to Moore’s Law. Eventually, unbreakable encryption would achieve a resurrection of sorts.

Although originally approved for encryption of only non-classified governmental data, encryption AES was approved for use with Secret and Top Secret classified information of the U.S. government in 2003.

Encryption AES is a symmetric block cipher, operating on fixed-size blocks of data. The goal of AES was not only to select a new cipher algorithm but also to dramatically increase both the block and key size compared with DES. Where DES used 64-bit blocks, AES uses 128-bit blocks. Doubling the block size increases the number of possible blocks by a factor of 2^64, a dramatic advantage over DES. More importantly, in contrast to relatively short 56-bit DES key, AES supports 128-, 192-, and 256-bit keys.

The length of these keys means that brute-force attacks on AES are infeasible, at least for the foreseeable future. A further advantage of AES is that there are no “weak” or “semi-weak” keys to be avoided (as in DES, which has 16 of them).

Few today dispute the virtual impenetrability of AES encryption. Via AES, only those in possession of management keys and/or who are granted permission to access the encrypted data can read/use the encrypted data.

Despite all that, data encryption has developed a bad rap of sorts and far too often data protection schemes without encryption are employed to guard against the theft of sensitive data.

Here are five myths about data encryption in today’s marketplace: 

1. Encryption is too complicated and requires too many resources

In fact, data encryption can be very simple to implement and manage. The key is to understand the types of data you need to encrypt, where it resides, and who should have access to it.

2. Only businesses that have compliance requirements whereby encryption is mandated by law need to use encryption.

Sensitive data should always be encrypted – whether it is mandated or not.

3. Encryption will kill database and application performance

Performance of applications, databases, servers, and networks is a top priority of IT and end users. When designed and implemented properly, encryption can not only protect the critical data running through those systems, but its presence can have minimal impact on performance that is not perceivable to users.

4. Encryption doesn’t make data stored in the cloud more secure

Storing encrypted data in the cloud is more secure than storing non-encrypted data in the cloud. Too often, those who store data in the cloud do not know where their data is stored, nor do they know who has access to the data; all the more reason that all the data sent to the cloud should be encrypted, with the encryption keys in your control.

5. Encrypting data is more important than key management

Too many organizations fail to manage their encryption keys, either storing them on the same server as the encrypted data or allowing a cloud provider to manage them; such pointless behavior is similar to locking the door to your automobile and leaving the key in the door.

 

This article was recently published in Network World.

Image courtesy of iStockphoto.

‘Get Smart’ when it comes to using cloud-based services for file sharing

Encrypting data on your own might be the smartest move.

 

For those of you old enough to remember the TV comedy series “Get Smart” featuring a spy that used his shoe for a phone, the good guys belonged to an agency called “Control,” and the bad guys were affiliated with “Chaos.” This month “Get Smart” celebrates its 50th anniversary, yet CIOs continue to struggle in a seemingly never-ending battle to restore control in a chaotic, cloudy world in which data security is less than transparent.

Much like the BYOD trend, the use of cloud-based services for sharing files is widespread and it’s likely that if you’re a CIO, your employees are already using them, whether they are officially sanctioned or not. Dropbox has led the charge to offer cross-platform file syncing for your personal files, and all the major players have followed suit, from Google (Google Drive), to Microsoft (SkyDrive), to Apple (iCloud). There’s also Box, Sugarsync, and many others. For consumers, they are perfect, providing easy instant access to photos and documents from any device. That familiarity and accessibility is why they’ve crept into the enterprise.

If you don’t take immediate action to regain control over your assets, then there’s a real risk you’re going to lose data. According to an article from Business Cloud News, a recent survey conducted by Fruition Partners of 100 CIOs found that 90% believe unsanctioned use of cloud services has created long-term security risks.

The solution to regaining control over IT is relatively simple, enterprises just need to adopt newer technologies and services so their employees don’t feel the need to use outside sources. If employees had a company-wide, cloud-based file-sharing service they could use just as easily as Dropbox then they would use it, and IT would have no worries that the information wasn’t secure and in their control.

Many CIOs see the need to bridge their internal communications people with their managed services provider (or MSSPs) on how best to educate employees about cloud services limitations, so that upper management feels confident about using cloud services in the first place. Before contracting with an MSP, make sure you ‘get smart’ and ask these questions:

  • What kind of authentication do they use? Your files may be encrypted in transit, but all too often they are decrypted when they arrive and stored on the cloud server.
  • Have they ever had a security breach?
  • Is there any provision for client-side encryption?
  • What about compliance? Is the MSP living up to the standards that your industry or your clients demand?
  • What kind of disaster recovery policy does the MSP have? What is their level of commitment to keeping your files safe? How soon could you access a backup if there was a problem? Would there be any data loss? Where are your files physically stored?

When an enterprise selects a cloud solution it’s paramount to ensure that the enterprise has in-house controls, so you know exactly where your data is and who has access to it at all times. Make sure that you know what your cloud service partners can commit to. Don’t assume that your data is safe when you can’t even say exactly where it is.

  • How do you manage user access and set the right permissions for staff?
  • Is there any consideration of version control to prevent documents being overwritten, or to deal with simultaneous updates?
  • Can you prevent employees from leaking data, or taking it with them when they leave?

And, speaking of ensuring that you do all within your own control to keep your data safe, protect your sensitive data with strong encryption before transferring it into the cloud. Some storage providers may offer server-side encryption, but encrypting your data on your own might be wiser. Control today, avoids chaos tomorrow.

 

This article was recently published in Network World.