Is your encryption getting out of control?
2014 marks the 25th anniversary of the creation of the World Wide Web. From its earliest days, users demanded protection for their sensitive information, and web sites responded by adopting SSL, and later TLS, to encrypt data as it moved across the wire.
Since those early days, encryption has come a long way. Its use is no longer limited to the company's web site. Data privacy legislation, data breach disclosure laws, organized crime and, more recently, concerns over state-sponsored cyber-attacks and government surveillance have made encryption pervasive, the last line of defence: if the data is encrypted, who cares if it gets stolen? That reasoning holds only as long as the keys are not stolen along with it, which is why key management keeps coming up in what follows.
Respected media outlets have referred to 2014 as the “year of encryption”. That sort of prediction raises concerns even for people who have been working with encryption technologies for years; those in banking and government know what the implications are, but for the rest of us this is a step into the unknown.
Encryption is now proliferating within many organizations at a prodigious rate. It is deployed in the cloud and on premises; for protecting data at rest, data in motion and data in use; in databases, on memory sticks, in email, in storage networks; the list goes on.
The trouble is that in almost all cases these deployments rely on point solutions which, although they use familiar-sounding algorithms (AES, RSA and so on), are rarely interoperable, each creating an isolated pocket of protection tied to a single application or element of IT infrastructure. Inevitably, at an enterprise-wide level, organizations suffer fragmentation and inconsistency: encryption sprawl.
Encryption sprawl can be a major headache for any organization. It drives up the cost of managing myriad encryption devices, increases the risk of error, makes compliance and forensics more painful and limits flexibility, all at a time when resources are under pressure to do more with less.
So just how can an organization prevent encryption sprawl? Here are three top tips:
Understand your environment – discovery, consistency, certification
Even if encryption sprawl in your organization is unavoidable, at least focus on consistency and quality. Keep a record of where encryption is being used, define an internal set of approved algorithms and minimum key lengths (NIST SP 800-131A, which sets out the transition away from weak algorithms and short keys, is a good start) and avoid proprietary algorithms completely. Where possible, select products with a formal security certification in which the implementation has been independently validated; the FIPS 140 validation program is the most widely recognized. Bear in mind that a FIPS 140 validation covers the cryptographic module, not the whole product or the way you configure it.
And finally, make sure these disparate encryption systems are kept up to date and patched correctly. The recent Heartbleed vulnerability (CVE-2014-0160, affecting OpenSSL 1.0.1 through 1.0.1f) illustrates the need very well, and also shows that patching is not the whole story: because the bug could leak private keys from server memory, affected systems had to have their keys and certificates replaced as well. Taking these measures won't do much to address the inefficiency of sprawl, but they will at least help you know where you stand, avoid basic vulnerabilities and prepare you for the next step.
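The two checks above, an approved-algorithm list and a patch-level check, are simple to automate once the inventory exists. The following Go program is an added example written for this article, not code from the original page or any vendor: it audits a constructed inventory against a hypothetical allowlist that follows the direction of NIST SP 800-131A, and flags OpenSSL builds in the Heartbleed-affected range (1.0.1 through 1.0.1f). The system names, the inventory records, the exact thresholds in `approved` and all function names are assumptions for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Deployment is one record in a constructed encryption inventory: what is
// encrypting, with which algorithm and key size, on which library build.
type Deployment struct {
	System    string
	Algorithm string // algorithm name as recorded by the system owner
	KeyBits   int    // key length; 0 where the algorithm has none (hashes)
	Library   string // crypto library and version, e.g. "OpenSSL 1.0.1f"
}

// Finding is one policy violation against one system.
type Finding struct {
	System string
	Issue  string
}

// approved is the hypothetical internal allowlist: algorithm -> minimum key
// bits. The thresholds follow the direction of NIST SP 800-131A (RSA/DSA/DH
// of at least 2048 bits, SHA-1 retired, no single DES); an organisation
// would tune them to its own risk appetite. Anything absent is disallowed,
// which catches both legacy and proprietary algorithms.
var approved = map[string]int{
	"AES": 128, "RSA": 2048, "DSA": 2048, "DH": 2048, "ECDSA": 224, "ECDH": 224,
	"SHA-256": 0, "SHA-384": 0, "SHA-512": 0,
}

// heartbleedVulnerable reports whether an OpenSSL version string is in the
// range affected by CVE-2014-0160: 1.0.1 up to and including 1.0.1f. 1.0.1g
// fixed it, and the 1.0.0 and 0.9.8 branches were never affected.
func heartbleedVulnerable(version string) bool {
	v := strings.ToLower(strings.TrimSpace(version))
	v = strings.TrimLeft(strings.TrimPrefix(v, "openssl"), " -")
	if !strings.HasPrefix(v, "1.0.1") {
		return false
	}
	rest := v[len("1.0.1"):]
	if rest == "" {
		return true // the unlettered 1.0.1 release was affected too
	}
	return rest[0] >= 'a' && rest[0] <= 'f'
}

// Audit applies the allowlist and the patch-level check to every record.
func Audit(inv []Deployment) []Finding {
	var out []Finding
	for _, d := range inv {
		minBits, ok := approved[strings.ToUpper(d.Algorithm)]
		switch {
		case !ok:
			out = append(out, Finding{d.System, d.Algorithm + " is not on the approved algorithm list (legacy or proprietary)"})
		case d.KeyBits < minBits:
			out = append(out, Finding{d.System, fmt.Sprintf("%s key of %d bits is below the %d-bit minimum", d.Algorithm, d.KeyBits, minBits)})
		}
		if heartbleedVulnerable(d.Library) {
			out = append(out, Finding{d.System, d.Library + " is affected by Heartbleed (CVE-2014-0160): patch, then replace keys and certificates"})
		}
	}
	return out
}

// sampleInventory is constructed for this example; the systems do not exist.
var sampleInventory = []Deployment{
	{"customer-web", "RSA", 2048, "OpenSSL 1.0.1f"},    // approved algorithm, unpatched library
	{"backup-tapes", "AES", 256, "vendor firmware 4.2"}, // compliant
	{"legacy-vpn", "3DES", 168, "OpenSSL 0.9.8y"},       // algorithm not approved
	{"hr-database", "RSA", 1024, "OpenSSL 1.0.1g"},      // key too short
	{"file-share", "VendorCipher", 128, "n/a"},          // proprietary algorithm
}

func main() {
	for _, f := range Audit(sampleInventory) {
		fmt.Printf("%-13s %s\n", f.System, f.Issue)
	}
}
```

Running it lists four findings out of five systems; the one compliant record produces nothing. The allowlist is deliberately closed: an algorithm the policy does not name is a finding, which is how proprietary ciphers surface without anyone having to enumerate them.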
Take control of your keys
At some point you'll need to take a more active approach to sprawl and take control. As this year's Global Encryption Trends Study highlighted, key management is the number one pain point when it comes to encryption. Keys are secrets and managing secrets is hard, but key management goes well beyond that. From an operational perspective, not having the right key in the right place at the right time can bring systems to a standstill and lock out users; worse still, losing a key may well mean that the data it encrypted is gone forever, because a good cipher offers no way back without it.
A proliferation of encryption devices only increases the complexity of key management and at some point it will be necessary to centrally manage keys on behalf of multiple encryption devices.
One important development in centralised key management is the relatively recent arrival of the Key Management Interoperability Protocol (KMIP), an OASIS standard. KMIP provides a standard method for applications or devices to request keys from a shared repository on demand, and it defines the lifecycle states a managed key passes through (pre-active, active, deactivated, destroyed) and the operations on it (create, register, get, destroy and so on). Needless to say, any key management capability needs to be secure itself, and KMIP key managers are usually hardened appliances, often backed by a hardware security module (HSM) so that key material never leaves tamper-resistant hardware.
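To make the key management points above concrete, here is an added example in Go, written for this article; it is not code from the original page and not a KMIP implementation. It is a hypothetical in-process key store that issues keys by ID, tracks a subset of the lifecycle states KMIP defines (active, deactivated, destroyed), encrypts with AES-GCM on the caller's behalf so key material never leaves the store, and stamps every ciphertext with the ID of the key that produced it. That header is what lets one central store serve many devices: the data itself says which key it needs. Rotation shows the old key continuing to decrypt, and Destroy shows the failure the text warns about, where data protected by a lost key is gone for good. All type and function names are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Key lifecycle states, a subset of those KMIP defines for managed keys.
const (
	Active      = iota // used for new encryptions
	Deactivated        // may still decrypt data it already protected
	Destroyed          // material wiped; that data is now unrecoverable
)

type managedKey struct {
	material []byte
	state    int
}

// KeyStore is a hypothetical central key manager (assumed name). Callers never
// see key material; each ciphertext carries the ID of the key that protected it.
type KeyStore struct {
	keys   map[uint32]*managedKey
	nextID uint32
	active uint32 // key used for new encryptions
}

func NewKeyStore() *KeyStore { return &KeyStore{keys: map[uint32]*managedKey{}} }

// Rotate generates a fresh 256-bit AES key, makes it active and deactivates
// the previous key, which keeps decrypting the data it already protected.
func (s *KeyStore) Rotate() (uint32, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return 0, err
	}
	if old, ok := s.keys[s.active]; ok {
		old.state = Deactivated
	}
	s.nextID++
	s.keys[s.nextID] = &managedKey{material: k, state: Active}
	s.active = s.nextID
	return s.nextID, nil
}

// Destroy wipes the key material; the record stays so the ID is never reused.
func (s *KeyStore) Destroy(id uint32) {
	if k, ok := s.keys[id]; ok {
		for i := range k.material {
			k.material[i] = 0
		}
		k.material, k.state = nil, Destroyed
	}
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt returns 4-byte key ID || 12-byte nonce || AES-GCM ciphertext and tag;
// the key ID is authenticated as associated data so it cannot be swapped.
func (s *KeyStore) Encrypt(plaintext []byte) ([]byte, error) {
	k, ok := s.keys[s.active]
	if !ok || k.state != Active {
		return nil, fmt.Errorf("no active key")
	}
	aead, err := newAEAD(k.material)
	if err != nil {
		return nil, err
	}
	hdr := make([]byte, 4+aead.NonceSize())
	binary.BigEndian.PutUint32(hdr, s.active)
	if _, err := rand.Read(hdr[4:]); err != nil {
		return nil, err
	}
	return aead.Seal(hdr, hdr[4:], plaintext, hdr[:4]), nil
}

// Decrypt finds the key by the ID in the header; a missing or destroyed key
// means the data is gone for good, the failure mode the text warns about.
func (s *KeyStore) Decrypt(blob []byte) ([]byte, error) {
	const nonceSize = 12 // standard GCM nonce length
	if len(blob) < 4+nonceSize {
		return nil, fmt.Errorf("ciphertext too short")
	}
	id := binary.BigEndian.Uint32(blob[:4])
	k, ok := s.keys[id]
	if !ok || k.state == Destroyed {
		return nil, fmt.Errorf("key %d missing or destroyed: data permanently unrecoverable", id)
	}
	aead, err := newAEAD(k.material)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, blob[4:4+nonceSize], blob[4+nonceSize:], blob[:4])
}
```

The design point is the header: a consumer in another silo can hand the blob back to the store without knowing which key version protected it, and a rotated key remains usable for decryption until someone deliberately destroys it. A real KMIP server adds the bits this toy leaves out, chiefly access control on which client may use which key, audit logging, and the option of holding the material inside an HSM.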
Of course technology is only part of the story and creating a central control point requires establishing a formal organizational role to be responsible for it. Few organizations have such a role today – many projects to centralize key management will be limited to a single department or silo (such as storage or web infrastructure) – but at least it proves the value and prepares for the next step.
Think beyond the silo towards end-to-end protection
Efficient key management within a silo still means that data is only protected there. Unfortunately data is the lifeblood of the organization and is rarely confined to a single silo. Usually, data encrypted in one silo is decrypted before it leaves, either to be accessed by a user or to be stored, analysed or shared by systems in another silo. Even if the data is transmitted over “secure” channels and re-encrypted at its destination, there are still points at which it exists in clear text, gaps in protection (sometimes loosely called “air gaps”) in which it can be stolen.
This situation is particularly clear when some of those silos are in the cloud. An obvious approach is to protect data wherever it is: persistent encryption that moves with the data and is only removed at the point where the clear text is actually needed. Documents protected by a digital or enterprise rights management (DRM/ERM) system are one example of this “end-to-end” encryption. Of course, end-to-end encryption needs end-to-end key management, or at least the ability to share keys across silos, an even bigger organizational and policy challenge.
Having said that, it has been done before. The payments industry applies this level of control to PINs as they flow across the entire payment network: an encrypted PIN block is translated from one zone key to the next inside hardware security modules and never appears in the clear outside them. The same industry uses a similar approach, point-to-point encryption of card data, to enable mobile payments and to reduce the compliance burden on merchants and their payment processors. With the rise of chief privacy officers and other central policy roles, the days of enterprise-wide key management might not be so far away.
As you plan your approach to encryption, remember that one size almost never fits all. The first step should always be to classify the sensitivity of the data and the risk to it, and then apply encryption selectively: be “data centric” in your planning. Ultimately, any organization implementing encryption on even a moderate scale will suffer some encryption sprawl. By carefully selecting certified technologies and adopting a smart, centralised approach to key management, however, organizations can ensure that the pain is minimized.