The eight myths of data encryption

The emerging model of the open enterprise has raised the stakes on ensuring data protection throughout an organisation. Companies collaborate more freely and more often with partners and suppliers, responding to supply chains that stretch across the world.

Web-based business processes and e-commerce have combined to create a much more open IT infrastructure, and corresponding protection must be put in place to counteract possible network vulnerabilities.

This applies whether data is at rest (stored on a laptop, smartphone or PDA), in motion (across a network, or on some form of removable media being transported from one place to another) or in use by an application.

Encryption can be applied to data in any one of these conditions. It has been embraced in a variety of areas where the sensitivity of data being transferred is extremely important. This includes the banking industry, business transactions conducted over the Internet, email communications where privacy is essential, and mobile phone technology.

Despite advances in encryption techniques, outdated ideas about encryption persist. In fact there are eight common myths that need to be debunked.

Misconception 1: Encryption is too complex and difficult to plan, deploy and use. The idea that data encryption creates insurmountable IT challenges is one of the most prevalent misconceptions. In truth, well-designed encryption solutions emphasise simplicity in planning, deployment and use. The key to achieving simplicity is fully understanding data movements – and corresponding risks – within the organisation.

The appropriate solution depends very specifically on the situation involved. A one-size-fits-all approach will not give the right balance between security and ease of use. Some solutions may involve encrypting data as it is being sent to a network backup device, or encrypting mobile computers, email communications throughout an organisation, or the data on the flash memory devices used by field personnel.

Management of encryption processes is also an important consideration. Look for solutions that centralise and simplify oversight and administration of encryption operations with a sound management strategy. Centrally managed data security products add consistency to system activities, preventing users from tinkering with system configurations, for example.

Misconception 2: Encryption is a great way to protect data on a notebook computer or corporate server, but it can’t help protect data on a PDA or smartphone.

Companies sometimes underestimate the scale of the problem of lost handhelds. In a recent survey of taxi drivers in a major U.S. city, 21,460 PDAs and pocket PCs were discovered in taxis within a six-month period – each lost PDA representing a potentially serious security breach. While an Australian city may not turn in such an impressive volume of losses, it is still a major issue here – just one PDA can contain sensitive personnel files, commercially critical business plans or your complete customer list.

Fortunately, a number of application solutions now specifically support encryption of data stored on mobile computing devices. Further security is provided by a variety of authentication modes – including biometric input devices, passwords or symbol PINs – which give companies a mechanism for meeting data confidentiality regulations at the state and federal level.

Misconception 3: The state and federal regulations with which my organisation must comply don’t say anything specifically about data encryption.

Most regulatory mandates do not specify particular technologies that must be deployed to ensure secure communications, data privacy, accountability or transaction tracking – however, data encryption is often the easiest and most fail-safe method of meeting these requirements.

Full compliance typically requires a combination of actions, including:

• Initiating policies that govern the communication and storage of data
• Implementing accountability practices in the organisation to ensure that personnel practices are followed and technologies are appropriately deployed
• Performing monitoring and oversight of transactions and activities involving sensitive data
• Employing methods that prevent private data from being stolen, accessed, or viewed on computing equipment inside or outside of the organisation
• Establishing techniques to positively verify the identities of anyone accessing or using sensitive information generated by the organisation

Other complementary data security products that handle digital signature use and encryption keys, and perform other security functions, can also contribute to regulatory compliance.

Misconception 4: Encryption will significantly slow down my system or impact network performance. Major performance issues are a thing of the past thanks to advances in computer platforms, improvements in encryption algorithms and enhanced application designs. The new application designs use available computing cycles efficiently and take advantage of background processing to perform tasks. As a rough guideline, a well-designed encryption product should typically have a performance impact in the range of two to five percent for standard uses.

Simon Coffey, Technical Services Manager, Computerlinks Network Security Systems.

Misconception 5: It will take a tremendous amount of training for company employees to begin using data encryption. In many cases, staff members using data encryption on personal computers will require no training at all. Software installation is accomplished from a central location and staff members simply see a new sign-on screen next time they boot up their computer. Encryption and decryption all take place behind the scenes and do not affect user productivity.

Misconception 6: My organisation already uses an operating system with encryption built in; we don’t need any additional encryption tools. Many organisations need greater flexibility, features and capabilities than are offered by a single encryption implementation – for example, one included in an operating system or public domain application. Operating system encryption generally lacks central management capabilities, as there are no provisions for managing or backing up the encryption itself, and it also lacks the reporting and logging features necessary for regulatory compliance.

Misconception 7: Encryption can’t be that secure if someone can just steal the keys from a server and break into any affected system. The theft of cryptographic keys is certainly a risk; however, isolating the functionality of key protection in a dedicated hardware security module can offer stronger protection than a software-only solution.

A hardware security module is a good solution for focused data security in e-business transactions and e-commerce operations. Following industry practice for passwords – using mixed combinations of letters and numbers, creating difficult-to-guess passwords and taking measures to avoid disclosing passwords to any unauthorised individuals – is also paramount.

Misconception 8: Our organisation uses encryption to protect data in transit, such as Internet transactions. We’re not concerned about stored data. Stored data presents a greater risk of loss or threat than network data transactions. Despite clear evidence of this fact, only 30 percent of IT executives say that encryption is used by their organisation to protect stored data.

Companies that already recognise the value of encryption for data exchanged online or in a network situation need to identify other areas of stored data that need to be guarded against loss or theft. This stored data encompasses network storage devices, computer hard disk drives, system and network back-up devices and small and easily pocketable devices such as removable media, flash cards, memory sticks and optical disks.

Encryption can be applied at various points in the data path, depending on the network architecture in use and the policies in force within the organisation. For example, as data moves from a primary storage device to a storage destination, encryption might be performed prior to the data being sent across the network for storage, at the point where a backup application is physically accessing the data, or where the backup software has formatted the data and is about to send it to the backup library or a long-term storage device.

Clearly the eight misconceptions do not apply. Strong encryption is a powerful mechanism that can offer effective, continuous protection of data – at rest, in motion and in use. Encryption can help meet legal and regulatory compliance requirements, and it is not difficult to plan and deploy throughout a company. In fact, a well-designed encryption solution will emphasise simplicity in planning, deployment and use.
