Encryption must be strong, used properly to reliably protect data


(Editor’s note: It is axiomatic that wider use of data encryption would help stem data breaches. In this guest essay, John Grimm, senior director of product marketing at Thales e-Security, examines the nuances.)

By John Grimm, Special to ThirdCertainty

The Anthem breach resulted in the exposure of up to 80 million records, including birthdays, addresses and Social Security numbers—everything an identity thief could hope for. Many of the headlines that covered the news included the fact that Anthem did not encrypt its internal data. According to one report, Anthem was actively “considering encrypting its internal database as well as taking other steps to improve its security” at the time of the attack.

John Grimm, Thales e-Security senior director of product marketing

To suggest that Anthem simply needed to encrypt the personal health information it was storing in the cloud is an oversimplification. Most practitioners today will agree that encryption is one of the best ways to protect data. However, although many regard encryption itself as being black and white—data is either encrypted or not—the reality is that there are several degrees of separation between properly implemented encryption and poorly implemented (and easily exploitable) encryption.

Much of the variance comes down to the quality of the crypto code itself, and the key management practices used. The end result may look the same, but the net level of security varies enormously. Encryption must be implemented properly using best practices and well-understood techniques like buffer overflow protection, principles of least privilege, etc.—or in today’s world, you’re taking your chances.


Systems that process payments, personally identifiable information (PII), and other sensitive customer and corporate data must be trusted to do so securely. They must be in compliance with government, industry and corporate regulations and must minimize the impact on operational performance. There are numerous solutions on the market that employ cryptography to protect data end-to-end while in use, in transit and in storage. But what about the security of the cryptographic keys used within these crypto systems? Their foundation of trust relies on proper safekeeping and management of the keys—and that can prove to be the ultimate Achilles heel.

Once attackers have access to private encryption keys, they can decrypt past, present and future encrypted data—meaning key protection from the moment of generation, and then ongoing management throughout the lifetime of the key, is essential. However, not all business applications and data sets require the same level of protection. Organizations should conduct a proper risk assessment of critical systems to help determine which applications (and associated data) need the highest levels of protection. Certified protection of cryptographic keys may be necessary using specialized hardware security modules (HSMs) that remove keys from the host server environment and provide a safe place to generate, store and manage the most sensitive keys.

It’s a safe bet that Anthem soon will have a strong internal encryption strategy and an opportunity to safeguard PII data and win back the trust of its customers. Companies seeking to avoid breaches like this one would do well to locate and encrypt the most sensitive data within their network environments and protect and manage encryption keys like their data depends on it—because it does.
