www.expresscomputeronline.com WEEKLY INSIGHT FOR TECHNOLOGY PROFESSIONALS
26 April 2010  

Data Encryption

Encrypt everything

Companies stand to lose their reputation, not to mention business, in cases of severe data loss. One way to prevent the inadvertent leakage of information is to go in for encryption to secure data on hard drives, flash drives and the like. Subhankar Kundu looks at the different aspects of data encryption in the corporate world

Businesses are striving to protect vital data from internal and external threats. Those threats are tracked to three sources: malicious external attacks, malicious insiders, and accidental leakage by insiders. The sheer volume of unstructured data flowing through the average enterprise defeats most attempts at protecting it.

Preventing data loss has become a primary focus of IT security today, and a multitude of software products and appliances are being deployed to address it. Although unauthorized intrusions get the most attention, CIOs today are equally, if not more, concerned about the inadvertent leakage of information from inside.

The industry needs to consider how to deal with organizational insiders, and which applications or policies can scrutinize the information being sent out of the network. This is the core of the immensely complex problem of data loss.

The threat of industrial espionage among highly competitive businesses often requires extensive security measures, and companies are taking a hard look at data encryption in this regard.

With network traffic and content generation rising exponentially, selecting the right encryption software or hardware becomes imperative. How much content is monitored and scanned, and which data is classified as sensitive, depends on the IT policies set by the CIO. Encrypting outgoing messages and restricting employees' use of external devices is one way of mitigating the risk.

Adoption of data encryption


Encryption software applications are readily available in the market and there are some free downloadable packages available on the Internet as well.

Microsoft has put a strong security infrastructure and policy in place. On the network it runs domain-wide IPsec (Internet Protocol Security), which authenticates and encrypts IP packets end to end as they travel across the wire; this is specifically helpful against man-in-the-middle attacks and eavesdropping. On the wireless infrastructure front it uses EAP authentication that requires certificates, issued by its internal CA, for machine-level authentication. On all client workstations the company has enforced the use of BitLocker and regularly audits compliance.

Sanjay Bahl, CSO - Microsoft India, said, “We use ADRMS (Active Directory Rights Management Services) to encrypt and rights protect our documents which are uploaded on SharePoint or sent through e-mail. The Active Directory RMS enables persistent data protection for e-mail, SharePoint documents and all Office documents. This is essentially protection for data on the move. On the client side, we have BitLocker and BitLocker To Go for protecting and encrypting data. This is very secure for mobile users who travel from one place to another and work on their laptops. For removable drives BitLocker To Go is a flexible solution for encryption on the go.”

SafeNet claims that its Software Rights Management products allow companies to protect their applications against piracy and reverse engineering, and let enterprises build fraud-prevention mechanisms that stop the field workforce from backdating transactions. Other products from the same vendor protect data on laptops, workstations and servers from falling into the wrong hands through physical theft, and its Hardware Security Modules (HSMs) safeguard the symmetric and asymmetric keys used to protect a department's critical transactions and data.

SafeNet’s DataSecure range provides database and application security for demanding processing environments, with high availability and streamlined implementation.

Rana Gupta, Director, India & SAARC, SafeNet India, said, “This particular range of products facilitates businesses to encrypt the selective structured as well as unstructured data while not burdening them with complex key policy management.”

James Lyne, Senior Technologist, Sophos, said, “We provide protection at a number of different layers in the enterprise. We use encryption to protect endpoints (for example, laptops left on a train) but also offer encryption capabilities at the file level to protect data in transit—even if it is stored on an iPhone or a cloud storage platform. We believe that our encryption suite should provide encryption for all kinds of devices to enable an enterprise to achieve compliance standards and protect against the loss of data.”

E-mail encryption


Businesses have been using e-mail encryption widely. The reason is that e-mail is considered mission critical today yet remains vulnerable to a growing array of threats. Viruses, worms, denial-of-service attacks, spam, legal e-discovery and a growing set of regulations all make effective message management increasingly difficult.

The primary benefit of e-mail encryption is that protected content remains confidential even when it lands in the hands of unintended recipients. Encryption on its own provides only confidentiality; paired with digital signatures, as S/MIME and PGP do, it also delivers integrity and non-repudiation.

E-mail continues to be a popular vector for data breaches—both malicious and unintentional. For example, users often mail information to the wrong recipient while using the auto-complete feature in their e-mail application. According to a study conducted by the Ponemon Institute supported by Symantec, 38% of employees who stole data in 2009 did so by sending attachments to a personal e-mail account.

Vishal Dhupar, Managing Director, Symantec India, said, “Several threats are delivered over e-mail today, including spam and phishing which can pose a serious threat to information. E-mail encryption also adds an additional layer of security to ensure that if the e-mail does not reach the intended recipient, the information is still safe.”

Companies that regularly send confidential information by e-mail should move to gateway e-mail encryption, rather than relying on systems that require individual users to implement encryption technology.

Sending SMTP e-mails without using encryption or authentication is the equivalent of leaving a letter unsealed before putting it in the post.

Gateway encryption is simple to implement, and does not rely on individual users to manage it (as with client-side solutions such as S/MIME and PGP).

Shubhomoy Biswas, Country Director, India & SAARC - SonicWALL, said, “If you do not regularly send confidential information by e-mail, or you trust your ISP to protect that information, then you don’t need gateway encryption. However, if you do, then it is worth considering as an alternative to client-side encryption.”

It’s always better to use encrypted e-mail for sensitive information and to configure existing mail systems to support TLS for SMTP, either in ‘opportunistic encryption’ mode (STARTTLS is used when the peer offers it, and the message falls back to cleartext when it does not) or by requiring encryption between specified domains or servers. Only the latter protects against a peer, or an attacker in the path, that simply omits the STARTTLS capability.
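To make the difference between the two modes concrete, here is an added example (not from the article or from SonicWALL): a small Python model of an outbound gateway's TLS policy decision. The EHLO replies are constructed, and the policy levels borrow Postfix's smtp_tls_security_level names ("may" for opportunistic, "encrypt" for required) as an assumption; no real mail server is contacted.

```python
# Added illustration, not from the article or any vendor quoted in it.
# Models how an outbound mail gateway decides between opportunistic and
# required TLS. EHLO replies are constructed; policy level names are borrowed
# from Postfix ("may", "encrypt", "none") as an assumption.

# Constructed EHLO replies: one peer advertises STARTTLS, one does not. A
# man-in-the-middle that strips the STARTTLS line produces the second.
EHLO_WITH_STARTTLS = (
    "250-mx.partner.example Hello gw.corp.example\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250 ENHANCEDSTATUSCODES\r\n"
)
EHLO_WITHOUT_STARTTLS = (
    "250-mx.partner.example Hello gw.corp.example\r\n"
    "250-SIZE 52428800\r\n"
    "250 ENHANCEDSTATUSCODES\r\n"
)

# Assumed per-domain policy table; anything not listed gets DEFAULT_LEVEL.
DEFAULT_LEVEL = "may"
DOMAIN_POLICY = {
    "partner.example": "encrypt",  # contract says: never send in the clear
    "bank.example": "encrypt",
}


def parse_ehlo(response: str) -> set:
    """Return the capability keywords advertised in an EHLO reply.

    The first line carries the peer's hostname and greeting rather than a
    capability, so it is skipped. Keywords are upper-cased because SMTP
    treats them case-insensitively.
    """
    caps = set()
    for line in response.splitlines()[1:]:
        if len(line) > 4 and line[:3] == "250" and line[3] in "- ":
            caps.add(line[4:].split(" ", 1)[0].upper())
    return caps


def decide_delivery(domain: str, ehlo_response: str) -> tuple:
    """Decide how to deliver to `domain` given the peer's EHLO reply.

    Returns (action, reason), where action is "send-tls", "send-cleartext"
    or "defer".
    """
    level = DOMAIN_POLICY.get(domain, DEFAULT_LEVEL)
    offers_tls = "STARTTLS" in parse_ehlo(ehlo_response)
    if level == "none":
        return ("send-cleartext", "policy disables TLS for this domain")
    if offers_tls:
        return ("send-tls", f"level={level}, peer offers STARTTLS")
    if level == "may":
        # The weak setting: opportunistic mode silently falls back, so a
        # stripped STARTTLS line looks exactly like a peer without TLS.
        return ("send-cleartext", "opportunistic fallback: no STARTTLS offered")
    # "encrypt": the corrected setting for domains that must never see cleartext.
    return ("defer", f"level={level} requires TLS but peer offered none")


if __name__ == "__main__":
    for dom in ("partner.example", "other.example"):
        for name, ehlo in (("with STARTTLS", EHLO_WITH_STARTTLS),
                           ("without STARTTLS", EHLO_WITHOUT_STARTTLS)):
            print(dom, name, decide_delivery(dom, ehlo))
```

Run stand-alone, it prints the decision for each domain and EHLO reply. The point is the third branch: under "may" a peer that does not advertise STARTTLS, whether because it lacks TLS or because something in the path removed the capability line, receives the message in cleartext with no error; under "encrypt" the same situation defers the message, which is the behaviour wanted for domains that exchange confidential data.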

New computing paradigms and business models fundamentally require businesses to rethink how they deal with compliance, risk management and data protection. Central to IBM's approach to clients' security challenges is a shift in focus from securing assets to securing critical services. IBM's e-mail encryption product is Lotus Protector.

Sandeep K Dutta, VP - Storage, Systems and Technology Group, IBM India/SA, said, “With integrated service management tools that provide a ‘command center’ view into a client's operations and potential areas of risk, we can help clients design security into the fabric of the services that they deliver, making security intrinsic to their business processes, product development and daily operations.”

Bahl said, “From Microsoft’s product point of view, the next generation version of Forefront Security for Exchange Server provides fast and effective detection of malware and spam, blocks out-of-policy content, and integrates with Forefront Online Protection for Exchange to offer the defense-in-depth benefits of hosted and on-premise filtering in a single solution.”

E-mail is one of the easier points to secure, since in most organizations it flows through specific gateways where security can be deployed. A surprisingly large number of breaches and transfers of sensitive data occur over e-mail, so policy in this area offers low-cost, high-gain risk mitigation. The biggest challenge at this layer is agreeing on encryption standards with partners or customers; if an external party has to work to support your encryption, adoption becomes difficult.

Lyne recommended that enterprises use mixed mode encryption, capable of enterprise encryption with partners and providing the ability for an external party that lacks pre-agreed encryption to receive data securely.

Encryption ensures that data is not compromised even when a system is breached, as long as the keys are not. Hence, encryption is one of the key components for protecting sensitive business or customer data at rest, in motion and in use. With data a business differentiator, encryption helps a business protect itself and grow. Increasingly, corporate employees use mobile phones for data access, and these devices are soon set to outnumber desktops and laptops.

Sriram S, CEO, iValue InfoSolutions, said, “The relevance of encryption has increased multifold. Business needs flexibility these days with respect to employees working from home, cyber cafés, any geography, airport, hotels, etc. and many of these places are not adequately protected for safe access. Encryption can mitigate some of the risks with flexibility.”

Encrypting data in transit

Almost every vendor agreed that encrypting data in transit is a workable practice. As the amount of network-attached data and storage grows, so does the exposure to data loss, and the risk of loss and theft through unauthorized access is growing daily.

Biswas said, “Data in transit—especially data traversing the Internet—is not the big security risk that it's made out to be. However, it seems that most organizations and security product vendors are still focused on securing data as it travels across the wire.”

IPsec (Internet Protocol Security) is the industry standard for achieving this goal, and the de facto standard for encrypting data travelling on the wire.

Solutions such as Symantec NetBackup provide flexible technologies to secure backup data, including access and authorization control and disk and tape encryption. NetBackup offers Source/Client encryption, which protects data both in transit and on media, and a Media Server Encryption Option for greater flexibility when backing up to tape. The latter runs on the NetBackup media server, avoiding an adverse impact on client performance.

Dhupar said, “An additional benefit is the centralized and integrated key management service for encrypted tape drives.”

The Cisco Storage Media Encryption (SME) solution enables hardware compression and encryption on the network before data is written to a tape device. With the introduction of the Cisco MDS 9222i Multiservice Modular Switch and of the Cisco MDS 9000 18/4-Port Multiservice Module line card providing encryption services, the Cisco SME solution provides a distributed, scalable and secure network based on the Cisco MDS 9000 family of switches and directors.

When setting out to protect data one should think in terms of a chain—where does the data get transferred to? Who accesses it? Where is it stored?

Lyne points out, “It is common for people to encrypt laptops, but they often forget to encrypt the backup tapes for the entire enterprise.”

A standard feature on drives

With encryption becoming a standard feature on enterprise hard drives and tape drives, will the usage of this technology go up?

In today’s world, when a great deal of attention has been given to security, encryption forms a core part of an organization’s overall security strategy. In fact, encryption is embedded in applications and products.

Dutta said, “Today we have encryption capable hard disks which can be used in disk arrays used in a NAS or SAN. The concept is that as data enters the disk drive it is encrypted and as and when the data is required to be read, it is decrypted. Similarly, we have encryption capable tape drives. If the question pertains to encryption of data as it moves between tape and disk drive, then it may not be relevant as the tape and disk drives would normally be in the same SAN fabric which is not accessible to the outside world.”

Bahl said, “When working in a secure environment, we must ensure that everything that gets stored to the disk is not stored in clear text. Usage of this technology is set to go up because of increased awareness and the importance of the need to protect data and also innovations in this area from companies like Microsoft.”

The key going forward is going to be the integration of security and data protection technologies into all products and making it less complex to implement.

E-mail has become the primary communication method for organizations of all sizes. Whether private information is leaked deliberately or accidentally, the ramifications of data loss are severe: violation of compliance regulations, erosion of customer trust and destruction of brand equity. As a result, executives are focused more than ever on rapidly deploying solutions to address data loss, in an easy-to-administer, unobtrusive manner.

Jatin Sachdeva (CISSP, CISA), Information Security Specialist, Cisco, added, “In the past, only a small number of organizations adopted some available tape encryption technologies. Data on tape was considered relatively safe, and the risk involved was not enough to justify the additional cost, slower performance and additional operational procedures. Recently, new conditions have caused the risks associated with tape data loss to be seen as much more critical. Tape encryption is now widely regarded as a necessity. In addition, new technology options are making the implementation of a solution that secures data on tape less expensive in terms of CAPEX and maintenance.”

Sriram S, CEO, iValue InfoSolutions, said, “DLP along with encryption will be amongst top five technologies both in terms of adoption and growth with increasing relevance. Growth in the last couple of years and lead indicators are strong enough to confirm this trend.”

With data security becoming an ever-growing problem and laptops always in the news for being ‘lost’, encryption has become a common security measure implemented on hard drives for use in the enterprise. The problem with encryption is that you need to implement a solution across a company which takes time and costs money.

The problem of securing data isn’t just about managing it during the life of a drive, but also ensuring that it is securely deleted once that drive is no longer in use.

Biswas pointed out, “Transparency is the key feature. For the individual, there may be a move to store data in the cloud, but we all still buy and use hard drives in our PCs, laptops, or as a separate portable unit and they all need to be protected. For business users, it’s probably the decommissioning of a hard drive that costs the most money, especially if a third-party is hired to do this. Being able to just delete an encryption key instead and forget about data deletion or specialist hard drive destruction will save a small fortune if there is confidence that this is all that you need to do to secure the data.”

Lyne opined that it’s a simple practice with strong risk mitigation returns.

Lyne said, “It’s going to be pretty ubiquitous. Encryption will move into the fabric of the infrastructure as it is increasingly deployed. Regulations mandate the use of these controls, as an aside to the genuine desire to protect against data loss. The use of this technology has increased drastically over the past two years for these reasons, but is set to continue rising and expanding to new points of the infrastructure. Web applications, mobile devices and the other prolific technology trends too are building in encryption capabilities. This trend is further reinforced by the rise of the mobile workforce. Expect a time to come where everything is using this to provide a basic level of protection.”

Gupta had a different take on this. “I think that it is not the encryption by itself that is a bottleneck. It is key management that will decide whether organizations make use of this technology or not. You don’t want to be sitting on a bunch of tapes with encrypted data but not knowing six months down the line as to how to decrypt those tapes, do you? So, having a strong key management infrastructure is critical to deploying any kind of encryption technology.”
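Both points, Biswas's deleting a key instead of wiping a drive and Gupta's warning about tapes nobody can decrypt six months later, come down to the same key hierarchy. The following is an added example, not code from the article or from any vendor quoted in it: a Python model of envelope encryption for backup media, in which each tape has its own data-encryption key (DEK) that is stored only wrapped under a key-encryption key (KEK) held by a key manager. It assumes a toy authenticated stream cipher built from HMAC-SHA256 so that it runs on the standard library alone (a real system would use AES-GCM or a self-encrypting drive and keep KEKs in an HSM), and the KeyManager and Tape names are hypothetical.

```python
# Added example, not from the article or any vendor quoted in it. The toy
# cipher below (HMAC-SHA256 keystream plus HMAC tag) stands in for AES-GCM so
# the code runs on the standard library; KEKs would live in an HSM in practice.
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC subkeys derived from one 256-bit key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # PRF counter mode: block i = HMAC(key, nonce || i).
    out = bytearray()
    for i in range((length + 31) // 32):
        out += hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC; output is nonce || ciphertext || tag.
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    # Verify the tag before decrypting; a wrong key raises instead of
    # returning garbage.
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class KeyManager:
    """Holds key-encryption keys (KEKs); raw KEKs never leave this object."""

    def __init__(self):
        self._keks = {}
        self._next_id = 0

    def create_kek(self) -> str:
        self._next_id += 1
        kek_id = f"kek-{self._next_id:04d}"
        self._keks[kek_id] = secrets.token_bytes(32)
        return kek_id

    def wrap(self, kek_id: str, dek: bytes) -> bytes:
        return seal(self._keks[kek_id], dek)

    def unwrap(self, kek_id: str, wrapped: bytes) -> bytes:
        if kek_id not in self._keks:
            raise KeyError(f"{kek_id} was destroyed; data wrapped under it is gone")
        return open_sealed(self._keks[kek_id], wrapped)

    def destroy(self, kek_id: str) -> None:
        self._keks.pop(kek_id, None)


class Tape:
    """One backup tape. Its data-encryption key (DEK) sits in the tape header
    only in wrapped form, under the KEK named by kek_id."""

    def __init__(self, km: KeyManager, kek_id: str, label: str):
        self.label, self.kek_id = label, kek_id
        self.wrapped_dek = km.wrap(kek_id, secrets.token_bytes(32))
        self.blocks = []

    def _dek(self, km: KeyManager) -> bytes:
        if self.wrapped_dek is None:
            raise ValueError(f"tape {self.label} has been crypto-erased")
        return km.unwrap(self.kek_id, self.wrapped_dek)

    def write(self, km: KeyManager, data: bytes) -> int:
        self.blocks.append(seal(self._dek(km), data))
        return len(self.blocks) - 1

    def read(self, km: KeyManager, index: int) -> bytes:
        return open_sealed(self._dek(km), self.blocks[index])

    def rekey(self, km: KeyManager, new_kek_id: str) -> None:
        # KEK rotation rewraps only the DEK; the data blocks are untouched.
        self.wrapped_dek = km.wrap(new_kek_id, self._dek(km))
        self.kek_id = new_kek_id

    def crypto_erase(self) -> None:
        # Retire the tape by discarding the wrapped DEK. The ciphertext stays
        # on the media, but nothing can decrypt it any more.
        self.wrapped_dek = None
```

Rotating a KEK (rekey) rewraps only the 32-byte DEK in the tape header, so a library of cartridges can be rotated without rereading them; destroying a KEK before every tape under it has been rekeyed is exactly the scenario Gupta describes, and here the unwrap call fails loudly rather than returning garbage. Crypto-erase discards the wrapped DEK: the ciphertext is still on the media, but with the DEK gone there is nothing to decrypt it with, which is why deleting the key can replace physical destruction when, and only when, the DEK was never stored anywhere else.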

Encryption as a centralized policy

According to a report by Privacy Rights Clearinghouse, 93.8 million personal records have been reported lost or stolen since 2005 alone. Further, Ponemon Institute estimates that each data breach now costs the average company $6.3 million. Most of these losses are caused by careless or naive employees, not hackers or data thieves. With Internet access now a constant from almost everywhere, it is becoming increasingly difficult to ensure that confidential or valuable data is not exposed or released by authorized users.

Sachdeva cited Cisco’s latest Data Leakage Study, which compared IT professionals' biggest concerns about employee risk with the reality of employee behaviour which, whether inadvertent or malicious, can damage company brands and cost businesses a fortune.

For large organizations, data security is not an option, it's essential. While there are many different security mechanisms, data encryption is perhaps the most effective with regard to protecting confidential information. Most organizations are enforcing data encryption in their centralized IT policy.

Endpoint encryption products are centrally administered and support multiple encryption algorithms. Access to the data is gated by authentication of authorized users (typically a password that unlocks the disk key), and the products provide extensive auditing capabilities and reports for compliance audits.

With smartphones being used for accessing corporate data and these devices being more likely to be misplaced or stolen, data encryption becomes all the more important. Data encryption is one of the aspects of an overall corporate DLP solution. Compliance continues to drive adoption with large businesses. Cloud adoption should also increase the importance of encryption.

Lyne thought it was still early days on the DLP front, although the pace of growth was fast. DLP is slated to be the next wave in security, as anti-virus and anti-spam were in the past.

Microsoft is enforcing infrastructure policies to promote encryption on its network on a large scale.

As businesses look to drive growth, they need to increase collaboration, sharing and access to information but they must do so while protecting assets and infrastructure. Frequently, this must be addressed in the context of shrinking budgets and increased regulatory pressure.

Bahl said, “In response to these business challenges and opportunities, Microsoft is taking a fundamentally different approach to security. We call it business ready security.”

Dhupar said that the industry had moved beyond encryption to adopting data loss prevention, which is a proactive, risk-based approach to information security that protects data wherever it is used or stored.

These objectives, coupled with a technology framework, will probably lead organizations to follow a set of best practices for managing data privacy, security, regulatory and internal compliance requirements.

Subhankar.Kundu@expressindia.com

 





© Copyright 2001: The Indian Express Limited. All rights reserved throughout the world. This entire site is compiled in Mumbai by the Business Publications Division (BPD) of The Indian Express Limited. Site managed by BPD.