
Encryption to amaze

Editorial Type: Industry Focus     Date: 05-2016









Truly effective encryption that actually protects data wherever it may reside is an absolute must for any business or organisation dealing with sensitive data.

Just 'turning on' encryption is not enough to be assured that your information is protected. These are the cautionary words of Richard Morris, head of cyber protection at Roke, who says the following must be considered:

Key Management Strategy: "Keys can be the Achilles heel of any encryption system - if keys are not handled appropriately, the loss of them will render the encryption null and void.

One must consider how encryption keys will be used, distributed and recalled. Who has access to them? What happens when a key is lost or compromised? If using digital certificates, what is the mechanism used to revoke them and is that mechanism sufficiently robust?"

Products: "Do you trust the implementations used to encrypt or authenticate your data or just assume it's bulletproof? Do you have a robust patching scheme to update products following security flaws being identified and which could be exploited to gain access to your data? Are you tied to one proprietary product/solution where, should the product be discontinued, there are no security patches being provided?"

Implementations: "If you're developing encryption solutions, have you actually considered the strength of the algorithm and whether the implementation is sufficiently robust - battle-proven open source software will likely be more robust than a new proprietary implementation? Is there enough entropy/randomness in any key derivation implementation? What if the encryption platform or software is hacked - are your keys for the rest of your system easily accessible to the hacker?"

Morris goes on to point out factors such as Risk Mitigation: "What would the consequences of losing encryption keys be - is the total loss of the data or service a better outcome than information falling into the wrong hands? Can key backup and restore strategies mitigate the risk of permanently losing data, without themselves being a target of malicious activity?"

And finally, there is Support: "Is there a sufficient support infrastructure in place to process requests to recover lost passwords, keys or digital certificates and re-issue new ones? Are your IT support personnel sufficiently trained to deal with encryption technologies?"

INSIDE THE CLOUD
These are all questions that any enterprise should be asking itself, especially at a time when the adoption of cloud by the enterprise has dramatically increased the attack surface for the defenders. As Lise Feng, director, CipherCloud, points out: "By turning the network and its data troves inside out, cloud has created a need for a security layer between the enterprise and the cloud. This layer is what leading analyst firm Gartner calls cloud access security brokers (CASBs), which it forecasts will be the next billion dollar segment in security. By providing visibility into shadow IT and measures for securing data beyond the four walls, CASBs give organisations control over the data they are sending into the cloud. That control is critical for addressing regulations that require privacy, security and sovereignty assurance for handling sensitive information."

Core CASB technologies, such as cloud encryption and tokenisation, enable the enterprise cloud journey by securing data before it leaves the premises. "The PRISM and MUSCULAR revelations underscored the security case for using strong encryption and enterprise managed keys," Feng continues. "Because more vendors are baking the technology into products, government officials in the US and EU have suggested mandating encryption backdoors to give law enforcement data access to investigate suspected criminal activities. As a result of its robustness, cloud encryption post-Snowden has gained rapid adoption with companies in finance, healthcare, telecommunications and other regulated sectors, as well as with multinationals that operate under a myriad of regional privacy laws.

"In security, the best publicised news focuses on the vulnerability, not the cure. But, as Snowden highlighted, 'trust the math'. Encryption and tokenisation, applied with proper security hygiene, offer proactive data defences against unwanted intruders. With regulators around the world setting an increasingly stringent privacy agenda for the treatment of data, companies investing in cloud can keep using their applications, as long as they prove they are taking adequate protection measures, such as encryption and tokenisation."

Given the EU court's suspension of Safe Harbour, there is more incentive than ever for companies that move data across the Atlantic to strongly encrypt or tokenise information that regulators categorise as sensitive, Feng concludes.

CRUCIAL COMPONENT
Strong encryption that actually protects the data wherever it resides is a crucial component for any business or organisation that collects sensitive data, of course, and many leading companies are already employing format-preserving encryption to protect the data itself. Thus it is important for all companies to ensure that, if their data does need to be collected, stored or analysed, it is protected with strong encryption, warns Brendan Rizzo, technical director EMEA at HPE Security - Data Security.
