Where Data Goes, Security Must Follow
Sep 25, 2006 4:00 AM PT
It used to be that armed guards, locked file cabinets and vaults were the tools for securing currency, as businesses operated in a physical world. Today, information is the currency of the global economy, as consumers pay through electronic card swipes, employees are paid through direct deposit, and businesses sell a good deal of their wares online. More than ever before, companies are now challenged to find ways to protect "currency" as it is exchanged with people inside and outside secure corporate networks.
Over the last several years, data breaches have become more pervasive. Additional legislation, including PCI (Payment Card Industry) standards and the GLBA (Gramm-Leach-Bliley Act), have been created to safeguard consumer data. Well-publicized security breaches are causing enterprises to develop security policies in order to protect their brands from the damaging publicity surrounding such an event.
The growing trend toward outsourcing non-core business functions is also driving the need for enterprises to extend their security policies to their partners. In this risk-filled environment, a data-centric approach to security may be the only way for enterprises to remain in control of their information, no matter where it resides.
Data encryption allows individuals and organizations to secure their data at a file level. An encrypted file can be sent via any communications mechanism (SSL/FTP/e-mail) and the sender can rest assured that their data cannot be tampered with. When data encryption is coupled with a Public Key Infrastructure (PKI), files can also be digitally signed and authenticated. This provides the originator the highest level of assurance that their data will reach its endpoint securely.
Information takes many "states" within the enterprise. Data "at rest" can be found stored on mainframes, servers or even proliferated to an infinite number of desktops. Information can be stored to back-up tapes at off-site storage facilities or even on CDs and USB drives. Integrating encryption into data-management policies prior to saving to tape or CD will ensure that the information remains secure.
As information moves through operational processes both within and outside of the enterprise, it becomes data "in transit." Data moves throughout the enterprise from one computing platform to another. Data on the mainframe can be sent to servers or desktops, and vice versa.
In order to compliment existing processes, an encryption solution must allow for this multi-platform versatility, otherwise security can become restrictive and ineffective. An added consideration for facilitating data in transit is to use an encryption product that compresses data prior to encrypting it so that the file exchange has as little impact as possible on bandwidth.
Business partnerships change dynamically as resources come together to achieve common goals. Whether the goal is a successful insurance claim or the processing of a financial transaction, information to support the activity must be exchanged. For a security solution to be transparent and non-restrictive to partners, it must take into consideration the uniqueness of partners' computing platforms and security environments. Data-centric security is unique in this regard because it transcends operational requirements.
Moving to a Data-Centric Security Model
The common thread in most legislation today is that customer data must be vigilantly protected. As an organization looks at how to keep its information secure, it should look to how data flows within it. The following example illustrates the data flow of a national wholesaler working to achieve PCI compliance.
This particular wholesaler needed to secure transactional data being received daily in its mainframe data center. The data needed to be batched and encrypted every 24 hours. The data then resided in storage for several days while transactions closed, after which the files were sent to an AIX Server where the information was decrypted and stripped of sensitive information. The remaining non-sensitive data was then moved to tape and stored in an off-site facility. As an added challenge, this wholesaler needed to maintain processing windows while adding security to their environment.
In reviewing the process flow from this wholesaler, cross-platform interoperability became one of the key components of the solution. The wholesaler needed the ability to take information encrypted on the mainframe, decrypt it on an AIX server and then protect the information as they saved it to tape. In this case, the wholesaler was able to meet PCI compliance and maintain its processing windows through the use of compression. Another advantage of a data-centric security model is that it represents a cost savings to an organization because there is no need to secure the communications mechanisms, which are often expensive and difficult to maintain.
Encryption Best Practices
Easy to Use - One of the difficulties organizations face in implementing a security solution is that if it is difficult to use, or not centrally controlled, employees will find ways to circumvent it. The ability of an organization to create and enforce policy surrounding how encryption solutions are being used is a critical success factor. Policy management not only dictates who in the organization is authorized to use encryption, but when and how it should be used. The easier the solution is to use, the better the solution.
"User Proof" - The potential for employees to misuse encryption is a risk of the data-centric security model. In some cases, employees have encrypted information and upon its exit from the organization, the information becomes inaccessible. To prevent this from happening, encryption solutions should include a contingency or master key feature, which allows the system administrator access to any files being encrypted by users within the organization. An integrated policy manager will also allow the organization to dictate encryption policy through an administrative interface.
Non-Disruptive - Many security solutions do not compliment an organization's environment. The advantage of using a data-centric security model is that it compliments the security investments that organizations have already made.
Choosing an Encryption Vendor - The security market is saturated with vendors offering partial or point solutions. The best option is a practical solution that is able to address multiple concerns. As an organization looks for the right security solution, here are some things to keep in mind:
- Backward Compatibility - In many cases, files that have been encrypted must remain accessible for several years to remain in compliance with regulations and audit requirements, even after they have been backed up. Look for a solution that is standards-based and can open legacy file formats.
- Scalability - In order to choose a system that operates as effectively on one computer as on 1 million computers, look for a solution that operates using a hierarchical security model that is compatible with a trusted X.509 standards-based certificate authority.
- System Agnostic - Because data moves from platform-to-platform throughout your organization, your encryption solution should work on any major computing platform.
- Compression - Encryption solutions add processing time and increase the size of your files. Look for an encryption solution that compresses files before encrypting them to save you processing time and bandwidth.
- Future Proof Your Solution - Regardless of whether your organization is currently using a PKI environment, the encryption solution that you choose should allow you to operate using any security infrastructure.
The only feasible approach to securing information is to take an encrypted, data-level approach to security. Anything less leaves companies, customers and partners at risk.
Joe Sturonas is CTO of PKWARE, a leading provider of enterprise solutions for secure and efficient data transfer and storage.