www.expresscomputeronline.com WEEKLY INSIGHT FOR TECHNOLOGY PROFESSIONALS
28 January 2008  
Encryption

Data protection through encryption

Encryption has been used to hide covert messages from prehistoric times. Today, companies use encryption to protect data in transit and on disk. By Varun Aggarwal

The encryption story in India is slowly beginning to unfold, thanks to compliance requirements like PCI DSS, SOX and HIPAA and the global exposure of most Indian companies. Secure data interchange has become the norm now that companies share data and critical information with partners and customers alike. The physical boundaries that once existed between the enterprise and the rest of the world have faded. One of the most efficient and secure ways to control and share information with the right parties is encryption. Encryption alone is not enough for this, though; it needs to be integrated with policy enforcement mechanisms like access control, segregation of duties and log management.


Amuleek Bijral, Country Manager- India & SAARC for RSA, the Security Division of EMC said, “The Indian customers today are looking at vendors who can fulfill all these requirements and provide a complete, well integrated and consistent solution. The encryption can span from the application, network and storage layers.”

Today it is not just compliance that drives security solutions; customers have started realising that security can be a business enabler, provided it is done right. As infrastructure becomes more expensive, telecommuting has become a critical requirement for IT and ITES companies. Making the right data available to remote offices and offshore operations is critical to the functioning of any business. All this can be achieved with the right security solution.

Data security is one of the top items on any company’s IT agenda. Almost all organizations back up their data regularly and maintain offsite copies for the purpose of data retention and disaster recovery. In spite of the fact that backup tapes contain confidential data, comparatively few companies have taken steps to ensure that the data that is backed up and transported offsite for storage is secure. In fact, while IT departments go to great lengths to secure their network perimeter against attack, many organizations are lax in the way they protect their backup infrastructure and tape media. However, a series of new regulations and a spate of high-profile backup tape losses are finally forcing organizations to re-evaluate how effective their data security processes and technology really are.

We found that software encryption is being widely adopted to protect data. Between software and hardware encryption, the latter scales better and offers better granularity and control over the data being encrypted or decrypted.


Encryption: the hardware story

While data transmissions are commonly encrypted, mostly using the Secure Sockets Layer (SSL) protocol on the Net and increasingly even on VPNs, now companies are encrypting data right on the hard drive or tape where it rests.

That’s where the rub is: these devices mostly lack physical and access security controls to protect the data residing in their memory banks when they are misplaced, lost or stolen. The natural consequence is that data stored on endpoint devices is at greater risk than transmitted data. Even devices that are being disposed of may still hold valuable data that can be recovered by those who know how and have the right tools, experts caution.

Shailendra Sahasrabudhe, Country Manager, Aladdin Knowledge Systems, said, “Smart-card-based authentication tokens help to secure storage of all user credentials on-board, with users required only to remember their single token password to gain credential access. A strong authentication solution that offers user self-service token and credential management tools helps organizations to reduce costs further.”

Strengthening security also saves organizations significant costs by preventing the potential security breaches discussed in the section above. This includes the misuse of data and networks by insiders, lost data from stolen notebook PCs, and other security attacks that affect many organizations today.

“Generally speaking, depending on the implementation selected, strong authentication offerings provide varying levels of solution support. The broader the range of security solutions deployed—secure network access, single sign-on, PC security, and secure data transactions—the greater the return on investment (RoI),” added Sahasrabudhe.

Bijral opined, “Databases are the most ubiquitous containers for storing data in all organizations and hence database encryption is one of the most sought after solutions for security. Database encryption is an exceptionally challenging task thanks to the various flavors and brands of DBMS in use.” Native encryption may help to a certain extent, although it still is not a complete solution for various reasons:

  • Multi-vendor solution: Native database encryption applies only to that flavour (worse, only a particular version) of the database. It will not interoperate with databases from other vendors or with a different version of the same database from the same vendor.
  • Granularity of encryption: Most native encryption solutions work at the database or the table level, which costs processing power and storage capacity. What customers need is the ability to encrypt at the column level.
  • Segregation of duties: Native database encryption is controlled by the DBA. This allows the DBA to switch encryption on or off at will, conflicting with the SoD requirements of most compliance laws.
  • Key management: The biggest challenge of any encryption solution is managing the life cycle of the keys used for encryption. With native encryption, key management has to be done at the individual database level, adding a lot of management cost and complexity to installations.

Native database encryption is the latest variant of software encryption. Database server level encryption existed in the past, but it was not native code with the fine granularity that lets it encrypt a database column and leave the adjoining columns in clear text.

Most databases support encryption of sensitive tables, rows or columns. The advantage of encrypting data in the database itself is that only the data that needs to be encrypted is, thereby minimizing processing overhead.

Nonetheless, encryption does have an adverse impact upon database performance. The encryption and decryption of encrypted columns adds processor overhead to every transaction. The latest operating systems incorporate data encryption capabilities. For example, Microsoft has the Encrypting File System as a component of its New Technology File System on Windows Server 2000 and later versions. This feature gives a user broad flexibility to encrypt files or folders that need protection.

Although single factor authentication was used in the past, today the emphasis is on two-factor or multi-factor authentication. Public Key Infrastructure (PKI) is emerging as a technology of choice when it comes to data encryption.

One can encrypt data using a software application or through embedded hardware. Both have their proponents, and it is fair to say that the choice depends on the situation or need. Software-based encryption suffers on the performance, scalability and stability front (this is true of all software, not just encryption tools). Encryption software tends to eat more CPU cycles than most applications. Hardware-based encryption is more robust, but it is also less flexible.

Unless you have a hardware encryption chip built into your notebook (as in some ThinkPad models where the security system combines a security chip embedded on the motherboard with a software utility that lets you protect your files with hardware-based encryption) or PC, using hardware for encrypting data may be more cumbersome. That said, algorithms are algorithms, be they implemented in the hardware or in a piece of software.

Encryption isn’t just used to protect data on hard drives. It’s equally or even more important to protect backup tapes as these are more likely to be transported for backup to another location or tape vaulting. The trick here is to classify data so that only private and confidential data gets encrypted.

Hardware encryption revolves around special processors that are designed to do one thing and one thing only which is to encrypt or decrypt data. These are normally used to encrypt an entire disk or tape.

Tips for Mobile Data Encryption
  • Select data encryption that protects data to meet your policy, yet does not incur too high a performance impact.
  • Encrypt data at rest on mobile devices, including on storage media.
  • Select the minimum encryption necessary to comply with policy.
  • Choose certified encryption (for example, FIPS 140-2 validated) for better protection.
  • Use solutions that encrypt "in place" rather than containers, so data is protected without user intervention.
  • Manage encryption keys to protect them from theft.

Source: Trend Micro

Endpoint encryption

There has been exponential growth in the country’s mobile workforce, which has led to increased use of endpoint devices such as notebook PCs and smartphones. An unsecured mobile device in the hands of a senior manager or board member is a recipe for trouble if it is lost or stolen.

Encryption is a shot in the arm for mobile users who are concerned about the safety of sensitive information on their notebooks, personal computers and mobile phones. Even if a notebook’s hard drive is taken out and accessed by a thief or corporate spy, he can do nothing if the data is encrypted, because the credentials required to decrypt it are stored not on the hard drive but on a smartcard or USB key.

Online security

Extended Validation (EV, also known as high assurance or HA) SSL is perhaps the most significant development in online security in the past decade. Newer browsers can display the identity information contained in an EV or HA SSL certificate, letting consumers figure out whether they are truly at the site they think they are on.

Niraj Kaushik, Country Manager, SAARC, Trend Micro, said, “Encryption provides the most effective way to protect data at rest and is also the first line of defense against loss or theft of the device. Secure Socket Layer (SSL) is a security protocol that ensures data is securely transmitted from the device to the server over a secure Web connection. Alternatively, VPN solutions can be used to secure data in motion. However, VPN solutions can be relatively expensive and may cause increased CPU utilization and drain battery on the mobile device due to processing of additional VPN client software on the device.”

Some e-mail solutions encrypt their mail storage. “However, a comprehensive solution should include not only the mail storage but also the option to encrypt the rest of the data on the mobile device such as contact information, calendars, and files. Encryption should extend to files on the storage media used in the mobile device,” he added. An administrator should be able to configure the types of data to encrypt and the encryption algorithm to be used. The strength of any encryption system lies in the algorithm used, and there are many algorithms available in the market. They can be distilled down to two types: secret key and public key algorithms. Secret key algorithms provide confidentiality, whereas public key algorithms provide both authentication and confidentiality. Secret key algorithms are usually faster, often more than 1,000 times faster, than public key algorithms. Often, secret keys are used after some basic authentication is performed.

The most popular secret key algorithms are Advanced Encryption Standard (AES) and the older Triple Data Encryption Standard (3DES). “Companies can balance government regulatory requirements with performance and resource issues if they have the choice of algorithm and key length. An IT administrator should look for encryption solutions that offer flexibility such as 3DES and AES with 128 bit, 192 bit, and 256 bit encryption keys,” opined Kaushik.

Characteristics of an Effective Encryption Solution
  • Centrally managed and controlled
  • Rapidly deployed and maintained
  • Policy driven
  • Completely transparent to the user
  • Easily supported by help desk or IT personnel
  • Provide support for removable media
  • Expandable, allowing new managed encryption applications to be added, as needed
  • Extensible, enabling organizations to add managed encryption to existing enterprise applications

Source: IDC

Safer transactions

Most customers still feel insecure while transacting online, and there is some merit to that if one looks at all the stories published about major banks, credit card companies and financial institutions losing critical customer data, and at the amount of online fraud surfacing recently. According to a survey done by Gartner in 2007, in the US alone 3.6 million people lost money amounting to $3.2 billion to phishing.

Encryption can solve part of the problem by encrypting the transaction between the client and the application at the vendor’s end, though it is not a complete solution, as it does not address man-in-the-middle and phishing/pharming attacks. Anti-phishing and anti-pharming technologies, in combination with stronger authentication (PKI, OTP, biometrics) and access management, help minimise the damage done by online fraudsters.

Some basic steps

As of now, only a few large enterprises have opted to encrypt their critical data. Encryption traditionally requires an additional investment to be made and it may even slow down the performance of existing systems making it a hard sell.

A prerequisite to implementing effective data access controls is the classification of data into ‘security classes’ that can be used while defining policies, procedures, and management. The bottom line is that not all data is equally important, and each data type requires its own level of protection. Data classification is necessary to prioritize data while applying controls.

Does the entire database or table need to be encrypted? If only a few columns are sensitive, such as a customer’s credit card number, bank account number, social security number or PAN card number, then only those columns need to be encrypted. The stock of coconut oil bottles in your inventory table does not need to be encrypted. Column-level encryption is therefore the optimal strategy for most companies.
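Application-layer column-level encryption that addresses three of the points raised in the database encryption list above and in this paragraph (column granularity, keeping the DBA from switching encryption off, and recording which key protects each row so keys can be rotated), as an added example that is not from the article or from any vendor named in it. The key store, the table, the column names and the customer record are constructed, and an HMAC-SHA256 keystream stands in for AES because Python's standard library has no AES:

```python
"""Application-layer column-level encryption with the key held outside the database.

Constructed example, not code from the article or from any vendor named in it.
The card number is encrypted before it reaches the database, so the DBA sees only
ciphertext and cannot switch encryption off, and every row records the id of the
key that protects it so keys can be rotated. Python's standard library has no AES,
so an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag stands in
for AES-GCM here; in production use a vetted AEAD from a library such as cryptography.
"""
import hashlib
import hmac
import os
import sqlite3

# Key store owned by the security team, outside the DBMS (constructed for this example).
KEY_STORE = {"k1": os.urandom(32)}
ACTIVE_KEY_ID = "k1"

def _subkeys(key_id: str) -> tuple:
    """Derive separate encryption and MAC keys from the stored master key."""
    key = KEY_STORE[key_id]
    return (hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest())

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt_column(plaintext: str, key_id: str = ACTIVE_KEY_ID) -> bytes:
    """Return key_id (8 bytes, NUL padded) || nonce (16) || ciphertext || tag (32)."""
    enc_key, mac_key = _subkeys(key_id)
    nonce = os.urandom(16)
    data = plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(enc_key, nonce, len(data))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return key_id.encode().ljust(8, b"\0") + nonce + ct + tag

def decrypt_column(blob: bytes) -> str:
    """Verify the tag before decrypting; raise if the row was altered or the key is wrong."""
    key_id = blob[:8].rstrip(b"\0").decode()
    nonce, ct, tag = blob[8:24], blob[24:-32], blob[-32:]
    enc_key, mac_key = _subkeys(key_id)
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext tampered with or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct)))).decode()

def demo() -> dict:
    """Store one customer row: only the card column is encrypted, the stock count is not."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (name TEXT, card_number BLOB, coconut_oil_stock INTEGER)")
    db.execute("INSERT INTO customers VALUES (?, ?, ?)",
               ("Asha", encrypt_column("4111111111111111"), 120))  # constructed test card number
    name, blob, stock = db.execute("SELECT * FROM customers").fetchone()
    return {"dba_sees": blob, "app_sees": decrypt_column(blob), "stock": stock}
```

Adding a second key to KEY_STORE and re-encrypting rows under it is all that key rotation requires, since each blob names its own key.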

Firms offering digital certificates

Name of certifying agency                                                             Web site
Tata Consultancy Services Ltd                                                         www.tcs-ca.tcs.co.in
National Informatics Ltd                                                              www.nic.in
Institute of Development & Research in Banking Technology (IDRBT)                     www.idrbtca.org.in
MTNL                                                                                  www.mtnltrustline.com
Customs & Central Excise                                                              www.icert.gov.in
Code Solutions Ltd (A division of Gujarat Narmada Valley Fertilisers Company Ltd)     www.gnvfc.com
Safescrypt                                                                            www.safescrypt.com
RSA (A security division of EMC)                                                      www.rsasecurity.com

PKI for electronic transactions

Public Key Infrastructure (PKI) is the only legally valid electronic form of signature. In the past, PKI deployments have been marred by manageability and usability issues. Today the manageability problems are being addressed as better key management solutions become available. Even USB keys are available today to store and retrieve client-side certificates, and specialized APIs ease the management of these devices on the client side. PKI is also available as a managed service from various vendors, which also helps alleviate management issues.

There are various models possible for a PKI implementation depending on the scalability and complexity requirements:

a) Root CA/Hierarchy Model
b) Cross-Certification Model
c) Bridge CA Model
d) Cross-Recognition Model
e) Certificate Trust List model

“These models have many interoperability variations and the customer should be careful while choosing the right model. Considering the cost sensitivity and the medium scalability required by Indian customers the Root CA Model is the best approach for an Indian enterprise,” said Bijral.

The Government of India has initiated a major e-Governance initiative, known as MCA-21, in the Ministry of Company Affairs (MCA) for putting in place an operational system for electronic transactions of the core activities under the Companies Act. After the launch of this initiative, e-Filing of IT returns or forms to be submitted to the Income Tax, Excise and ROC (under the MCA21 Project) authorities became mandatory. MCA envisages that paper forms and documents will no longer be accepted by ROC offices once e-Filing is launched.

MCA 21 is the biggest example of a successful PKI deployment in the country. It was launched by the Prime Minister at Delhi on 18th March, 2006 and is expected to be rolled out to all parts of the country. It is mandatory for corporate assessees to file their e-returns (Income Tax) with effect from 24th July 2006. According to MCA, filing of returns by companies from September 16, 2006 will be accepted by the MCA21 system only if the document is signed by authorized personnel.

Businesses therefore need to classify which of their information needs to be encrypted and, depending on cost, can choose among various technologies to encrypt it. More initiatives such as MCA 21 need to percolate down, and such signing should be made mandatory for all e-transactions on the Web.

varun.aggarwal@expressindia.com

© Copyright 2001: Indian Express Newspapers (Mumbai) Limited (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Mumbai) Limited. Site managed by BPD.