Encryption may be good for securing data, but it blinds network-based IDSes. While there aren't any surefire fixes, these techniques will steer you in the right direction.
Encryption used to be unequivocally good for security. After all, it kept the bad guys from getting at our private information, right? Who could argue with that? Many of us became crypto-evangelists, demanding encryption everywhere.
Then we realized that we were blocking our view with all this encryption.
Administrators need to be able to look at the entire network to properly defend it. IDSes, IPSes, sniffer tools and network analyzers provide a clear view of network activity. But, the more prevalent encryption becomes, the more we lose that view.
So is encryption bad for security? Are IDSes and IPSes dead? No, but imprudent use of encryption can send a well-meaning network security engineer into unsafe territory.
The pressure is on for enterprises to implement encryp- tion as a standard of due care--HIPAA mandates privacy for health care transactions, and California's SB 1386 requires the disclosure of security breaches of unencrypted personal information. In the private sector, the Payment Card Industry (PCI) security standard includes rules regarding data encryption for credit card transactions.
How can an enterprise protect itself from the bad guys, meet regulatory requirements and have an effective IDS/ IPS solution? While there are no clear-cut answers,
Requires Free Membership to View
SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!
Michael S. Mimoso, Editorial Director
we'll explore some of the ways you can keep a clear look out for hazards on the horizon.
This was first published in September 2006