Source encryption systems encrypt the data at its source. A file system, such as Windows Encrypting File System, or a database encrypts the data stored therein. If data is stored encrypted, and it is not decrypted when backed up, it would meet the encryption requirement of various breach notification laws; you wouldn't need to notify customers if you lost a tape with personal data on it. These systems have the added benefit of encrypting data while it's being transferred across the network. For those concerned about malicious insiders, this can be a real plus.
The Classification Challenge
Classifying data is tough without help from appliances tailor-made for the chore.
If an organization wants to encrypt only data that would result in it having to do a public disclosure in the event of a breach, then it needs to be concerned about personal information. The challenge is in making sure you locate where such information is stored.
Some of the obvious locations are customer information databases, as well as imaging systems where contracts are stored. Other locations may be less obvious and very difficult to find.
The best way to ensure you've found all that personal data is to use a data classification appliance. Without one, data classification is nearly impossible. These appliances crawl your file systems, databases, Web pages and even backup tapes, looking for metadata to classify information based on sensitivity, and they always seem to find data in places you didn't think it resided.
The cost of these devices ranges from a few thousand dollars to tens of thousands of dollars, and they support several different ways to access your files, such as HTTP, NFS and CIFS. They typically are very easy to use and install.
Source encryption systems suffer from a number of drawbacks. First, they typically impact the performance of the file system or database in question: every file or database record must be encrypted when written and decrypted when read, and that overhead can be significant.
Another challenge is key management, because each file system or database type would typically have its own encryption system and set of encryption keys to manage. Since key management is a top priority when storing data at rest, this is a big concern. If you've got several data types to encrypt, this may become a show stopper. Managing one key system is challenging enough; managing multiple key systems would be even harder.
Finally, encrypting data at the source removes the compression feature of any backup system since encrypted data cannot be compressed. This would result in a 25 percent to 50 percent loss in capacity and performance from Unix, Windows and MacOS backup environments. (Hardware compression increases performance as it reduces the number of bytes actually written to tape.)
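The compression point above can be measured directly. The following script is an added demonstration, not code from the article: it builds a constructed set of customer-style CSV records, compresses them with zlib as a stand-in for a backup drive's hardware compression, and then compresses the same data after it has been encrypted. The stream cipher (SHA-256 keystream in counter mode) is a demonstration cipher chosen so the script needs only the standard library; it is not a production cipher. The script also shows that compressing before encrypting keeps the savings, which is the only ordering that works once data leaves the source encrypted.

```python
"""Added example: how source encryption defeats backup compression.

Sample records and the keystream cipher are constructed for this demo only.
"""
import hashlib
import os
import zlib
from typing import Dict


def build_sample_records(n: int = 2000) -> bytes:
    """Constructed customer-style CSV data: repetitive, like a real backup set."""
    lines = ["id,name,city,status"]
    cities = ["Springfield", "Riverton", "Lakeside", "Hill Valley"]
    for i in range(n):
        lines.append(f"{i:06d},Customer {i % 500},{cities[i % 4]},active")
    return "\n".join(lines).encode()


def keystream_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Demo stream cipher: XOR data with SHA-256(key || nonce || counter) blocks.

    Same call decrypts. The output is pseudorandom, which is exactly what
    leaves a downstream compressor nothing to work with.
    """
    out = bytearray()
    for counter in range((len(data) + 31) // 32):
        block = hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        chunk = data[counter * 32:(counter + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def compression_ratio(data: bytes) -> float:
    """Compressed size divided by original size; 1.0 or more means no savings."""
    return len(zlib.compress(data, 6)) / len(data)


def compare_orders(plaintext: bytes, key: bytes, nonce: bytes) -> Dict[str, float]:
    """Ratios for plaintext, encrypt-then-compress, and compress-then-encrypt."""
    # Distinct nonces: a keystream must never be reused across two messages.
    encrypted = keystream_encrypt(key, nonce + b"\x00", plaintext)
    compressed_then_encrypted = keystream_encrypt(
        key, nonce + b"\x01", zlib.compress(plaintext, 6)
    )
    return {
        "plaintext": compression_ratio(plaintext),
        "encrypt_then_compress": compression_ratio(encrypted),
        "compress_then_encrypt": len(compressed_then_encrypted) / len(plaintext),
    }


if __name__ == "__main__":
    key, nonce = os.urandom(32), os.urandom(16)
    for label, ratio in compare_orders(build_sample_records(), key, nonce).items():
        print(f"{label:24s} {ratio:.3f}")
```

On the constructed records the plaintext shrinks to a fraction of its size, the encrypted copy compresses to slightly more than its input (zlib adds framing but finds no redundancy), and compressing before encrypting retains the full saving. The same measurement against a real backup set is a quick way to see what source encryption costs a given environment.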
As a result, source encryption is mainly applicable to encrypting very small amounts of data, such as a single file system or database storing personal information. It's also appropriate if you're concerned about encrypting data before it's transmitted across an insecure network.
This was first published in February 2007