Enforce password complexity. Be both proactive and reactive. Your systems should automatically check new pass phrases the first time they are entered, and force users to replace them if they are weak. You can also test existing passwords, using cracking tools, but this should be a backup, not your primary enforcement.
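As an added example of the proactive check described above (not code from the article), the following Python gate evaluates a new pass phrase at enrolment and returns the list of policy violations, so the user can be told what to fix. The policy thresholds, the tiny common-password set and the "letters only" comparison are assumptions for illustration; a real deployment would load a large breach-derived list rather than embed one.

```python
import re

# Constructed sample of a common-password list; a real deployment would load a large
# breach-derived list from a file (hypothetical path) instead of embedding it.
COMMON_PASSWORDS = {"password", "password1", "letmein", "qwerty", "welcome"}

MIN_LENGTH = 14      # below this length the pass phrase is always rejected (assumed policy)
LONG_LENGTH = 20     # at or above this length the character-class rule is waived (assumed policy)
MIN_CLASSES = 3      # out of four: lower, upper, digit, other


def character_classes(passphrase: str) -> int:
    """Count how many of the four character classes appear in the pass phrase."""
    checks = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for pattern in checks if re.search(pattern, passphrase))


def check_passphrase(passphrase: str) -> list[str]:
    """Return every policy violation found; an empty list means the pass phrase is acceptable."""
    problems = []
    if len(passphrase) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(passphrase) < LONG_LENGTH and character_classes(passphrase) < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character classes")
    # Compare the letters only as well, so "Password1!" is caught by the entry "password".
    letters_only = re.sub(r"[^a-z]", "", passphrase.lower())
    if passphrase.lower() in COMMON_PASSWORDS or letters_only in COMMON_PASSWORDS:
        problems.append("based on a common password")
    if re.search(r"(.)\1{3,}", passphrase):
        problems.append("contains a run of four or more identical characters")
    return problems


def accept_new_passphrase(passphrase: str) -> bool:
    """Proactive gate: call this the first time a pass phrase is entered."""
    return not check_passphrase(passphrase)


if __name__ == "__main__":
    for candidate in ("Password1!", "Tr0ub4dor&3-Bicycle", "correct horse battery staple"):
        print(candidate, "->", check_passphrase(candidate) or "accepted")
```

Running the check at entry time is the enforcement the article calls for; periodic offline cracking of the stored hashes then only has to catch what slipped past an older policy.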
Use two-factor authentication. Pass phrases aren't enough. Protect your investment in encryption. It's expensive, but so is losing your data.
Defend the host. The keys are as safe as the system they are stored on. Invest in strong endpoint security that includes firewall, host IPS and strong patch management, in addition to antivirus and antispyware.
Look for integrated key management. For database encryption, the most robust key management must be implemented in the database itself, not added on later. Oracle, the leader in this regard, integrates key management into the database when you use their security options.
Validate before you go live. Perform end-to-end penetration testing against the solution to ensure that there are no unaddressed vulnerabilities. Many organizations do a solid job testing functionality but do not test security. Bring in an independent third party to find issues that developers missed. For example, a pen tester would look for alternative ways to access data without the key, such as attempting SQL injection attacks.
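The SQL injection check mentioned above, shown as an added example that is not from the article: a lookup that builds its query by string concatenation beside the parameterised version, run against a constructed in-memory SQLite table. The table, column names and the probe string are assumptions for illustration; the point is that the hardened form returns nothing for the same input, which is the behaviour a pre-go-live test should confirm.

```python
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for an application's customer data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO customers (name, card_last4) VALUES (?, ?)",
        [("alice", "4242"), ("bob", "1111"), ("carol", "9876")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Concatenates user input into the statement: the defect a pen tester looks for."""
    query = f"SELECT name, card_last4 FROM customers WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_hardened(conn: sqlite3.Connection, name: str) -> list:
    """Bound parameter: the input is data only and cannot change the statement's structure."""
    return conn.execute(
        "SELECT name, card_last4 FROM customers WHERE name = ?", (name,)
    ).fetchall()


# The textbook tautology string a security review would try against a lookup field.
PROBE = "x' OR '1'='1"


def compare_lookups(probe: str = PROBE) -> tuple:
    """Return (rows from the vulnerable lookup, rows from the hardened lookup) for one input."""
    conn = build_demo_db()
    return len(lookup_vulnerable(conn, probe)), len(lookup_hardened(conn, probe))


if __name__ == "__main__":
    vulnerable_rows, hardened_rows = compare_lookups()
    print(f"vulnerable lookup returned {vulnerable_rows} rows, hardened returned {hardened_rows}")
```

A finding like this matters doubly for an encrypted database: if the application decrypts on behalf of any caller, an injection flaw hands out plaintext without ever touching the key, which is exactly the "access without the key" path the article warns about.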
The message is: don't take encryption lightly. If you cannot properly manage the keys, implementing encryption gains you nothing. Implement controls and secure distribution channels for the keys to reduce risk. Be particularly cautious if you're considering live database encryption. If the database vendor does not provide built-in key management, it might make sense to forgo database encryption and use other methods of protection.
This was first published in June 2007