Encryption no longer an optional technology

Ezine

This article can also be found in the Premium Editorial Download "Information Security magazine: Security 7 Award winners sound off on key information security issues."

Download it now to read this article plus other related content.

Unravel the ins and outs of how your organization should deploy encryption.


For many years, encryption was something companies could choose to use if they wanted an extra degree of security for their data. However, the days of optional encryption are gone forever. Today, companies in a variety of industries are subject to regulations that mandate encryption and other security measures, and face stiff penalties for failure to adequately protect their data. Even if a company is not subject to these types of regulations, many states have laws requiring companies to disclose security breaches in which unencrypted customer data has been compromised.

Consequently, it is no longer a question of whether a company should use encryption, but rather how a company should encrypt data. The first step in planning an encryption strategy is to understand the primary types of available encryption solutions: storage, network encryption and application-level. While each offers benefits, there are also drawbacks to take into account.


    Requires Free Membership to View

    Login

compliance

Details
PCI is far more prescriptive than HIPAA when it comes to encryption.
by Marcia Savage

What do regulations such as HIPAA actually require in terms of encryption? The HIPAA Security Rule lists encryption as an "addressable" technical safeguard, which means it's not mandatory but must be addressed. "Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate," the rule reads.

Like many regulations, HIPAA is intended as guidance rather than mandates, says Richard Mackey, vice president of consulting at SystemExperts. Ultimately, a risk analysis is required to determine the specific security measures a business should implement. "You're supposed to conduct a risk analysis to figure out the real risks, the likelihood of an attack, and what methods would be effective in protecting against those attacks," he says.

Far more prescriptive is the Payment Card Industry Data Security Standard, which provides specific direction on encryption. Requirement 3.4 lists four ways organizations can make the Primary Account Number (PAN) unreadable wherever it is stored: strong, one-way hash functions; truncation; index tokens and pads; and strong cryptography with associated key management processes.

Then, there are the state laws (at least 44) requiring notification of breaches involving personal information, many of which make exemptions for encrypted data.

This was first published in October 2008

Join the conversationComment

Share
Comments

    Results

    Contribute to the conversation

    All fields are required. Comments will appear at the bottom of the article.
    Back to top