Video: Data encryption techniques and methods for protecting data
Date: Feb 10, 2008
According to a survey of more than 608 enterprise security pros, 80% of enterprises say they need a better strategy for protecting data.
SearchSecurity.com is responding to this growing need with a multi-lesson Data Protection Security School to help you formulate a comprehensive strategy to secure sensitive info throughout your network.
This screencast will highlight different data encryption techniques and methods, and help you discover the options, challenges and risks associated with different data encryption approaches and how to implement and use data encryption to protect sensitive company data.
Introduction: Data encryption techniques and methods
- Business drivers
- Potential points of protection
- Encryption methods
- Managing the project
- Choosing a product
Data Encryption Business Drivers
- Follow that data
Potential Data Storage Points
- Portable Storage
Data Encryption Techniques and Methods
- Hard drive
- Trusted Platform Module (TPM)
- Digital Rights Management
- Mobile Methods
Hard drive; Software Methods
- Policy server
- Client software component
- Integrated with USB or smartcard
- Hidden costs
Hard drive; Hardware Methods
- Desktop Methods
- Usually hardware key
Trusted Platform Module (TPM)
- All business-class PCs
- Requires free client from PC vendor
- Integrates with biometrics
- Partial disk encryption only
- VERY secure
- U.S. courts following this technology closely
- Only one third-party central policy server available
Digital Rights Management
- Encrypts the content (data only)
- Protection travels with the data
- New meta data controls
- Central policy server
- Requires client software
- Author determines rights
- Software only
- Central policy server
- Application or platform specific
- Cross platform
- Portable encryption challenges
Managing the project
- Team selection
- Choose encryption type
- Product testing
- Vendor selection
Choosing an effective data encryption solution
- What are you protecting?
- Have you had a breach recently?
- Where/how is your data going?
- Infrastructure capability
- Varies greatly by vendor
- Greatest obstacle to encryption deployments
- Key management
- Key backup
- Key recovery
Data Encryption Methods and Techniques: Conclusion
- While regulations may be the largest push, business concerns are also a cause for growth
- Wide range of devices that require protection
- Full disk, partial, mobile devices or combinations
- Choosing a product should be a business decision -- not IT alone
- Key management is the greatest headache
About the speaker:
Tom Bowers is managing director of consulting firm Security Constructs.
Read the full transcript from this video below:
Please note the full transcript is for reference only and may include errors. To report an error, contact firstname.lastname@example.org.
Eric: Hello and welcome to Data Encryption Demystified with guest speaker Tom Bowers. My name is Eric Perigrow and it's great to have you with us. It's no surprise that data encryption has been getting a lot more attention as of late because of a number of high-profile data security breaches. Many organizations are wondering whether comprehensive data encryption is the only way to ensure that sensitive corporate information never finds its way into the public domain. We'll discuss the industry regulations and privacy laws fueling many data encryption initiatives as well as the benefits, challenges, and risks associated with today's data encryption methods plus much more.
Our speaker today, Tom Bowers, is the Managing Director of independent think tank and security industry analyst group Security Constructs. He holds the CISSP, PMP, and Certified Ethical Hacker designation, and his areas of expertise include aligning business needs with security architecture, risk assessment and global project management. Tom is a technical editor for Information and Security magazine and a regular speaker at industry events like Information and Security Decision. Thanks for joining us today, Tom.
Tom: My pleasure as always, Eric. Thanks.
Eric: And now, without further ado, ladies and gentlemen, Tom Bowers.
Tom: Thanks, Eric. Data encryption is an area that's really truly near and dear to my heart. I've been doing a lot of work over the past five or six years. I've worked a lot of products, I've reviewed a lot of products, and I've broken a lot of products through the years using data encryption, so hopefully today we can begin to tear away some of those veils that create a mist in front of what data encryption can and cannot do, how it meets business needs, what you need to do to think about.
Today we're going to start, as we always should in this field, in the information security field, with the business drivers. We'll certainly talk about business drivers holistically as well as regulatory, etc. We're going to talk about some of the potential points you need to look for protection. Some of these may surprise you; some of these you may not have thought of before; some are very obvious. We're going to look at the various encryption methods, and there are more available today than there ever have been.
Then, we have to talk about managing a project. You have to look at this whole encryption process as a deployment project and all the various components there. This is probably one of the more surprising slides and probably the most important here. Then we will talk about how do you choose a product. How do you go about choosing the right solution for your enterprise. Lastly, we'll talk about keys, key management, key creation. It's really the lynchpin for encryption processes today.
So, the business drivers. We have to obviously start with the business itself and, in my mind, even though a lot of corporations are going to item number two, regulations, and they're doing a quick and dirty reaction to regulatory requirements, you really have to start with the business. You have to look at the data losses that you are suffering or you're potentially suffering. You have to look at things like outsourcing, where your information's flowing. Do you have a mobile workforce? Do you have, in past companies I've worked for we've had very large, remote sales forces in the thousands of people and not just in the United States but in other parts of the world as well. Now, you add to that things like outsourcing and the whole business momentum, the business drivers for why you'd want to encrypt or protect that data become a little more clear.
You also want to maintain competitive advantages. Let's think about losing laptops, having an executive at a local restaurant, having a car broken into and stealing a laptop. Well that particular executive may be your Strategy and Marketing VP. So the information on that laptop could be highly, highly valuable. And don't be misled, competitive intelligence agencies, other competitors out there, this kind of stuff really does happen. There are a lot of cases in the court system about lost laptops that are going to competitors or finding its way into competitor's hands. So competitive advantage can be a true business driver.
Well certainly we can't talk about encryption without talking about regulations. Certainly, privacy is, in my mind, the biggest driver right now. It's certainly the most public. You see the Veterans' Administration is a great example last year. I happen to be, actually I and my wife happen to be two of the people of those 25 million on that laptop that were lost because there was not only military personnel but some of the military spouses between certain years. Well, we happened to be among those.
Obviously, they got very fortunate and recovered that laptop intact. They then confirmed that forensically, but privacy, that whole breach notification - it gets attention in the CEO suite. Why does it get attention in the CEO suite? Because it drops the stock price. You have to do a public notification, it's required by regulations and laws, and when you do the public notification, your stock price drops. The average has been around 15% or anywhere from a few days to a few months depending on the company, the size of the breach, etc.
When you talk about even companies like DuPont, who lost, an insider employee tried to steal $400 million worth of intellectual property. They announced that back in February. This really wasn't an encryption issue, but it points to the fact that this kind of stuff really does happen, and when DuPont made that public notification, their stock actually took a dip for a while. Well, you think of a company the size of DuPont, how much is 15% of their stock price? That's a lot of market capitalization. So the whole privacy issue, in my mind, tends to be a big business driver in my mind for encryption.
Certainly you have other areas like the PCI, the Payment Card Industry, the FFIEC guidelines for financial, the FERPA guidelines, people don't tend to know about that one even people in education. It's really virtually identical to FFIEC in many ways, it's just pointed at education. So there are a number of regulatory guidelines here that you must meet that are driving the encryption process. The bottom line, though, is you have to follow the data. That's really what you have to point to for this encryption process. Let the business data use drive the project. And you have to think globally. You can't just look at your laptop in a local pizza joint; you have to look at the outsourcing agreements that you're making with Romania, with Hong Kong, with India. You have to think in global terms as to what encryption you may need and how it needs to be deployed.
So this becomes an interesting point. In my formal position as a senior manager of information security, I was responsible for intellectual property protection. It's very interesting, when you begin to do some investigations, about how people are either intentionally or unintentionally releasing information, your intellectual property. The most obvious one is laptops. Lots and lots of laptops out there, a lot of laptops get stolen. Big corporations are reporting anywhere from 100 to 200 lost, quote unquote lost, every year. Well, how much intellectual property is on those laptops? Well then you've got portable storage devices.
We all know it used to be five and a quarter floppies, well now I'm dating myself. But five and a quarter floppies, then three and a half inch floppies, three and a half inch floppy was approximately 50 pages of text. Well now you can get a USB flash drive that's eight gigabytes, so how much data can you put on eight gigabytes? And I was just reading last week that the big chip manufacturers are looking at the second generation of flash memory, what they're going to do to upgrade, so I expect to see 20 and 40 gig, maybe even larger, flash drives. Small, little pen-like devices that fit in your pocket. It's going to be too easy to lose information along with those devices. You still have things like CD-ROMs, however, DVD-ROMs, so you can have 650 meg, you've got 4 to 7 gig depending on the format.
But some of the more interesting ones are things like MP3 players, cellphones where people connect them to their corporate workstations and decide that, and for the most part it's inadvertent loss. They're copying files on an MP3 player because it's just a storage device. Most of the time it stores music, but it can certainly store data, and they take it home. Their intent is to put it on their home computer and do work at home. Well, unfortunately, that's a data leakage point. Cellphones are the same way, just as importantly are cellphone cameras. That's an area that most people think about. You can take your cellphone camera nowadays, take a picture of a document on a desk, take a picture of a screen, send it to a website on the Internet for free via your cellphone. And that document will be OCRed (Optical Character Recognition scanned), and they will then turn around and send you a PDF file. All of this for free, and it takes about five minutes. Then there's a lot of good software out there that converts PDFs back to Word documents, word processing documents. So now I've gone from a cellphone camera picture to a word processing document in less than ten minutes. So it's a leakage point most people don't think about, and it may be an area that you're going to have to think about protecting, potentially with encryption.
This is what we're going to try to go over today, and there's a lot of meat here folks, and there's a lot to cover. Certainly, there's hard drive, we're going to talk about both software and hardware methodologies for it, and, of the two, hardware is really an interesting space. There's some real growth going on in the hardware portion of it. The trusted platform module, TPM chips, we're going to talk extensively about that, that's a real surprise area for encryption. Digital rights management is a new and very growing area. Some people talk about it in terms of enterprise management.
Think here, digital rights management for newbies that you'll buy at your local retailer store, or you buy a CD of your favorite musical artist and they've got encryption built around that. Now what's really digital rights management; what I'm talking about here, is an enterprise version of it. Then, mobile methods. I've mentioned some of those mobile methods already, things like MP3 players, cellphones, etc. What are some of the encryption methods we can apply to that.
So the first one, obviously, we have to talk about is software methods. It's really been along the longest. Our software methodologies, there have been some vendors that have been in this space 10 and 15 years, actually a very long time. What I'm seeing nowadays that's really encouraging with the software vendors are policy servers. That allows me central control, it allows me a great deal of reporting and auditing capabilities. It allows me to set up standard configurations based on business unit needs, so I can set up the encryption, I can set up its utilization, I can set up its use, how the client ends up interfacing with it, that encryption software product. I can set all of that up in a policy server. That becomes a really big deal in a global enterprise. The last enterprise I worked for, 52,000 employees, a 120 offices in a hundred countries globally. So, that's where a policy server became very important.
There's obviously, though, a client software piece on the machine that has to be loaded onto each and every machine. Typically, that client software is set up for use of full disk encryption, but it could be partial; I've seen both. It modifies the boot sector, so it tends to protect data at rest. That's really its forte. This client software piece, basically software encryption, is really data at rest. You have to remember that when you boot that machine up, come up to a desktop, it's basically decrypted. It's being decrypted on the fly, but it's being decrypted. So there are still some vulnerabilities there. It's really data at rest, so it's good for things like laptops that are in cars sitting at a pizza joint so that if they get stolen, it's basically a boat anchor.
It creates, however, a big processor load. It's gotten much better. When I started looking at software-based products six years ago, it created a huge processor load and as a consequence there were real vulnerabilities. So I was able to actually break, not necessarily break the encryption, but break the process of, or get it to come to a halt, if you will, and throw out its contents into the paging file. That paging file would give me user names and passwords. So processor load is not the problem it used to be with AES encryption. AES encryption is much more efficient than Triple DES or DES ever was. Even Blowfish, etc. There are some really good algorithms out there. AES is mathematically, and from a processor standpoint, very efficient. So it's not as bad, but there is still a problem.
And as I mentioned, it has leaked usernames and passwords in the past. The new generation, I am saying, is much stronger, and the newer generation can protect in a better fashion. It can protect that data in live form, so when you come up to the operating system, even though it's being encrypted/decrypted on the fly, my ability to go in and affect that process is a lot more difficult nowadays. It can be integrated with USB or smart cards, and I think this is a very, forgive the play on terms, but I think it's a very smart play that you use it with USB and smart cards. Because remember that as I talk about these encryption technologies, it's only as good as the access control.
I just stated that some of the earlier generations of software-based, I could get it to basically halt. I broke it using a SETI@Home client. I just overloaded the processor basically, I got the encryption/decryption to halt. When it halted, it spit out usernames and passwords in plain text. Doing the same thing with USB and smart cards makes it a more difficult process because you're strengthening the access control for encryption, so.