Enterprise encryption strategy: The path to simple data encryption

Encryption has become much more usable in recent years, to the point where a company of nearly any size can rely on simple data encryption to protect sensitive data and, in some cases, help meet compliance needs as well.

In this presentation, IT security professional Mike Chapple provides a brief introduction of encryption technology and what it can and can't do. He also examines the state of the technology landscape, discusses different types of encryption, covers the best usage scenarios for encrypting different devices and data types, and offers a helpful enterprise encryption strategy to make encryption easier for your organization.

This presentation covers:

About the presenter:
Mike Chapple is an IT Security professional with the University of Notre Dame.

This presentation was originally recorded Sept. 27, 2010.

Read the full text transcript from this video below. Please note the full transcript is for reference only and may include limited inaccuracies. To suggest a transcript correction, contact [email protected].  

Enterprise encryption strategy: The path to simple data encryption

Welcome to the Search Security Webcast: Simplifying Encryption. I am
Mike Chapel. Encryption can be an intimidating topic. It may bring to mind
visions of mathematicians with chalk boards full of formulas and
complicated security technologies. In this webcast we are going to break it
down into simple terms.

We are going to talk about what encryption is, what it can and cannot do,
the basics of encryption algorithms, and some simple applications of
encryption. To get started, we first have to talk about what encryption is.
And there is an entire field of cryptology dedicated to the study of
encryption. Basically what it is is taking plain text information, clear
messages, and converting them, using mathematical algorithms in a
ciphertext, that is not understandable to someone who is not an intended
recipient to the message. The ciphertext can only be decrypted by someone
who has access to the encryption key, and this is a theoretical
requirement, of course. There's a whole entire field called cryptanalysis
that is dedicated to breaking encryption schemes. It is very important that
you select a strong, credible encryption algorithm, and that you carefully
protect your key when you are using encryption. We will talk more about
that later on.

Encryption is one of the strongest tools in the security toolkit. It can
provide several major benefits. But it is important to recognize what
encryption can do and what it cannot do. There are two major functions
encryption can perform. First, it can protect data in transit, so data
traveling over a network, whether it is your local network, a wireless
network or the internet. It can be protected against eavesdropping with
encryption, so that someone who is also on that same network, who has
access to the data transiting the wire or traveling over the air, cannot
read the contents of the message while it is being sent. Encryption can
also protect data at rest from theft. So information stored on a laptop
computer or external hard drive, for example, those physical devices are
vulnerable to theft if they are left in an unsecure location. If the data
on them is encrypted, however, the thief only makes away with a hardware
device worth a few hundred dollars, and does not have access to the
sensitive data that might be stored on it and might be worth much, much

Now that you understand those two things that encryption can do, it is
important to remember what encryption cannot do, and that is everything
else with security. Encryption is not a [panacea]. It provides protection
for data at rest and data in transit. But you still have to worry about the
configuration of your security devices and computers, using other security
controls, such as firewalls and antivirus to protect against malicious code
and also the insider threat. Remembering that someone who has access to the
encryption key can bypass all of your encryption controls, so there is
always that risk that an internal person will take some action against you.

Let us take a look at the four goals of cryptography. Before we do that I
want to introduce you to three people. Alice, Bob and Mal. These are three
characters that are commonly used in examples when we are talking about
cryptography to describe the transit of a message between two people and
the goals of cryptography during that communication. In this example, Alice
is the sender of a message and Bob is the intended recipient. Mall is the
spy, the evil person who is lurking in the background trying to gain access
to that message, and bypass the goals of the cryptography.

The first goal is confidentiality. When Alice and Bob communicate with each
other, they both want to make sure that the communication is secret. That
is, Mal or anyone else, even if they are able to gain physical access to
the message while it is in transit between them, is not able to understand
what the contents of that message are. The second goal of encryption is
integrity, protecting the contents of the message from alteration. Bob and
Alice both know that if when Bob receives the message the message that he
is looking at is the message that Alice actually sent. And that it was not
altered by Mal when it was in transit.

The third goal of cryptography builds on integrity, it is called non-
repudiation. And what it does is it provides Bob the ability to go one step
further. In addition to him being able to prove to himself that the message
he received was not altered while it was in transit. It also provides Bob
with the ability to prove to other people that the message that was sent
actually came from Alice, so it is evidence that he could use to prove to
Charlie, the third party who is not even shown here, or a court of law for
example. That the message that he is holding came from Alice and is not
something that Bob could have forged himself. Finally, the fourth goal of
encryption is authentication, providing evidence of identity. With this
goal Alice is able to use encryption to prove her identity to Bob or to
someone else.

Those are the four things we try to do with cryptography. There are two
basic technical operations that we can perform using the mathematical
functions of cryptography. The first of these is encryption. Encryption is
again, quite simply, taking plain text, running it through an encryption
function with some kind of encryption fee which you can basically think of
as the password to the encryption and producing ciphertext. So an
encryption function uses the super key to convert plain text into
ciphertext. Once you have that ciphertext , the recipient of the message
has to do something to be able to read it, and that is decryption. The
decryption function takes that ciphertext , uses a decryption function with
a super key to convert it back into plain text again.

There are two different types of cryptography, symmetric algorithms and
asymmetric algorithms. The main difference between them, is the types of
keys that are used. In symmetric cryptography both the sender and the
recipient use the same key. So the same key is used for the encryption
function and the decryption function to transport into plain text into the
ciphertext and the ciphertext back into the plain text again. In
asymmetric cryptography on the other hand, different keys are used. So both
the sender and the recipient have different keys that are used for the
encryption and the decryption function. The sender is the only one who
knows the encryption key, and the recipient is the only person who knows
the decryption key. We are going to continue to talk about this as we move
through the presentation.

Let us take a deeper look at symmetric cryptography. We are going to talk
about the number of keys that need to be used. In our basic example where
we have Alice and Bob using symmetric cryptography, there is only one key
that is used. So Alice and Bob have that shared secret key that Alice uses
to encrypt the message and then Bob uses it with the decryption function to
decrypt the message when he receives it. It is very straightforward. If we
add a third person, Charlie, to the scenario. And everyone in this network
now; Alice, Bob and Charlie want to be able to communicate privately with
everyone else in the network, we have to have three different keys. Alice
and Bob have to have a shared secret key that Charlie does not know, Alice
and Charlie have to have a shared secret key that Bob does not know and Bob
and Charlie have to have a shared secret key that the other two do not
know. The three total keys are needed for the encryption.

As we expand the scenario, you can see here examples of what happens when
we move from two to three, four, five, six or even seven people in the
communication. The number of keys needed to provide that direct path
between each of the two individuals grows very, very quickly. Here is a
slide that shows you this mathematically. So the formula at the bottom of
the slide; N x N -1 / 2, tells you how to take the number of people, N, who
are communicating and transform it into the number of keys that are needed.
So if we have a very realistic scenario in a company where you have 100
users, you would actually need 4,950 keys for each one of those users to
communicate with everyone else privately. You can imagine that every time
someone comes to, or leaves the organization; you have to change all of the
keys that they used in order to update your security.

If we grow to a large enterprise that has 20,000 users, the scalability
becomes completely unmanageable. Because now we need just about 200 million
keys to allow that private communication. That is where asymmetric
cryptography comes into play. As I mentioned earlier, in asymmetric
cryptography each user gets a pair of keys. So every user that is in the
system has a public key and a private key. The private key, as the name
implies, is kept for the users use only, it is not shared with anyone else.
The public key is freely distributed to everyone else in the organization
or everyone else with which that person might need to communicate with. The
asymmetric algorithm is set up in such a way, that anything encrypted with
one key from the key pair can only be decrypted with the other key. So
anyone who wants to send a user a message has access to that user's public
key and can encrypt the message using that key. The user is the only one
who can decrypt the message. Because he or she is the only one who actually
has access to the private key. This allows for greatly enhanced

If we go back to our chart and add a new column for asymmetric
cryptography, you can see here that the formula used to compute the number
of keys simply takes the number of users and multiplies it by two. In our
mid-size business example where we had 100 users and we would have needed
almost 5,000 symmetric keys, we only need 200 asymmetric keys. As we scale
to a larger enterprise where we needed 200 million keys for 20,000 users,
we would only need 40,000 asymmetric keys. That is obviously a much more
manageable scenario.

Now you may be asking yourself why wouldn't we use asymmetric encryption
for everything? The trade off is that using this algorithm lets us have a
much, much smaller number of keys takes a lot more computational power. It
is a lot slower to use. Symmetric cryptography is fast but requires more
keys in a larger environment, and asymmetric cryptography is slower, but
lets us have much simpler key management. In a moment we will talk about
some technologies that combine symmetric and asymmetric cryptography to
have the benefits of both. Where we can have a smaller number of keys using
asymmetric cryptography, but then we can switch over to symmetric
cryptography and benefit from the enhanced speed of that method. The
security of the encryption key is critical. As I mentioned earlier, it is
the password, it is the secret sauce in cryptography. The algorithms are
widely known to everyone in the world so the key must be very difficult to
guess, just like a password. It should be chosen from a large key space, so
we want to have a large number of possibilities. We want to have long keys
that consist of letters, numbers, punctuation, we choose them just like we
would a password. It is good to have them randomly selected so that they do
not match dictionary words, and carefully guarded so that no one gains
access to the key. Generally speaking, the longer the encryption key, the
more secure the encryption.

There are many, many choices for encryption algorithms. Both symmetric and
asymmetric, but all of these are based upon two fundamental concepts
substitution and transposition. Substitution cyphers are very simple. What
they do is take each letter of the message and they replace it with another
letter. If you think back to the Captain Crunch decoder rings of your
youth, where you had a little wheel and you knew to turn all of the A's
into Q's and all of the B's into R's and so on, that is very simple
substitution. Transposition is moving the letters around in a message, so a
word or letter scramble. Where each letter shifts around in a predetermined
pattern that can then be unscrambled. Very, very basic substitution and
transposition ciphers are very easy to crack. With the Captain Crunch
decoder ring, there are only 26 possible combinations, there are only 26
ways that you can set that ring for substitution encryption. However,
modern encryption algorithms still use these very basic techniques, but
they combine them in a very complex fashion, to provide secure
cryptography. And they rely on very advanced mathematics.

We are not going to go into the details, it is not necessary when you are a
user of encryption to understand the math. What is important to know is
that you selected an algorithm that is mathematically sound, and has been
tested and validated by the cryptographic community. What I would like to
do is to show you an example. There is an encryption algorithm from the
1980's known as the Data Encryption Standard and how it works. In the
picture here you see the basic operation of Data Encryption Standards,
something known as the Feistel Function. And it takes text that is coming
in from the top here, that is that half block that is mentioned at the top
of the diagram, it takes the encryption key, it is called the sub-key in
the diagram, 48 bits. And runs it through, each one of those s1 through s8
boxes is performing a substitution operation. We are performing eight sets
of four substitution operations, so 32 substitution operations on a piece
of the message. Then we are doing what they call in the data encryption
standard permutation, the transposition of the message.

We take those 32 substitutions and we scramble them up and that is the
basic operation of the data encryption standard. This operation actually
happens 16 different times. As you can see, it takes the very basic
building blocks of substitution and transposition, and combines them in a
complex fashion. The interesting thing is that the data encryption standard
is no longer considered secure. That complicated algorithm that I just
showed you is not sophisticated enough to provide security for a modern
environment. It is very easy to break. But there are stronger algorithms
available, a few examples are the Advanced Encryption Standard, which for
government use replaced the Data Encryption Standard. There is RSA public
key cryptography, there is an algorithm called Blowfish and there are many
others. The key to take away from this, is that it is critical that you
choose an encryption algorithm that is proven; that the cryptographic
community has tested, validated and vetted. When you see someone making up
their own encryption algorithm or telling you that the encryption they use
is proprietary and secret to their organization, that is a gigantic red

Encryption algorithms are complicated, and they should never depend upon
the secrecy of the algorithm to provide its security. The algorithm should
be open and available for public scrutiny and tests by mathematicians. Who
can validate that it is secure, there are not flaws or intentional back
doors built into the algorithm to allow the developers to gain access to
the information without the key. Rather, the security should always rest in
the key. As long as you keep that key secure, your encryption will be
secure. That is a summary of the basics of cryptography and how the
technology behind cryptography works. What I would like to do now for the
remainder of this webcast is talk about a few applications of cryptography.
There are four specific areas that we are going to talk about. The first is
disk encryption, we will talk about full and partial disk encryption. The
second is the use of cryptography to secure electronic mail. The third is
the use of the hyper text protocol over the secure sockets layer. Which is
a very sophisticated way of talking about secure web traffic. The fourth is
virtual private networks, a way you can use cryptography to securely
connect to a network from a remote location.

The first example is disk encryption. Disk encryption is an example of
protecting data at rest, as we talked about earlier. It uses encryption
technology to protect data that is stored on a computer or any other
device. You can use disk encryption for external disks, for USB devices,
for anything that stores data. The primary protection that disk encryption
provides, is protecting against the theft of the device. If the computer,
hard drive, flash drive, whatever it is stolen, the thief who has the
device only has a piece of hardware that is worth a few hundred dollars to
you. They do not have access to the sensitive data that might be stored on
the device. Disk encryption counters a rash of security incidences that
occurred several years ago. Where before people were using encryption
technology, laptops were being stolen, backup tapes were being stolen or
lost from delivery trucks and organizations were being forced to report
security incidents to the public where they did not even know that the data
was actually compromised, but they did know that they lost control of the
device. Because a thief might have been looking for a device and simply
wanted to sell it at a pawn shop for a few hundred dollars, but since the
data on the device was not encrypted, the company had no way of knowing who
had control over it so as a precautionary measure had to notify everyone
that they had lost the data and that it may have been compromised. Disk
encryption protects you against that scenario and stops you from having to
do those notifications.

There are two different types of disk encryption, full disk encryption and
partial disk or file encryption. I will talk about each of those. Full disk
encryption protects the entire hard drive, and these technologies work in a
number of different ways. But essentially they grant access to the hard
drive at boot time. You provide your password to log into the computer and
that password is then used to feed the decryption function so that when the
operating system goes to access the hard drive, it gains access to the real
contents of the drive, and the files stored on your computer. It is
transparent to you. Once you log in to your computer, the hard drive
becomes unlocked essentially. And the operating system has access to all of
the data and it is able to show it to you when you need it. If your hard
drive is not encrypted it is very easy for someone to simply take it, put
it into another computer and read the contents without booting the
operating system that is stored on the drive. They simply boot a different
operating system, read the contents of the drive and are able to bypass the
password controls, and all of the other security and protections that your
operating system provides. When the disk is encrypted, this approach simply
does not work and a thief that gains physical access to your computer, and
then tries to remove the hard drive and insert it into another computer,
won't be able to read the contents. Because they are all encrypted. Without
access to the encryption key, which is protected by your operating system
password, they are unable to gain access to the contents of the drive. So
when a computer with full disk encryption is stolen, the organization can
be confident that the contents of the computer have not been disclosed to a
third party.

Now, just as we talked about early with the encryption having its
limitations. It is very important that you remember here that full disk
encryption protects you against theft. It is a very strong protection, it
is that best that you can do to protect yourself against the loss of data
due to theft of a physical device. But it does not protect you against
anything else so if the computer gets a virus and the user goes and logs
on, gaining access to the hard drive, that virus also gains access to the
data on the hard drive, and that data could be lost that way. Or if the
user simply leaves the computer powered on, logged in and unlocked on their
desk, anybody can walk up to it and gain access to the data. Once it is
unlocked it is unlocked, but if a thief steals a computer when it is turned
off, they will not be able to gain access to the content of the drive.

I have also listed here a few common technologies for full disk encryption.
Microsoft includes the BitLocker technology, which is now built into the
Windows operating system, so it is available to you already. It can be
managed through active directory. Then there are quite a few third party
products. A couple that are very popular is a product called Safe Guard
made by Adamac, and the PGP company is whole disk encryption product.
They all provide different management capabilities and slightly different
functionality. But the main goal is that they provide this full disk
encryption that protects the entire hard drive. The alternative to full
disk encryption is partial disk encryption. Partial disk encryption, as the
name implies, protects portions of the file system. Unlike full disk
encryption which simply encrypts everything, and then provides access to
the user when the computer is booted and the user provides his or her
password. Partial disk encryption protects only parts of the file system.
The user or the system administrator can designate which folders and files
are protected with encryption technology. And access to those files is
granted when the files are requested. There are a large number of
technologies available to provide partial disk encryption solutions.
Microsoft, like they provide BitLocker for full disk encryption, also
provides the Encrypting File System, EFS, which is available to users of
Windows for use in providing partial disk encryption. You can designate,
again, which files you would like to encrypt in EFS and the encryption is
managed by Microsoft active directory and provides for things like password
recovery; so if a user encrypts a file and then that user either won't
provide or forgets his or her password, say they leave the organization,
the administrators have a way to recover the password and gain access to
the file without the user's intervention.

On the Macintosh side, there is a product called FileVault that is built
into Mac OSX. That provides partial disk encryption. There are many, many
third party products available that can be used to provide encryption. Some
are very complex and provide advance technology like EFS and FileVault,
others are quite simple and allow you to encrypt individual files. And as
an example, most zip utilities, you probably remember zip as a file
archiving software that lets you combine a whole bunch of files into a
single file and compress it for transmission. Most zip programs actually
provide encryption as well. It is built into the zip standard and some
programs offer advanced encryption on top of the basic that is supported by
the zip file standard. And allow you to encrypt a file and you can even use
that to provide both data at rest and data in transit. Because if you use
zip to create an encrypted file, now it is encrypted on your hard drive and
that zip file, but you can also email, or send by any other means, that
file and it is already encrypted. So the data that is in transit is also
encrypted without providing any additional network security. You can get
extra bang for your buck that way.

The second application of encryption technology that I would like to talk
about is email encryption. And for obvious reasons, you would like to
encrypt the content of a message. Thinking back to the goals, Alice and Bob
want to encrypt the message so that they provide confidentiality and no one
is able to read the email message. They want to be able to provide
integrity to make sure that no one has been able to alter the email
message. They want to be able to provide non-repudiation. To be sure that
Bob, the recipient of the message can prove to a third party that the
message he received was actually sent by the sender, Alice in our example.
Secure/MIME is the most popular standard for email encryption. Many people
use it but do not know it by that name. Because Secure/MIME, S/MIME is the
encryption technology that is built into many modern email systems,
including Microsoft Outlook and Exchange. Digital Signatures is a
technology that is used to provide that non-repudiation. Digital
signatures, first of all, require the use of asymmetric cryptography. Where
each user has their own key. So you can't use digital signatures with the
symmetric cryptography. They just rely on the principal that I mentioned
earlier, where anything you encrypt with one key, you decrypt with the
other. So in basic encryption, where you want to provide confidentiality to
a message as we described earlier. The sender of the message gets the
recipients public key and uses it to encrypt the message, now everyone has
access to the recipients public key. But the recipient is the only one that
has access to the recipient's private key. When the sender encrypts the
message with the recipient's public key, the only person that can decrypt
it, is someone that has the recipient's private key, and the only one who
has that private key is the recipient.

With digital signatures we flip that process a little bit and the sender of
a message that wants to be able to provide a digital signature so others
know guaranteed that this message came from that sender, takes the message,
generates a digest of the message and then encrypts the message digest with
his or her own private key. So they are creating an encrypted signature
that the sender is the only person who could possibly create it. Because
they are the only ones that have access to the sender's private key. Then
the recipient of the message, or anyone else for that matter, can verify
that signature by taking the digital signature that was encrypted with the
sender's private key, and then decrypting the signature using the sender's
public key, which everyone has access to. Then the person who is verifying
the message creates their own message digest, using the same algorithm the
sender used. And compares the message digest created with that algorithm to
the decrypted digital signature, if they match, they know that the sender
sent the message and the goal of non-repudiation has been met, and they
have done it in a way that can be duplicated and proven to someone else.
That is how digital signatures add non-repudiation to email encryption.

Here is a quick example of encrypting email and how you can use encryption
with email. You do have to do a little bit of set up in terms of providing
encryption keys and digital signatures, and that is beyond the scope of our
discussion here, but there is great documentation available on line and you
can see examples of that at SearchSecurity.com. If you look at Microsoft
Outlook as an example, you can see a couple of screen shots here, of the
ribbon that appears at the top of an email message. Once you have it
configured if you want to encrypt a message with Outlook, all you have to
do is click that little blue envelope icon and that encrypts the message.
If you want to add a digital signature you just have to click the envelope
icon that has a little red seal indicating a signature and the message then
gets a digital signature. So this technology has now gotten to the point
where it is very simple for users to use. Once it is all set up for them,
which an administrator can do, they just have to remember to click one of
those two buttons when they would like to add confidentiality through
encryption and/or a digital signature to the message.

Digital certificates are an important part of all of this. As I mentioned
earlier they are used to add authentication to encryption. And they are a
prerequisite to what we are about to discuss in the next application of
cryptography over the web. What digital certificates do is they use
asymmetric cryptography to facilitate the pure exchange of public keys. So,
if I need to give my public key to you, there are not many ways that I can
do that, without using digital certificates. If I email it to you, you will
get it, but how do you know that it actually came from me and not Mal, in
our example back using Alice, Bob and Mal, that Mal did not send you a
public key and say, "Hey, this is Mike's public key," you accept that and
now you communicate back and forth with Mal, but you think that you are
communicating with me. Now I could write it down and send it to you or
print it out and send it to you in the mail. But that is very difficult
because these keys are very, very long.

So, the alternative is the use of digital certificates, which use
principals of asymmetric cryptography to facilitate that exchange and they
rely upon trusted third parties, certificate authorities, and these are
names you recognize, companies like VeriSign, Go Daddy, and Entrust. There
are many certificate authorities out there, that provide added trust to the
transaction. And what they do is they take a person's public key, they
verify that person's identity. Whether they do a driver's license check,
credit check or they have all sorts of methods that they use to verify
identity, and they vouch for them, the public key. They say, "This is a
public key that I received from this person who proved to me who they were"
and they sign it using their own private key, and then create a digital
certificate for you. And that digital certificate can then be used to prove
your identity to other people. This is commonly used for servers. When you
are using secure web communications you put a digital certificate on your
server that is generated by one of these trusted certificate authorities
and then you can give users your public key and they can securely
communicate with you and know that they are actually communicating with the
organization that they think they are communicating with.

Now to a certificate authority, trust is essential. Their entire business
is built on trust. If people do not trust a particular certificate
authority, and believe that they are doing a good job creating those
digital certificates and verifying the identities that they are vouching
for, the business model falls apart for them, and their certificates become
worthless. It is important that they preserve that trust. As I mentioned,
digital certificates form the basis of encryption over the web, so when you
add that extra 'S' to a URL to use encryption, you are using digital
certificates to provide that secure web communication. With HTTPS, we are
basically taking the standard HTTP protocol, the hypertext transfer
protocol that is used to exchange information over the web. And we are
enhancing it with a technology known as the secure socket slayer. You can
see here the steps of that process.

First, when you type in a website, you go to https.yourbank.com, you are
accessing that secure site with your web browser, and a lot of things
happen behind the scenes. Your browser recognizes that it is trying to
communicate with a secure site, and it asks the site for its digital
certificate. The site sends that to your browser, and your browser has the
technology built into it to automatically verify that certificate. It
checks the certificate authorities signature, makes sure it is valid, makes
sure the certificate has not been revoked. And then if any of those things
have problems, it pops up a warning message that you can look at telling
you what has gone wrong in the process. But if everything checks out okay,
you do not notice a thing. The user just begins communicating with the
site. What is happening then is that the browser, once it has verified that
certificate, switches over to symmetric cryptography.

Remember, I mentioned earlier that we were going to talk about an example
that combines asymmetric and symmetric cryptography. So digital
certificates and the verification of them require asymmetric cryptography.
Because you want to have non-repudiation and you want to be able to do this
without having an exchanged secret key in advanced. Once the browser
verifies the certificate, it wants to switch over to symmetric cryptography
because it is much faster and it is able to do that with much less
overhead, both for the user, the browser and the server. So the browser
just randomly chooses a symmetric encryption key, a shared secret key, that
will be used just for that session. And then it encrypts it using the
public key from the server certificate that has already received and
validated and it sends that encrypted symmetric key to the server. The
server, when it receives that message, is able to decrypt it because the
server has its own private key that nobody else has, it decrypts that
message and has the symmetric key. So from that point forward all the
communication between that client and the server for that session uses that
shared secret symmetric encryption key. The next time they try to
communicate, the whole process begins again and a new symmetric key is
created. So it is a work-around, that lets you have the benefits of
symmetric cryptography combined with the benefits of asymmetric

The final application of cryptography that I would like to talk about is
virtual private networks. Virtual private networks are technology that uses
encryption to securely tunnel traffic over an unsecured network. There are
two very common applications of this. Virtual private networks are very
often used by remote workers. So if you are working from home, coffee shop,
airport, hotel or where ever you happen to be, you can use virtual private
networks to securely connect back to your office network and your
organization just simply has to run a virtual private network, VPN, server,
that you can connect to. And even though you are communicating over the
internet, all of the communication between your computer and that VPN
server are encrypted. So anybody who happens to eavesdrop upon your
communications, whether they are sitting next to you in the coffee shop or
they are somewhere on the internet in-between the two places, is not able
to understand anything that is going on, it is still encrypted to provide
that confidentiality. Once the traffic reaches the VPN server it is
automatically decrypted and then put on to the company network. So to the
end user it is just as if they were on the company network. It might be a
little bit slower because they are not physically there, but encryption
provides that link over the internet so you can securely communicate and
have a secure presence on your company network.

The second use of virtual private networks is to link sites. So an
organization that has multiple offices, for example, can use virtual
private networks to set up site to site links, so that it appears to each
of the users at each of the sites as if everyone else on the network, even
if they are at remote sites, is all on the same network, and they can
access the same resources. So virtual private networks provide a very
important means of communicating securely between users who are either
located at remote sites or are who are in different offices in the same
organization. In summary, encryption provides a powerful technology, that
is used to protect the data from eavesdropping while it is in transit, or
from theft while it is at rest. It is important to remember that those are
the only two things that encryption is used for, the only protection that
it provides. Remember our goals. Encryption can be used for
confidentiality, integrity, non-repudiation and authentication. It does not
protect against viruses, insiders and all of the other risks that we need
other security technologies to protect against. The selection of an
encryption algorithm and encryption applications is critical. When you are
selecting an algorithm, pick one that is commonly accepted in the security
community, and has been tested and vetted by cryptographers and
mathematicians for its security. You also have to choose a key and keep it

Thank you for watching this presentation. For more information visit
SearchSecurity.com. Have a great day.

View All Videos