Decrypting Encryption Myths

By Peter Tippett

(Back to article)

Some of the more prominent headlines over the past year were dominated by incidents of data theft, where corporation after corporation had fallen victim to information theft on a large scale.

While many victims had hackers and devious insiders to blame, other instances were simply due to human error such as lost data tapes and stolen laptops. In these cases, CIOs may think their information is not at risk because of encryption. But is this really enough?

Many organizations assume information stored on laptops, desktops and tapes is completely secure if it is encrypted. To some extent this is true. But while encryption is an important piece of the security puzzle, it is only one piece. CIOs need to make data encryption but one part of a broader security strategy to avert data theft.

Why Encryption?

Organizations are increasingly distributed and mobile, and the ability to ship and carry secure information is imperative for business continuity. Yet human error is always a factor be it leaving a laptop behind at the airport, or having your shipping carrier misplace your package of backup data tapes.

So, while CIOs can’t necessarily control the shipping process, they can insure that controls are in place to protect data on these systems; preventing Mary Bad-gal from accessing the 250,000 social security numbers. Mary might be savvy enough to turn the laptop on, but she is very unlikely to be able to decrypt the encrypted information stored there.

Looking at the challenge broadly, most security professionals differentiate between “data at rest” and “data in motion.”

Prudence dictates protecting both data at rest—sitting on a server or on archive or backup media—as well as data in motion—flowing over networks. Since most readers are already using VPNs, the next most useful place to use cryptography is on portable computers that contain sensitive data.

On a portable computer, the data is both at rest, in that it is locally stored, and in motion, in that the computer itself is easily transported.

When a portable computer is lost or stolen, you hope that the thief was just after the hardware and software and not the data. Most companies can handle the computer loss better than the loss of trade secrets, business plans and personal information.

Since the impact of loss may be very high, it makes sense to consider encrypting the data on portable computers carrying sensitive information. The material cost to implement this is very low. Both Microsoft Windows XP/Professional and Mac OS X support encryption of all user-area files. Without the login password, user data on the computer is inaccessible to anyone.

Crypto Myths and Truths

Myth: Crypto is hard to use. Truth: Writing cryptography algorithms and products is difficult. Using it is easy.

Myth: Cryptography is expensive. Truth: Some cryptography is free to use for the end-user (such as SSL-encrypted Web pages). But, your organization will have to pay the price of purchasing, creating, protecting and managing server certificates.

As with any security measures, deploying cryptography requires planning, counting the cost of deployment, user education, support and maintenance.

Myth: Cryptography must be deployed everywhere in an organization. Truth: Cryptographic solutions should be deployed where and how your risk assessment indicates they will do the most good.

Myth: When we have cryptography everywhere, we will no longer need firewalls or antivirus or ... Truth: Cryptographic solutions can and may be effectively deployed and used as part of an organizations overall risk mitigation plan.

The Rest of the Story

Crypto is not a magic bullet. It may be part of a computer and network security defensive arsenal.

Since a user has to occasionally access sensitive data, all encrypted data, to be useful, becomes unencrypted for use. Sometimes individual files are decrypted, sometimes the whole hard drive. This is the point of vulnerability for sensitive information, and this is where other controls and practices are needed.

To ensure that your encryption investment holds its value, an organization must rely on synergistic controls—combining various measures, mechanisms, and methods—shored up by encryption (where it makes sense).

Strong encryption accessed via weak passwords, for example, merely slows down an attacker.

As CIOs evaluate their organization’s security strategy, it is important they realize how powerful encryption can be when aligned with other security solutions and strategies. Otherwise, it becomes just another security step that seems right, but does little.

Peter Tippett is CTO of Cybertrust and chief scientist for ICSA Labs, a division of Cybertrust. He specializes in the utilization of large-scale risk models and research to create pragmatic, corporate-wide security programs.