Encryption Strategy: Today's Challenge
Encryption transforms data into an unusable form, reducing the risk in the case of unauthorized access. Once employed only for the most sensitive government secrets, encryption is today a common practice with strategic importance for businesses of all types. Financial institutions, retailers, healthcare providers, and others must protect customer information and are often bound by data breach disclosure laws. All types of businesses must keep private their diverse information about employees, customers, business operations, and intellectual property. Given that failure to protect confidential information may be not only embarrassing but also illegal, it’s easy to see why encryption is a core component in a broad data protection and IT security strategy.
Organizations have many different options for encrypting information and should design their encryption strategy with the specific needs of the business in mind. Considerations include the type of information to be protected, the potential risk to the business should a data breach occur, how the information is used and by whom (or which applications), application performance requirements, where the information is stored, and applicable regulations. Sensitive data can easily spread through organizations almost like a virus, residing in systems where it was never expected and increasing the risk of attack or accidental loss. While organizations may be tempted to apply point solutions to address local issues, this piecemeal approach can give rise to serious compatibility problems, driving up operational costs and complexity while still leaving points of weakness that attackers can exploit.
Like most security technologies, encryption can be applied in layers. In some cases, such as network-level or storage-level encryption, protection is applied on a bulk basis, encrypting all data on a network or individual storage device. In other cases, for example within business applications or edge-of-network devices such as point-of-sale terminals, encryption might be applied in a highly targeted fashion to protect specific data elements at the earliest possible opportunity. Each approach has its own advantages and disadvantages in terms of scope of protection and deployment complexity; these are discussed in more detail throughout this solutions area.
While defining an encryption strategy, decision-makers should keep in mind that an encryption process is only as strong as the keys that protect it, and also that the overall operational costs of encryption are often dominated by the costs associated with key management. Your encryption strategy MUST include a well-defined process and environment for archiving and managing cryptographic keys, for two main reasons. Firstly, if attackers gain access to your cryptographic keys, they can steal sensitive information even if it is encrypted, and secondly if encryption/decryption keys are lost or become corrupted, data can be lost forever.
Risks Associated with Encryption Strategies
- Encryption is not a silver bullet for protecting data; it can be applied in a wide variety of ways to protect a wide variety of data types. Most likely it will be applied in layers, with each layer playing an important role. Failure to adopt a strategic approach will result in increased costs, complexity, and business risk.
- It can be easy to focus on encryption and overlook the issue of key management. Encryption technology itself is mature, some would say commoditized. Attackers are extremely unlikely to even try to break encryption algorithms—instead they target the encryption keys and processes used to manage them.
- Compliance requirements and auditors are increasingly tuned to the issues of key management; to avoid falling behind, organizations should be ready to demonstrate their adherence to best practices or other standards of due care.
- The risk of key theft may be smaller than the risk of losing keys—and therefore losing the data they protect. Human error is common, particularly in situations where key management relies on manual processes, poor documentation, and poorly trained staff.
- Encryption can often be a computationally intensive process that can degrade performance of servers, gateways, and other application platforms. If not implemented in an optimal way, encryption can limit capacity, drive up costs, and adversely impact the user experience.
Encryption Strategy: Thales e-Security Solutions
Thales e-Security can help you design and implement an encryption strategy that meets the needs of your business processes, your applications, and your information. Solutions from Thales and its technology partners employ independently certified, best-of-breed, hardened cryptographic platforms and key management systems that embody industry best practices to ensure that your information is protected, your policies are enforced, and your business operations continue to run smoothly. These proven encryption solutions will vary in their specific function, depending on exactly how and where you choose to encrypt data, but all focus on ease of deployment, minimizing your ongoing cost of ownership and increasing your level of assurance.
Beyond our technology based products and solutions, Thales plays a prominent role in the broader encryption industry, conducting regular market surveys, publishing easy-to-read consumer guides, helping to define international standards such as KMIP, and guiding industry bodies on appropriate best practices.
- Design an encryption strategy that protects sensitive and valuable information while maintaining high levels of application performance and availability.
- Comply with applicable regulations and standards such as PCI DSS while minimizing your scope of compliance.
- Benefit from well-proven best practices and standards of due care when deploying any encryption or key management system.
- Take advantage of Thales e-Security’s broad range of partnerships with leading database, application, and security product vendors to deploy solutions that will integrate easily with your existing systems.
- Employ professional services from Thales Advanced Solutions Group (ASG) for deployment planning, policy definition, custom development, and training to accelerate encryption projects and reduce risk.