Encryption policies have been integral to data protection. Many organizations -- especially larger ones -- still look to encryption to protect sensitive data. Caesar would be proud of the fact that the hundreds of millions of people who use the Internet also use encryption, yet most of them don't even know it.
The question is, is encryption always necessary? First, ask yourself: What are you trying to do, and what business are you in? Organizations in health care and financial services have known about encryption and have been using it for years. Regulations like the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act made sure of that. Encryption, where appropriate, does protect private data and meets the spirit of both of these regulations.
But there is a new regulatory sheriff in town, and if you accept any kind of credit card payment you need to be familiar with the Payment Card Industry Data Security Standard. PCI, as it's known, requires you to protect your payment information and your customers' private information, and even goes a step further by mandating the use of encryption in numerous places.
So the next question is, where and when should an SMB apply encryption policies?
Picking the right places and avoiding the wrong places for encryption will save you a lot of time and money. Even though the core concepts have been around for thousands of years, the implementations still leave a bit to be desired. Unfortunately, many of the encryption tools are still far too complex for SMBs to use effectively.
Even worse, there is quite a bit of downside risk in getting it wrong. If you encrypt a lot of important corporate data and then mishandle, lose or compromise the encryption keys -- you're pretty much out of business. No key, no data. It's as simple as that. Of course, there are ways to manage the keys and ensure that they don't go poof -- but it is certainly something to be wary of.
No-brainers for encryption policies
Here are a couple of tasks that you or your service provider should be doing if you aren't already:
- Secure Sockets Layer (SSL) for e-commerce: You need to have a digital certificate loaded on your e-commerce server to protect any e-commerce transactions you perform. Many SMBs rely on shopping cart providers or Web hosting companies to take care of this.
- SSL (or IPsec) virtual private network (VPN): For years, the ability to protect a communication session with remote users has been built in. Additionally, Microsoft and Apple Inc. have VPN clients built into the operating system. So it's already there -- SMBs just need to use it.
Depending on your business processes and compliance requirements, you may need to look at a technology called whole disk encryption (or full disk encryption). This comes in really handy to protect traveling employees who need to have sensitive data on their laptops. The good news is that both Microsoft (with BitLocker on Vista) and Apple provide this within the OS. There are lots of third-party alternatives as well.
Encryption is not as easy to apply to these technologies, so you need to tread carefully:
- Smartphones: There are products that can encrypt the data on a smartphone (BlackBerry, Treo, etc.), but there is probably an easier way. These devices support a policy that wipes the device after a number of failed password attempts. For example, my BlackBerry will blow up with 10 failed authentications, so I'm protected from a brute-force attack should I lose the device.
- Encrypted email: You could encrypt sensitive mail, but in many cases this is more trouble than it's worth. The technology is complex and requires a lot of work up front with all the people/companies with which you want to communicate.
- Database encryption: Although PCI does specify the need to encrypt payment data, the reality is there is a loophole (for now) called compensating controls that will allow you to put other defenses in place and avoid actually encrypting the data. If you do move forward with this, understand it is expensive and complicated.
- Encrypting backup tapes: Quite a few data breaches have resulted from lost backup tapes. SMBs should look at online backup options. If you store tapes off site, remember that if you do encrypt them and you lose the keys, your backup is gone.
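The two key-loss warnings above ("no key, no data" and the lost-tape-key case) are the reason backup keys get escrowed. As an added example that is not part of the original column, here is a threshold split of a backup encryption key among several custodians (Shamir secret sharing over GF(2^8)): any two of three shares rebuild the key, so one mislaid share does not take the backups with it. The sample key and the 2-of-3 custodian layout are assumptions for the demonstration.

```python
import secrets
# Shamir secret sharing over GF(2^8) (AES polynomial 0x11b), used to escrow a
# backup encryption key with k-of-n custodians so one lost share does not lose the backups.

def gf_mul(a: int, b: int) -> int:
    p = 0                                  # carry-less multiply mod x^8+x^4+x^3+x+1
    for _ in range(8):
        if b & 1:
            p ^= a
        a = ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else (a << 1) & 0xFF
        b >>= 1
    return p

def gf_inv(a: int) -> int:
    r = 1                                  # a^254 == a^-1 in GF(2^8), a != 0
    for _ in range(254):
        r = gf_mul(r, a)
    return r

def split_key(key: bytes, k: int, n: int) -> dict:
    """Split key into n shares (x = 1..n); any k of them reconstruct it."""
    assert 1 < k <= n < 256
    # one random degree-(k-1) polynomial per key byte; the constant term is the key byte
    polys = [[b] + list(secrets.token_bytes(k - 1)) for b in key]
    shares = {}
    for x in range(1, n + 1):
        out = bytearray()
        for poly in polys:
            y, xp = 0, 1
            for c in poly:                 # evaluate sum c_j * x^j at this custodian's x
                y ^= gf_mul(c, xp)
                xp = gf_mul(xp, x)
            out.append(y)
        shares[x] = bytes(out)
    return shares

def recover_key(shares: dict) -> bytes:
    """Lagrange-interpolate each byte at x = 0 from at least k shares."""
    xs = list(shares)
    key = bytearray()
    for i in range(len(shares[xs[0]])):
        acc = 0
        for xi in xs:                      # basis L_i(0) = prod_{j!=i} x_j / (x_j - x_i); minus is XOR
            num, den = 1, 1
            for xj in xs:
                if xj != xi:
                    num, den = gf_mul(num, xj), gf_mul(den, xj ^ xi)
            acc ^= gf_mul(shares[xi][i], gf_mul(num, gf_inv(den)))
        key.append(acc)
    return bytes(key)
```

Hand each share to a different custodian (or store it in a different place from the tapes); fewer than k shares reveal nothing about the key, and k-1 lost shares still leave the backups recoverable.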
Encryption is one of those technologies that you use every day and probably don't know it. But with new regulations, it makes sense to look at where the technology can work for you. Go in with your eyes open: it's still relatively expensive and complicated.
Mike Rothman is president and principal analyst of Security Incite, an industry analyst firm in Atlanta, and the author of The Pragmatic CSO: 12 Steps to Being a Security Master. Get more information about The Pragmatic CSO at www.pragmaticcso.com, read his blog at http://blog.securityincite.com, or reach him via email at mike.rothman (at) securityincite (dot) com.