Securing sensitive data is one of the greatest challenges faced by many organizations of all sizes. Increasing regulatory demands and the constantly changing threat landscape have brought data security to the forefront of IT issues. Several of the more important data security threats are related to the protection of the storage environment, where drive loss and theft are primary risk factors.
Organizations must take a data-centric approach to safeguarding sensitive information in order to guard against a growing number of advanced threats in a complex, evolving IT environment of virtualization, cloud services, and mobility, while maintaining regulatory compliance.
The big misconception
A common misconception is that logging in to a device or service with a username and password provides a level of protection equivalent to encryption. It does not. A password that controls access to an unencrypted device is not enough to protect against unauthorized or unlawful access to the data; in practice, the password can be bypassed and full access to the data obtained.
Where are the risks?
Risks are lurking throughout the organization's infrastructure. Confidential data is especially at risk during transmission across untrusted networks, such as the Internet, and when stored on portable computing devices: laptops, data backups, USB flash memory drives, PDAs, and other small or personal computer equipment. A comprehensive encryption strategy must consider all the different ways data is transferred, as well as how it is stored. Some types of malware are able to gain access to data as it passes through the network. Data may also be compromised while it is stored online or physically archived. An end-to-end strategy must also include protection for data sent to and from business partners and third parties.
How to develop an enterprise encryption strategy
Failing to protect confidential data is not only a threat to customers and damaging to corporate reputation; in some cases, it is illegal. All companies that store sensitive data, no matter their size, should implement encryption policies anchored to a comprehensive encryption strategy. For encryption to be used consistently, it has to be implemented by default and be as transparent as possible. Any data that can be used to identify an individual, group, company, or entity should be protected against unauthorized access during creation, transmission, operations, and storage.
Creating an encryption strategy requires significant review and effort. It is best to approach this as a major project, involving key members of your organization such as operations, management, and, of course, IT. As a group you must identify the applicable regulations, laws, guidelines, and external influences that will affect your purchasing and implementation decisions. From there, you can move on to identifying high-risk areas, such as laptops, wireless networks, and data backups.
Encryption is useless if an attacker is able to access confidential data directly and skip the burden of having to defeat any cryptography. So, a successful strategy defines strong access-control techniques that use adequate combinations of file permissions, passwords, and two-step authentication. You will also need to monitor access controls on a regular basis to ensure their validity.
Use of strong encryption standards:
Make sure your encryption standards are properly implemented and kept up to date. Strong, correctly implemented encryption is difficult to break.
Effective key management:
Manage your encryption keys using mature key management technologies. We recommend that our clients manage their encryption effectively through efficient key assignment, periodic key rotation, and re-encrypting data with new keys.
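As an added example that is not part of the original article, the following Ruby shows how key assignment and the two kinds of rotation fit together: each record's data is encrypted under its own data key, that data key is wrapped under a versioned key-encryption key, and the version stored with the record tells a rotation job which key unwraps it. The key bytes, record contents and helper names are constructed for illustration, not taken from any product.

```ruby
require 'openssl'
require 'securerandom'
# Constructed example: data is encrypted under a per-record data encryption
# key (DEK); the DEK is wrapped under a numbered key-encryption key (KEK).
# The stored KEK version is the key assignment a rotation job relies on.
Envelope = Struct.new(:kek_version, :wrapped_dek, :ciphertext)

# AES-256-GCM seal: returns iv (12 bytes) || tag (16 bytes) || ciphertext.
def seal(key, plaintext)
  c = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  c.key = key
  iv = c.random_iv
  ct = c.update(plaintext) + c.final
  iv + c.auth_tag + ct
end

# Reverses seal; final raises OpenSSL::Cipher::CipherError on a wrong key
# or tampered blob, so a bad unwrap never yields garbage plaintext.
def open_sealed(key, blob)
  c = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  c.key = key
  c.iv = blob[0, 12]
  c.auth_tag = blob[12, 16]
  c.update(blob[28..-1]) + c.final
end

# Fresh DEK per record; only the DEK is wrapped under the KEK.
def encrypt_record(keks, kek_version, plaintext)
  dek = SecureRandom.random_bytes(32)
  Envelope.new(kek_version, seal(keks.fetch(kek_version), dek), seal(dek, plaintext))
end

def decrypt_record(keks, env)
  kek = keks.fetch(env.kek_version) { raise "KEK v#{env.kek_version} unavailable" }
  open_sealed(open_sealed(kek, env.wrapped_dek), env.ciphertext)
end

# KEK rotation: unwrap the DEK with the old KEK and re-wrap it under the new one.
# The bulk ciphertext is untouched, so rotating the master key is cheap.
def rotate_kek(keks, env, new_version)
  dek = open_sealed(keks.fetch(env.kek_version), env.wrapped_dek)
  Envelope.new(new_version, seal(keks.fetch(new_version), dek), env.ciphertext)
end

# DEK rotation: decrypt and re-encrypt the data under a fresh DEK. This is the
# expensive path, needed when the data key itself may have been exposed.
def rotate_dek(keks, env)
  encrypt_record(keks, env.kek_version, decrypt_record(keks, env))
end
```

Once every record has been re-wrapped under the new KEK version, the old KEK can be retired; any record still pointing at the retired version fails loudly instead of decrypting.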
You can reduce the risk of external attacks by encrypting data at rest, in use, and in transit. Employees need to be informed about the procedures they must follow and what their responsibilities are. They should be trained to handle encrypted data effectively by following the security procedures of the organization.
Compliance with security policies and procedures:
Organizations should encrypt sensitive data according to industry compliance guidelines or mandates such as HIPAA, PCI, GLBA, and so on.
Monitoring and reporting data theft
A best practice is to implement a tool to monitor for and detect the leak or theft of confidential information. An organization's written policy needs to include a statement that any lost or stolen data must immediately be reported to the key stakeholders for evaluation. It should include specific steps to take when a data breach is detected. It should also state who should be contacted and how quickly; when customers will be notified, who decides, and how; and whether customers will be given free credit reports. All of these elements should be addressed and planned for ahead of time.
Unfortunately, no single encryption product protects all data areas. Some vendors offer nearly holistic solutions, but you need to find the right combination for your organization. Expensive software that required faster processors and more memory to support encryption used to be the norm, but that is no longer the case. Many technology improvements over the years have produced more advanced solutions while bringing the cost down, and hardware-based encryption technologies have alleviated the performance bottlenecks that encryption used to impose.
If you’d like to discuss your challenges, need help to plan your enterprise encryption strategy, or simply find the right solution to fill in a gap, call me at 1-866-610-8489 ext. 313 or send me an email
Carrie Lau, Storage Solutions Architect