Encryption Isn’t a Silver Bullet

Last week’s encryption gold standard post has a nice reference model for encryption, but it neglects to explain that encryption isn’t the be-all, end-all solution for data protection. If you’re not careful, encryption can be a recipe for serious data loss issues, not to mention big payouts to vendors and huge project/engineering costs.
So be smart. Look at things from a holistic, reference architecture perspective. Mix and match controls from multiple project silos and security domains. In many cases, the following controls or practices should come before even contemplating encryption.
  • Minimize data management costs by minimizing use and storage of personally identifying information (PII) or other “toxic data” at the application layer.
  • Use data discovery tools to find copies of sensitive data held outside a minimal set of authoritative repositories. Incentivize, enable or require business and IT groups to reduce the number of copies.
  • Consider outsourcing the handling of nonessential sensitive data (such as credit card data not needed for business operations) to third parties and thereby reduce the scope of compliance obligations. Note that such outsourcing may have to occur all the way up at the business process layer to really transfer risk.
  • Ensure that contractual terms for hosting agreements provide adequate, auditable control of data security.
  • Deploy database audit and protection technologies.
  • Effectively address identity and access management.

Consider the overlaps between access control and encryption. With effective identity and access management, for example, organizations can implement separation of duty. This can mean the capability to deny privileged administrators access to key material (wherever appropriate), thereby closing many back doors in the IT environment.

Cloud encryption gateways (CEGs), which encrypt information in software-as-a-service (SaaS) environments, also combine encryption and access control. They start by performing blanket encryption at the field or file level in Salesforce, Google Apps or other services. The default is deny: no plaintext is available to any user – not even the cloud service provider (CSP) administrators or the local law enforcement authorities serving the CSP with a warrant requesting access to the database. CEGs only open the kimono via access control policies; depending on the identity of the user accessing the SaaS application, selected fields or values are decrypted in the gateway and served through a browser interface or an API.
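The gateway behaviour described above, as an added example that is not from the original post or from any CEG product: every field is encrypted on the way out, and only the fields granted to the caller's role are decrypted on the way back. The roles, field names and record are constructed, and the HMAC-SHA256 keystream with encrypt-then-MAC is a standard-library stand-in for a vetted AEAD such as AES-GCM.

```python
import hashlib, hmac, secrets

# Constructed for illustration: keys, roles and fields are not from any product.
ENC_KEY = secrets.token_bytes(32)   # both keys live only in the gateway,
MAC_KEY = secrets.token_bytes(32)   # never at the SaaS provider
POLICY = {                          # role -> fields served in plaintext
    "support": {"name"},
    "billing": {"name", "card_last4"},
}

def _keystream(nonce, n):
    """HMAC-SHA256 in counter mode; stand-in for a vetted cipher such as AES-GCM."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(ENC_KEY, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def _tag(field, nonce, ct):
    # Binding the field name stops ciphertext being moved between fields.
    return hmac.new(MAC_KEY, field.encode() + b"\0" + nonce + ct, hashlib.sha256).digest()

def seal(field, value):
    nonce, pt = secrets.token_bytes(16), value.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(nonce, len(pt))))
    return (nonce + ct + _tag(field, nonce, ct)).hex()

def unseal(field, blob):
    raw = bytes.fromhex(blob)
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    if not hmac.compare_digest(tag, _tag(field, nonce, ct)):
        raise ValueError("ciphertext altered or bound to a different field")
    return bytes(a ^ b for a, b in zip(ct, _keystream(nonce, len(ct)))).decode()

def to_saas(record):
    """Outbound: blanket-encrypt every field before it reaches the provider."""
    return {f: seal(f, v) for f, v in record.items()}

def from_saas(stored, role):
    """Inbound: default deny; decrypt only fields granted to the caller's role."""
    allowed = POLICY.get(role, set())
    return {f: unseal(f, b) if f in allowed else b for f, b in stored.items()}

if __name__ == "__main__":
    stored = to_saas({"name": "Ada Example", "ssn": "000-00-0000", "card_last4": "4242"})
    for role in ("support", "billing", "csp_admin"):   # csp_admin has no policy entry
        print(role, from_saas(stored, role))
```

A role with no policy entry, such as the constructed `csp_admin`, gets back exactly what the provider stores: ciphertext for every field.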

Hopefully, this establishes that as complex as encryption is, it’s only one piece of a bigger security architecture puzzle. Now, please go back and read the encryption gold standard post!
