Code of conduct

Data encryption is crucial to protecting the integrity of enterprise information. Organisations investing in encryption have to understand their requirements, and implement solutions across the company to get the most from them.

By Sathya Mithra Ashok Published September 2, 2008


Encrypting data is not a new idea. Coding information to ensure that it is sufficiently protected from people with malicious intent is a pretty old technique. The logic is simple - codify your information so that it cannot be easily read or understood by parties who are not supposed to have access to the data.

However, like any concept, it has evolved over the past decade to reflect the changing needs of enterprises worldwide. This is immediately visible in the standards of encryption.

The fact remains that the data being worked on every day, on every person’s system, is sensitive, and it can be anywhere and used by anyone.

"There are two main methods which have distinct advantages: the quicker symmetric key method and the harder to crack asymmetric key method. Early attempts to use asymmetric methods to encrypt user hard drives required the deployment of public key infrastructure (PKI).

There are firms who use this. However, there is little widespread adoption due to both the logistical issues with distributing and managing personal digital certificates for every user and the slow encrypt and decrypt times for files. Symmetric key mechanisms are seen as the way to go for bulk encryption: files, file systems, databases," says Naveed Moeed, technical consultant (MEA) for RSA.

Guy Bunker, distinguished engineer at Symantec EMEA, states: "Most people have heard of DES (Data Encryption Standard), or Triple DES. However, those have been replaced with AES (Advanced Encryption Standard) - this can have a key length of up to 256 bits - and is secure enough for the US government to allow it for classified data, so it is probably good enough for most organisations.

There are a number of implementations, and you need to check that the one you choose is FIPS (Federal Information Processing Standard) 197 or FIPS 140 approved."

Encryption is based on key length, and the longer the key the more difficult it is to break the code. Vendors warn that state-of-the-art encryption solutions from 20 years ago can now be cracked in a few minutes, so enterprises need to invest in the best available today to guard themselves.

Coding the region

In spite of a largely established standard in AES, and the fact that data encryption by itself can prove to be an easy task, many enterprises still shy away from deploying enterprise-wide encryption solutions.

"Major banks and financial institutions have adopted data encryption. They are very aware of its benefits, simply because almost everything that they deal in is crucial information. They are the leader in deploying encryption solutions. Most other companies are still considering their options," says Samir Kirouani, technical manager at Trend Micro, MENA.

One of the reasons for this is the complexity of key management.

"I think there are some core challenges that organisations face with encryption systems, primarily from the way keys are handled. It is one of the biggest challenges they face - how to reduce the complexity of key management," states Guru Prasad, general manager for networking at FVC.

There are public keys and private ones. Public key encryption is a lot more susceptible to risk. As encryption levels need to be higher, and the data is more critical, organisations tend to go towards private key encryption.

This brings along the need to manage as many private keys as there are people who have access to encrypt or decrypt.

"The first challenge is in creating these keys, since that takes time and effort and the second is the storing of these keys. Until recently, these keys were stored in open text by some organisations.

The third problem involves actual management of these keys - who will access it, how it will be backed-up, how to make it secure and such," explains Prasad.

To avoid some of these problems, companies largely used keys across organisational divisions, rather than individuals. However, new solutions in the market enable organisations to manage keys better and at a more granular level.

"There are tools which actually take care of encryption for types of data and there are also specific tools to manage keys, which are based on, or inherit, security from the systems themselves.

For example, functional encryption basically says x person has got access to xyz on the network, or xyz modules on an app, and that can be inherited from the app itself.

And all that information is stored in another database which is completely encrypted. So it is becoming easier for organisations to actually manage, and they can now use policy based encryption when it comes to creating and managing keys. That's the whole difference," says Prasad.

Many enterprises, however, remain unaware of these advances in technology which make encryption easier. This is compounded by the latency that encryption solutions impose on enterprise data.

"The most glaring challenge is the impact of encryption on performance. One really needs to understand what impact encryption will have on performance and actually rebuild some of the architecture to ensure that it does not become a limiting factor for applying encryption to that particular area.

The second is safeguarding against accidents and omissions, especially when it comes to key management. I have seen many instances when, although the data was encrypted, the keys were not managed properly. They were lost or became corrupted and thus the core data was lost," says Prasad.

"The final challenge is justifying the cost of implementing encryption. That has always been a challenge for an organisation. If it is not for regulatory purposes, it is just to ensure the integrity of data, and justifying that cost is a big challenge for enterprises today," he adds.

One of the few exceptions to this is corporate outgoing e-mail, which is the easiest to encrypt and imposes very little latency on the organisation. This is also the reason that most organisations start with e-mail when they begin encrypting information.

For the rest of corporate information, however, companies need to invest a lot more effort and time.

Encryption levels

The level of encryption on any piece of information depends largely on how critical the information is to the organisation and where it resides on the corporate network.

"The differentiator is the data. Whether it is travelling the corporate network, on a hard drive, in a USB or on the internet, if the data is not financially sensitive or critical then it can travel openly.

But if the data is important, then it will need to be encrypted," says Faisal Khan, senior security consultant at McAfee Middle East.

Some others believe data needs to be differentiated based on where it resides.
