Encryption is an area of information management that causes problems, largely because of the questions it raises: does the data need to be encrypted at rest, in motion, or both? Does the classification of the data mean that different encryption requirements apply?

It’s probably worthwhile having a look at the history of encryption and encipherment.

The desire to protect information from casual viewing has been around for over 2,000 years. In 405 BC the Spartan general Lysander received a message that had been written inside a belt, and the only way to read it was to wind the belt around a pole of a particular size.

Julius Caesar invented a cipher that was (given the limitations of education in Roman society) very hard to crack, but it was Mary, Queen of Scots who pushed encryption up to another level by using symbols not just for letters but for entire words.

This meant that simple frequency analysis became much harder without knowledge of the key. Although encryption has long been used to assist secret communication, nowadays it is commonly used to protect information within IT systems.
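As an added example (not code from the original article), the Python below shows both halves of that point: a Caesar shift is recovered automatically by comparing letter counts against English frequencies, while a nomenclator-style table that gives common letters several symbols flattens the statistics the attack relies on. Using several symbols per letter is a simplification of Mary's whole-word symbols; both remove the frequency signal. The sample text is constructed from this article's own sentences and the frequency table is the standard published one for English.

```python
"""Why a Caesar shift falls to letter counting, and why nomenclator-style symbol
tables blunt that attack. Added example, not code from the original article.
The sample text is constructed; the frequency table is the standard English one."""
from collections import Counter
import string

ALPHABET = string.ascii_uppercase

# Approximate relative frequency (percent) of each letter in English prose.
ENGLISH_FREQ = {
    "A": 8.167, "B": 1.492, "C": 2.782, "D": 4.253, "E": 12.702, "F": 2.228,
    "G": 2.015, "H": 6.094, "I": 6.966, "J": 0.153, "K": 0.772, "L": 4.025,
    "M": 2.406, "N": 6.749, "O": 7.507, "P": 1.929, "Q": 0.095, "R": 5.987,
    "S": 6.327, "T": 9.056, "U": 2.758, "V": 0.978, "W": 2.360, "X": 0.150,
    "Y": 1.974, "Z": 0.074,
}

# Constructed sample plaintext (assembled from this article's own sentences).
SAMPLE = (
    "Although encryption has long been used to assist secret communication, "
    "nowadays it is commonly used in protecting information within IT systems. "
    "Today, one of the greatest causes of concern when it comes to data is who "
    "can get access to the information that lies within. Whether it is data at "
    "rest, such as information held on a computer disk, or data in transit, the "
    "question is whether a nefarious party could remove the disk or intercept "
    "the connection and read the data."
)


def letters_only(text: str) -> str:
    """Upper-case the text and keep only A-Z, as classical ciphers did."""
    return "".join(c for c in text.upper() if c in ALPHABET)


def caesar(text: str, shift: int) -> str:
    """Shift each letter by `shift` places (a negative shift decrypts)."""
    return "".join(ALPHABET[(ALPHABET.index(c) + shift) % 26] for c in letters_only(text))


def chi_squared(text: str) -> float:
    """How far the text's letter counts sit from English; lower is more English-like."""
    counts, n = Counter(text), len(text)
    total = 0.0
    for c in ALPHABET:
        expected = n * ENGLISH_FREQ[c] / 100
        total += (counts[c] - expected) ** 2 / expected
    return total


def break_caesar(ciphertext: str) -> int:
    """Recover the shift: the trial decryption that looks most like English wins."""
    return min(range(26), key=lambda s: chi_squared(caesar(ciphertext, -s)))


def index_of_coincidence(symbols) -> float:
    """Chance that two symbols drawn at random are equal. English letters give about
    0.066; a shift cipher leaves that unchanged, which is what the attack exploits."""
    n, counts = len(symbols), Counter(symbols)
    return sum(k * (k - 1) for k in counts.values()) / (n * (n - 1))


def homophonic_encode(text: str) -> list:
    """Nomenclator-style substitution (a simplification of Mary's word symbols):
    frequent letters get several numeric symbols, used in rotation, so no single
    symbol stands out the way 'E' does in a plain substitution."""
    table, next_symbol = {}, 0
    for c in ALPHABET:
        k = max(1, round(ENGLISH_FREQ[c]))      # roughly one symbol per percent
        table[c] = list(range(next_symbol, next_symbol + k))
        next_symbol += k
    uses, out = Counter(), []
    for c in letters_only(text):
        out.append(table[c][uses[c] % len(table[c])])
        uses[c] += 1
    return out


if __name__ == "__main__":
    ct = caesar(SAMPLE, 3)
    print("recovered shift:", break_caesar(ct))
    print("IC of Caesar ciphertext: %.3f" % index_of_coincidence(ct))
    print("IC of homophonic ciphertext: %.3f" % index_of_coincidence(homophonic_encode(SAMPLE)))
```

The index of coincidence is the quantity to watch: the Caesar ciphertext keeps the plaintext's value near 0.066 because a shift only relabels letters, whereas the homophonic output drops well below 0.03 because each symbol now occurs only a handful of times. That is the statistical reason a codebook of word and letter symbols defeats the simple counting attack, and also why it only holds while the table itself stays secret.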

Today, one of the greatest causes of concern when it comes to data is who can get access to the information that lies within.

Whether it is data at rest, such as information held on a computer disk or storage device, or data in transit, meaning information being transferred via networks, the internet and wireless devices – the question is: could a nefarious party remove the disk, or intercept the connection, and access the data?

If the data isn’t encrypted then it most definitely can be read from the drive, as can be judged from the number of freely downloadable tools available to assist.

When talking about encryption there are a number of "usual suspect" questions, for example: does it do full disk encryption? How do I recover the data if the person who knows the password leaves the company?

Full disk encryption is usually reserved for end users and their laptops: it is easier to encrypt the whole drive than to specify particular data paths. The limitation is that the drive has to be unlocked before the machine can boot, so if the user is overseas and forgets their password you’d better hope that the helpdesk is available 24/7.

In terms of recovering the data, if the encryption keys are lost then retrieving it will depend on how the solution was implemented. If Hardware Security Modules (HSMs) are used, releasing the keys will usually require a quorum of administrators to be present. Depending on the model, this may take the form of physical keys or smartcards.
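The quorum model is worth seeing concretely. The Python below is an added example, not the article's code nor any HSM vendor's implementation: it splits a key into five shares with Shamir's secret sharing so that any three custodians can reconstruct it, and models the release ceremony as a check that refuses outright until the quorum is present. The custodian names, the sample key and the choice of a 256-bit prime field are all constructed for the example; real HSMs implement their own M-of-N schemes on physical tokens, but the property they give is the same one shown here.

```python
"""Quorum-controlled key release with Shamir's (k, n) secret sharing.
Added example illustrating the 'quorum of administrators' model described above;
not the article's or any HSM vendor's code. Key bytes and custodian names are constructed."""
import secrets

# Prime field for the arithmetic (the secp256k1 field prime); any key below 2**256 fits.
P = 2**256 - 2**32 - 977


def _eval_poly(coeffs, x):
    """Evaluate the polynomial (coeffs[0] is the constant term) at x, mod P, by Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_key(key: bytes, threshold: int, holders: int):
    """Split `key` into `holders` shares of which any `threshold` reconstruct it.
    Each share is (x, f(x)) for a random polynomial of degree threshold-1 with f(0) = key."""
    secret = int.from_bytes(key, "big")
    if not 0 < threshold <= holders or secret >= P:
        raise ValueError("bad threshold/holder count or key too large for the field")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, holders + 1)]


def recover_key(shares, key_len: int) -> bytes:
    """Lagrange-interpolate f(0) from the given shares; needs at least `threshold` of them."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret.to_bytes(key_len, "big")


def quorum_met(custodians: dict, present: set, threshold: int) -> bool:
    """True when enough named custodians have presented a share (physical key, smartcard...)."""
    return len(set(present) & set(custodians)) >= threshold


def release_key(custodians: dict, present: set, threshold: int, key_len: int) -> bytes:
    """Model the HSM ceremony: refuse unless the quorum is met, otherwise reconstruct the key."""
    if not quorum_met(custodians, present, threshold):
        raise PermissionError("quorum not met: %d present, %d required" % (len(present), threshold))
    shares = [custodians[name] for name in sorted(present) if name in custodians][:threshold]
    return recover_key(shares, key_len)


if __name__ == "__main__":
    key = secrets.token_bytes(32)       # stand-in for a wrapped master key (constructed)
    shares = split_key(key, threshold=3, holders=5)
    custodians = dict(zip(["alice", "bob", "carol", "dave", "erin"], shares))
    print("3 of 5 present, recovered:", release_key(custodians, {"alice", "carol", "erin"}, 3, 32) == key)
```

Two shares, or any name that is not a registered custodian, never get near the arithmetic; and because the polynomial is random, two shares on their own leak nothing about the key, which is why this is the accepted pattern for splitting custody rather than handing each administrator a fragment of the key bytes.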

Encryption is enabling the vision of accessing data anytime and from anywhere, but at the same time the proliferation of mobile devices and the use of the cloud have introduced new security challenges – so when it comes to data protection, any security strategy should encompass both encryption and key management.
Si Kellow, CSO, Proact.