dcm magazine

Better secure than sorry
Wednesday, 01 August 2007 00:00

Ulf Mattsson, CTO of data security specialist Protegrity, explains what to expect from your solution and how to implement best practice

Does your organisation protect the resource travelling within its information pathways, and stored in databases and files, as well as it protects its physical space? Protecting offices, labs, manufacturing floors – even parking areas – from unauthorised individuals is a given. Validating staff before entry, and during the workday, is second nature to most business managers. Can you say the same for the sensitive information that is your enterprise’s life blood – keeping client and employee information confidential, maintaining competitive advantage, complying with industry and government regulations?


The perimeter

Protecting web-based transactions includes using network perimeter firewalls to defend internal IT processes from external malicious attacks.

But how about data inside the firewalled perimeter? Internal staff access files of all types in the day-to-day operation of your firm. More and more staff and business partners need access to this information while working remotely. The surest way to protect this data, controlling who gets to use it while making it available to the recipients with “need-to-know,” is data encryption.


What is encryption?

Encryption is one tool in the management and control of vital information resources. IT security professionals, and their data centre counterparts, also have to establish ground rules (security policies) that are promulgated enterprise-wide, then audited for their accuracy and efficiency.

The algorithms that encrypt ‘clear’ data (e.g. database column salary entries, passport photo image files, business applications, storage archives) ‘lock’ the information in a mathematical scramble that is extremely difficult to restore to its clear, intelligible, state. Under a security policy that defines authorised use, certain individuals gain access to the original clear information. The decryption of the ‘scrambled’ content, or application, occurs transparently when an encryption key ‘unlocks’ the seemingly random tangle, and presents the now useable information.

Storing encryption keys double-encrypted and separated from the data renders the information useless to an attacker who has found a way into the database through an application backdoor. In addition, separating the ability of administrators to access or manage encryption keys builds higher layers of trust and control over your information infrastructure. Choosing the point of implementation not only dictates the scope of the task from an integration perspective; it also significantly affects the overall security model. The sooner the encryption of data occurs, the more secure the environment. Encryption performed on content within the database is the best protection for data at rest.

Best practice also demands explicit separation of roles and duties. For instance, security officers set the policies, but may not access the sensitive data itself.

Of equal importance today is auditing successful, and unsuccessful, data access attempts, so that security administrators can report on the overall security of the system. This kind of information becomes part of the reporting required by legislation, and often, by stringent industry-specific compliance regulations.

The approaches

There are a few methods for encrypting ‘data at rest’: application-layer encryption, file-layer encryption, storage-layer encryption and database-layer encryption.

  • Application-layer encryption provides protection of sensitive data at the collection point; an ideal scenario. That data is then protected through the rest of its life-cycle.

There are two main drawbacks to this approach: (1) it is done through an application programming interface (API), which requires changes to the application code. This can be impractical due to limited IT resources, lack of access to source code, or a lack of familiarity with old code. (2) The data can no longer be accessed by any system other than the application itself. If this is a closed application, this can be a good thing. However, most enterprise applications today are accessed by third-party applications to facilitate business processes (e.g. Business Intelligence (BI) applications for centralised reporting, Extract Transform Load (ETL) applications to move data between systems).

  • File-layer encryption protects data at the file system level. This approach is necessary for unstructured files that do not exist in a database, such as image files, configuration files, or VOX files.
  • Storage-layer encryption protects data purely at rest, in NAS or SAN environments. This approach is usually very fast, but does leave some serious exposures to threats for data that is ‘in use’, i.e. data in the database. Storage-layer encryption alone can only protect against a narrow range of threats – namely media theft and storage system attacks.
  • Database-layer encryption allows enterprises to secure data as it is written to and read from a database. Database-layer encryption will also secure data in the file-system that the database is using to store the database information, making it a versatile and complete approach. Because it protects data while it is in use, as well as while it is at rest, it achieves critical and practical requirements.


Know your requirements

The key decision is to determine where encryption should be performed – on the storage device, in the file system, in the database, or in the application where the data originates. The deciding factors include:

  • Who should have access to the encryption keys?
  • How much data must be encrypted to provide security?
  • What’s an acceptable trade-off between data security and application performance?
  • How will database information be shared across applications and throughout the enterprise?

The value of your investment can be maximised by leveraging one secure encryption solution across all major applications and all major databases throughout the enterprise.

Encryption provides strong security for data, but developing a data encryption strategy must take many factors into consideration. There are six critical requirements for data security solutions:

  • Protect data in database, file and storage environments
  • Enforce privileges at the field/user level
  • Separate security policy from data management
  • Protect encryption keys
  • Audit and report access to sensitive data
  • Apply policy to maximise legitimate availability

In addition to these critical requirements, there are practical requirements to deploy and manage a data security solution effectively. It must be:

  • Transparent to existing applications and infrastructure
  • Minimal in its impact on performance
  • Consistent with security policies across the enterprise
  • Broadly supportive of data-stores and operating systems
  • Open to information sharing across applications and throughout the enterprise
  • Cost-effective to deploy and maintain.


Enforce privileges

Ideally, encryption deployment is done as a complement to security and access controls, forming a sound policy to prevent theft of critical data. A defence in depth approach is best practice to protect your organisation’s most valuable asset – its data.


The human element

From an administration point of view, an administrator (SA, DBA) plays an important and positive role. However, when security and privacy are the issue, we cannot simply trust particular individuals to have total control over other people's secrets.

For example, because of their ‘super-user’ power, a DBA can manage the whole system and make it work in the most efficient way. However, they also have the capability to do the most damage to the system. This is not just a problem of trust; it is a principle of accepted best practice in security. If the DBA account is compromised, the security of the whole system is compromised. With discrete security workstations, the security administrator sets user permissions. When the security administrator operates through separate middleware, the independent access control system operates free of operational constraint.


Protecting the keys

The essential component of encryption, and one that is often underestimated, is key management: the manner in which cryptographic keys are generated and managed throughout their functional lifecycle. The data protection solution is only as good as the protection of these keys. Security depends on two factors:

  • Where the keys are stored and how they are protected
  • Who has access to them and in what form.

When evaluating a data security solution, look for the following:

  • The ability to securely generate and manage keys. This can be achieved by centralising all key management tasks on a single platform and automating administrative key management tasks, providing both operational efficiency and reduced management costs.
  • An automated and secure mechanism for key rotation, replication and backup.
  • Keys that are never exposed in clear form. Encryption keys should be protected and encrypted when stored, and during transport between systems and system processes. Combining local software cryptography with specialised cryptographic server platforms, such as hardware security modules (HSMs), can provide a selective, added level of protection, help to balance security, cost and performance needs, and help meet corporate or governmental requirements.
  • Strong authentication for access to key management functions, with all management of encryption keys logged in an evidence-quality audit system.
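The key hierarchy described above (keys held encrypted, separated from the data, rotated without touching the data) as an added example in Go; it is not code from the article or from Protegrity. It assumes AES-256-GCM for both column encryption and key wrapping, an in-memory KeyStore standing in for the separate key-management component, and the names seal, open, KeyStore, RotateKEK, EncryptField and DecryptField are the example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// seal encrypts with AES-256-GCM and prefixes the random nonce to the ciphertext.
func seal(key, plaintext []byte) []byte {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; an error means a wrong key or a tampered ciphertext.
func open(key, sealed []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}

func randomKey() []byte { k := make([]byte, 32); rand.Read(k); return k }
// KeyStore stands in for the key-management component kept apart from the database:
// the data-encryption key (DEK) is held at rest only wrapped (encrypted) under the
// key-encryption key (KEK), so a stolen database plus the wrapped DEK is still useless.
type KeyStore struct{ kek, wrappedDEK []byte }

func NewKeyStore() *KeyStore { kek := randomKey(); return &KeyStore{kek: kek, wrappedDEK: seal(kek, randomKey())} }

// dek unwraps the DEK for use; the clear DEK never leaves this component.
func (ks *KeyStore) dek() []byte { d, _ := open(ks.kek, ks.wrappedDEK); return d }

// RotateKEK issues a new KEK and re-wraps the DEK; the encrypted rows are untouched.
func (ks *KeyStore) RotateKEK() {
	dek := ks.dek()
	ks.kek = randomKey()
	ks.wrappedDEK = seal(ks.kek, dek)
}

// EncryptField and DecryptField are what the database layer calls for a protected column.
func (ks *KeyStore) EncryptField(v string) []byte { return seal(ks.dek(), []byte(v)) }
func (ks *KeyStore) DecryptField(c []byte) (string, error) { p, err := open(ks.dek(), c); return string(p), err }
```

Rotating the DEK itself (re-encrypting the column data) is a separate, heavier operation that this example leaves out.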


Audit & report

The foundation of good security is the security audit function and a secure reporting and audit facility. The creation of an evidence-quality audit log that tracks activities performed by security officers, plus authorised and unauthorised access attempts to protected data, is a critical element of control and oversight. These logs must track information regarding the use of sensitive data, including records of what’s read and updated.

Managers can use this information to track trends, analyse potential threats and support future security planning. With this historical information they can also assess the effectiveness of countermeasures.

Logs should focus on the most useful information for security managers – activity around protected information. Focusing only on sensitive information maximises the usefulness of the protected security audit log.

What is tracked should not be limited to access to the data, but should also cover the changes made to the security policy itself. All changes, additions and deletions to this policy need to be audited and protected, so that the Security Administrator cannot make changes, access data, then change the policy back – in essence covering his/her tracks. All of these logs and reports need to be secured and protected from alteration.

To help manage these security logs and reports, a centralised console that collects the security events from all protected data, across platforms, is a necessity. Alert capability is also necessary to inform an administrator when severe events occur.
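An added example, not from the article or any vendor product, of the evidence-quality audit log described above: each record is chained to its predecessor with an HMAC under a key that the audited administrators do not hold, so editing an entry or removing one (for instance from a change-policy, access-data, revert-policy sequence) breaks the chain, and the central console's copy of the latest chain value exposes deletion from the end. The names Entry, AuditLog, Append, Head and Verify and the record fields are the example's own.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Entry is one audit record; Chain is the hex HMAC that binds it to every earlier entry.
type Entry struct{ Actor, Action, Object, Outcome, Chain string }

// AuditLog is an append-only keyed hash chain. The MAC key belongs to the audit
// function, not to the security administrator or DBA whose actions it records.
type AuditLog struct {
	key     []byte
	Entries []Entry
}

func link(key []byte, prev string, e Entry) string {
	m := hmac.New(sha256.New, key)
	fmt.Fprintf(m, "%s|%s|%s|%s|%s", prev, e.Actor, e.Action, e.Object, e.Outcome)
	return hex.EncodeToString(m.Sum(nil))
}

// Append records an event (data access or policy change) and chains it to the log head.
func (l *AuditLog) Append(actor, action, object, outcome string) {
	e := Entry{Actor: actor, Action: action, Object: object, Outcome: outcome}
	e.Chain = link(l.key, l.Head(), e)
	l.Entries = append(l.Entries, e)
}

// Head is the newest chain value. The central console keeps a copy of it, so that
// deleting entries from the end of the log is detectable as well.
func (l *AuditLog) Head() string {
	if n := len(l.Entries); n > 0 {
		return l.Entries[n-1].Chain
	}
	return ""
}

// Verify recomputes the chain and returns the index of the first entry whose recorded
// value no longer matches (it was edited, or an entry before it was removed), or -1.
func (l *AuditLog) Verify() int {
	prev := ""
	for i, e := range l.Entries {
		if !hmac.Equal([]byte(e.Chain), []byte(link(l.key, prev, e))) {
			return i
		}
		prev = e.Chain
	}
	return -1
}
```

Field values that may contain the '|' separator should be length-prefixed or escaped before being fed to the MAC, otherwise two different records could produce the same input string.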


Minimising performance impact

Security solutions need to be implemented with minimised impact on the organisation’s operations. In general, the closer the encryption is to the transaction, the faster it will perform. If encryption is done at the application level, it is important to understand where it is best implemented, and to fully understand the downstream impact. For files, the encryption must be completely transparent to the end-user applications, and the impact on all applications accessing the files must be taken into consideration.

For databases, indices are typically created to facilitate the search for a particular record, or set of records, in a database table. In an encryption environment, functionality to handle different indexing requirements can provide significant performance benefits and fully transparent and fast index searching, both for exact matches and for searches on encrypted data. To optimise performance, it is imperative that your solution includes this capability.

Cross platform solutions

More advanced encryption solutions provide centralised management of encryption parameters, supporting all major databases and operating systems, including mainframe platforms. Ensure it automates encryption, audit and separation of duties for access to sensitive information. Also important are cryptographically enforced authorisation, secure and automated key management, secure audit/reporting facilities, interoperability with other security technologies and operational transparency to applications.

Performance and security

While any data type can be encrypted, there are always trade-offs. Encrypt/decrypt functions add processing steps, and so have an effect on overall IT system performance. You have to balance enforced security with enterprise needs:

  • Identify your data flow, understand each impacted area and find a solution that can match your requirements
  • Realise that the requirements will differ from department to department in your organisation; you need to work with a company that has the experience and solutions to deliver an enterprise-wide encryption solution
  • Ensure the solution you pick is flexible, for the rules governing today’s security will change tomorrow
  • Don’t underestimate the importance of strong, centralised key management

Yes, encryption does add ‘overhead’, but recognising this up-front will result in a secure, yet responsive, IT environment.