By Ken Steinberg
The Nature of Data
Everything stored on your computer can be divided into exactly two categories: applications and data. Applications do the work and data is what they work on. Data is by far the more valuable. A case can be made for the value of individual applications, but in reality it is the algorithms they employ, not the applications themselves, which are valuable.
Most business people and technology professionals will agree: data is king. Whether in government, banking, telecommunications, medical imaging, manufacturing process control or transportation, the secure use of electronic data is the lifeblood of a global economy.
Data can be further divided into two very distinct categories: inward facing and outward facing.
Inward facing data is that information, often proprietary in nature, that allows a company to produce its goods and services. This data is used internally by employees and the company’s various business components. Efforts are made to ensure that inward facing data does not leave the organization.
Outward facing data is that private information that the company uses to compete in the marketplace. This “portable” or “mobile” data may be used in sales, customer service and analytical functions that are often used by employees outside the confines of the company proper. The data stored on the laptop of a salesperson is an example of outward facing data. It may be just as sensitive as inward facing data, but it probably is exposed to higher risk.
This distinction is particularly important to security professionals, as the large number of data breaches in recent years bears witness to the fact that many security professionals do not understand the implications of the differences between protecting inward facing data and protecting outward facing data.
While there are occasions when applications themselves need to be secure, more often than not, it is the securing of data that has the biggest impact on business continuity and profits. To achieve this, the successful security officer needs to focus on only two actions: keeping inward data inside, and keeping outward data from being acquired, compromised and/or coerced while outside of the corporate environment.
Further confusion occurs when security professionals seek solutions that facilitate successful information assurance but fail to take into account real-world conditions. These errors result in the inevitable selection of a tool set that becomes burdensome to both the corporation and the operation of its computing systems. These implementations may survive a few years but are ultimately removed due to their disruptive effect upon the business environment and culture. We predict that many of the organizations rushing to employ full disk encryption today will be retiring these solutions a few years from now.
Whole disk encryption will protect against system loss.
The knee-jerk reaction of most IT professionals, when asked to secure portable information, such as laptops, is to blanket an entire system in encryption. This appears, at first blush, to be the “easy and simple answer.” What is often miscalculated is the inherent danger of key management. Whole disk encryption requires that a set of keys be distributed with the encrypted system so that the core applications can subsequently be unencrypted before the system can run. Transportation of an encryption key with the encrypted information provides opportunity for the encryption to be broken. It is unlikely anyone will find a way to brute-force decrypt AES-256 encrypted information, but the four-digit PIN that protects the encryption key is not as much of a challenge to attack.
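To put numbers on the gap between the AES key and the PIN that protects it, the following added example (not part of the original article) models a wrapped disk key as only as strong as its weakest link. The class, function names and configurations are hypothetical, and the model assumes the unlock secret is chosen uniformly at random, which is an upper bound for human-chosen PINs.

```python
import math
from dataclasses import dataclass

@dataclass
class UnlockSecret:
    """The PIN or passphrase that unwraps the disk key (hypothetical model)."""
    name: str
    alphabet: int            # symbols available per position
    length: int              # number of positions
    kdf_iterations: int = 1  # key-stretching cost per guess (1 = none)

    def entropy_bits(self) -> float:
        # Upper bound: assumes each symbol is chosen uniformly at random.
        return self.length * math.log2(self.alphabet)

    def work_bits(self) -> float:
        # Stretching multiplies the cost of every guess by kdf_iterations.
        return self.entropy_bits() + math.log2(self.kdf_iterations)

def effective_bits(cipher_key_bits: int, secret: UnlockSecret) -> float:
    """A wrapped key is only as strong as the weaker of cipher and secret."""
    return min(float(cipher_key_bits), secret.work_bits())

def weakest_link(cipher_key_bits: int, secret: UnlockSecret) -> str:
    return secret.name if secret.work_bits() < cipher_key_bits else "cipher key"

def min_length(target_bits: int, alphabet: int, kdf_iterations: int = 1) -> int:
    """Shortest random secret that stops being the weak link at target_bits."""
    needed = target_bits - math.log2(kdf_iterations)
    return max(1, math.ceil(needed / math.log2(alphabet)))

# Constructed configurations for illustration.
PIN = UnlockSecret("4-digit PIN", alphabet=10, length=4)
STRETCHED_PIN = UnlockSecret("4-digit PIN", 10, 4, kdf_iterations=1_000_000)

if __name__ == "__main__":
    for s in (PIN, STRETCHED_PIN):
        print(f"{s.name} (x{s.kdf_iterations}): "
              f"{effective_bits(256, s):.1f} effective bits, "
              f"weakest link: {weakest_link(256, s)}")
    print("random digits needed for 128 bits:", min_length(128, 10))
```

Even a million rounds of key stretching leaves the four-digit PIN far below the strength of the cipher it guards, which is why the unlock secret, not AES, sets the security of the disk.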
Shipping the key with the encryption set, or making the safety of the encryption key reliant on the user of the system, also puts the user at risk of harm. Depending upon the attacker’s level of intent, knowing that the user can provide critical parts of the key may result in direct or indirect (family members, etc.) threats of harm in order to obtain key information. In all cases it is better that the user has no knowledge of the key or its seeds.
There will be a huge performance penalty to be paid.
Encryption of common applications is a performance-impacting and unnecessarily burdensome action. Encryption of data, not common applications, mitigates the performance degradation as the operating system is not subject to decryption.
The additional and unfortunate issue with encrypting application sets is failure recovery. When encryption fails or keys are corrupted, unless there is a recovery mechanism, the whole system is lost. Once corrupted, it is even more difficult to get the system into a working state in order to recover the data.
System encryption will not keep data from being stolen.
Hiring employees and consultants implies a level of trust. Trust, in security, implies access. In order to conduct business, employees must have access to unencrypted information. Encryption is therefore unable to protect the data when it is being used. All encryption efforts must be enhanced with data access logging and data copy protection.
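As an illustration of the access-logging half of that recommendation, here is an added example (not part of the original article) that reviews a data access log for two patterns encryption cannot stop: an authorized user copying sensitive files to removable media, and an authorized user reading many sensitive files in a short window. The log format, paths, thresholds and names are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log; the line format and paths are assumptions.
SAMPLE_LOG = """\
2024-05-01T09:00:03 user=alice action=read src=/data/sales/leads.csv
2024-05-01T09:14:40 user=bob action=read src=/data/sales/leads.csv
2024-05-01T09:15:01 user=bob action=read src=/data/sales/pricing.xlsx
2024-05-01T09:15:09 user=bob action=read src=/data/hr/salaries.xlsx
2024-05-01T09:15:30 user=bob action=read src=/data/sales/forecast.xlsx
2024-05-01T09:16:02 user=bob action=copy src=/data/hr/salaries.xlsx dst=/media/usb0/s.xlsx
2024-05-01T11:30:00 user=alice action=copy src=/data/sales/leads.csv dst=/home/alice/leads.csv
"""

LINE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>read|copy) "
                  r"src=(?P<src>\S+)(?: dst=(?P<dst>\S+))?$")
SENSITIVE_PREFIX = "/data/"                  # hypothetical protected share
REMOVABLE_PREFIXES = ("/media/", "/mnt/usb")  # hypothetical removable mounts
BULK_FILES = 4                               # distinct files that count as bulk
BULK_WINDOW = timedelta(minutes=5)

def find_alerts(log_text):
    """Return (user, rule, detail) tuples for suspicious access patterns."""
    alerts, reads, flagged = [], defaultdict(list), set()
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m or not m["src"].startswith(SENSITIVE_PREFIX):
            continue  # malformed line or non-sensitive path
        ts, user = datetime.fromisoformat(m["ts"]), m["user"]
        if m["action"] == "copy":
            # Rule 1: sensitive data leaving for removable media.
            if m["dst"] and m["dst"].startswith(REMOVABLE_PREFIXES):
                alerts.append((user, "copy-to-removable", m["src"]))
            continue
        # Rule 2: many distinct sensitive files read in a short window.
        recent = [(t, p) for t, p in reads[user] if ts - t <= BULK_WINDOW]
        recent.append((ts, m["src"]))
        reads[user] = recent
        distinct = len({p for _, p in recent})
        if distinct >= BULK_FILES and user not in flagged:
            flagged.add(user)
            alerts.append((user, "bulk-read", f"{distinct} distinct files"))
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(alert)
```

Every flagged event in the sample comes from a user with legitimate access to decrypted data, which is the case the article says encryption alone does not cover.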