Inadequate security and eager cybercriminals have led enterprise data breaches to increase at an alarming pace. Staggering numbers of affected customers — and huge financial losses to companies — continue to send shock waves through the business world, and threaten user trust. This global proliferation of cyber-attacks has made one particular component of cryptography, ENCRYPTION, critical in the effort to safeguard sensitive data and intellectual property (IP).
We all know that Cryptography is the science of secret communication. Its fundamental objective is to enable communications over an insecure channel in such a way that a potential adversary cannot understand what is being conveyed.
Edward Snowden (famed American Whistleblower) once said, “Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on.”
Encryption is a key element of comprehensive DATA-centric security. End-to-end encryption maximizes data protection regardless of whether the data is in a public or private cloud, on a device, or in transit. It can be invaluable in the effort to combat advanced threats, protect against IoT-enabled breaches, and maintain regulatory compliance. But the wide variety of options for enterprise deployment can be intimidating, and a large number of companies haven't been using it effectively.
Q. So how can companies start using encryption to protect data?
Answer: Organizations can leverage encryption to provide persistent data protection by anchoring it with a comprehensive strategy that incorporates a complete lifecycle process along with the technology solution.
Effective encryption takes time; in addition to careful consideration of data states and encryption techniques, seven key elements can help you build a successful end-to-end encryption approach:
1. Collaboration
Creating an encryption strategy requires a collaborative effort. It is a major initiative that must include members of management, IT and operations. You must start by bringing together key data stakeholders and work to identify the regulations, laws, guidelines and external influences that will factor into purchasing and implementation decisions.
2. Classification of Data
Remember that companies which don't have an effective data classification and/or prioritization program in place tend to struggle with data encryption. That's why your prime goal must be to separate the valuable information (which may be targeted) from less valuable info. Categorize it into pre-defined groups on the basis of the common risk each group shares. Next, elaborate upon the Security Controls which are required to secure each info-group. You can use Data Classification Tools for all this; they will improve your handling of sensitive data. This data classification will improve your data governance and compliance, and will prevent inadvertent disclosure of sensitive data.
The work done in this part, and the classification metadata you develop here, can conveniently be ingested by your Data Loss Prevention (DLP) solution, your encryption solution and many other security solutions which your company deploys.
3. Key Management = Guard Your Keys
Guys, give extra attention to this section!
If keys and certificates are not properly secured the organization is open to attack, no matter what security controls are in place. Many organizations have tens of thousands of keys and certificates, with no clear understanding of their inventory. They do not know how keys and certificates are being used, what systems they provide access to, or who has control over them.
Edward Snowden himself was a low-level SharePoint administrator who took advantage of the fact that keys and certificates are blindly trusted to elevate his privileges and enter areas where he should not have had access.
It is imperative that organizations understand which keys and certificates are used in the network, who has access to them, and how and when they are being used. The first step in gathering this information is to gain a clear understanding of the organization’s inventory by centrally managing keys and certificates. This will enable you to detect anomalous behavior, such as rogue self-signed certificates. Critical aspects of key management include the following:
Encryption Key Lifecycle Management:
Encryption key lifecycle management can be overwhelming for organizations with a large number of keys, but without it there is no way to validate the integrity of the keys. By extension, without any way of validating the keys, the integrity of the data itself cannot be ascertained. Keys must be protected with a reliable key management solution from the moment they are created, through their lifecycle of initiation, distribution, activation, deactivation and termination.
You need a centralized key management platform which gives you unified access to all of the encryption keys and a 360-degree "single pane of glass" view into the overall strategy. You require all keys to be managed from the same place, in the same way. This platform should allow you to gain a granular understanding of how the keys are being used and, more importantly, whether they are being accessed incorrectly.
If you don't have an overarching, heterogeneous key management solution, then your organization will be continuously chasing after rogue keys and struggling to ensure encrypted data is valid and able to be decrypted when necessary. I hope that is very clear!
The deployment of hardware security modules (HSMs) can help to protect the key management lifecycle in complex environments.
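As an added illustration (not code from the article or any product it mentions), here is a minimal central key inventory in Python that enforces the lifecycle stages named above, records a SHA-256 fingerprint of each key so its integrity can be checked later, and audits usage records against the inventory to surface exactly the anomalies the section warns about: rogue keys nobody registered, keys used while deactivated, and keys used by systems they were never issued to. The key ids, system names and usage events are constructed sample data, and the rule that a deactivated key may be re-activated is an assumption of this example.

```python
# Added example: central key inventory with lifecycle enforcement and usage audit.
import hashlib
from dataclasses import dataclass, field

# Allowed lifecycle transitions, following the stages named in the article:
# initiation -> distribution -> activation -> deactivation -> termination.
TRANSITIONS = {
    "initiated": {"distributed"},
    "distributed": {"activated"},
    "activated": {"deactivated"},
    "deactivated": {"terminated", "activated"},  # assumption: re-activation is allowed
    "terminated": set(),
}


@dataclass
class KeyRecord:
    key_id: str
    fingerprint: str            # SHA-256 of the key material, used to verify integrity later
    owner: str
    systems: set                # systems allowed to use this key
    state: str = "initiated"
    history: list = field(default_factory=list)


class KeyInventory:
    def __init__(self):
        self.keys = {}

    def register(self, key_id, key_material: bytes, owner, systems):
        """Record a new key: who owns it, where it may be used, and its fingerprint."""
        fp = hashlib.sha256(key_material).hexdigest()
        self.keys[key_id] = KeyRecord(key_id, fp, owner, set(systems))

    def transition(self, key_id, new_state):
        """Move a key to the next lifecycle stage; illegal jumps are refused."""
        rec = self.keys[key_id]
        if new_state not in TRANSITIONS[rec.state]:
            raise ValueError(f"{key_id}: illegal transition {rec.state} -> {new_state}")
        rec.history.append((rec.state, new_state))
        rec.state = new_state

    def verify_integrity(self, key_id, key_material: bytes) -> bool:
        """Check that key material presented later still matches the registered fingerprint."""
        return hashlib.sha256(key_material).hexdigest() == self.keys[key_id].fingerprint

    def audit_usage(self, events):
        """Return findings for (key_id, system) usage events that violate the inventory."""
        findings = []
        for key_id, system in events:
            rec = self.keys.get(key_id)
            if rec is None:
                findings.append(f"{key_id}: unknown key used by {system} (rogue key)")
            elif rec.state != "activated":
                findings.append(f"{key_id}: used by {system} while {rec.state}")
            elif system not in rec.systems:
                findings.append(f"{key_id}: used by unauthorized system {system}")
        return findings


def demo():
    """Constructed sample: two registered keys, one of them deactivated, and four usage events."""
    inv = KeyInventory()
    inv.register("db-key-01", b"\x01" * 32, "dba-team", ["db01", "db02"])
    inv.register("backup-key-07", b"\x02" * 32, "ops", ["backup01"])
    for state in ("distributed", "activated"):
        inv.transition("db-key-01", state)
    for state in ("distributed", "activated", "deactivated"):
        inv.transition("backup-key-07", state)
    events = [
        ("db-key-01", "db01"),          # legitimate
        ("db-key-01", "web03"),         # system not on the key's allow list
        ("backup-key-07", "backup01"),  # key is deactivated
        ("legacy-key-99", "app05"),     # never registered: a rogue key
    ]
    return inv, inv.audit_usage(events)


if __name__ == "__main__":
    _, findings = demo()
    for line in findings:
        print(line)
```

The point of the fingerprint is that the inventory never needs to hold the key material itself (in practice that stays in the HSM); it only needs enough to tell whether a key presented later is the one that was registered, which is the integrity check the section says is impossible without lifecycle management.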
4. Finding the Right Solution for Your Environment
Once you have established your key management needs, it is time to evaluate and implement encryption solutions. There are many options and factors to consider. Always adopt a "try-before-you-buy" approach, because what works for another organization may not work for yours.
5. Access Control is a MUST.
Ensuring that only authorized users can access data is critical in the effort to prevent it from being tampered with by anyone inside or outside of the organization. A successful encryption strategy defines strong access-control techniques, using adequate combinations of file permissions, passwords, and two-factor authentication. Access controls must be audited on a regular basis to ensure their validity.
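The following Python example is added here (it is not the article's code) to show how the classification groups from section 2 and the access-control combination from this section fit together: each classification tier states which of password authentication, a second factor and an explicit ACL entry it requires, `authorize()` evaluates a session against the resource's tier, and `audit_acls()` implements the regular audit the section calls for by flagging ACL entries for users who are no longer active and confidential resources nobody has been granted. The three tiers, the resource names and the user names are constructed for the illustration.

```python
# Added example: classification-driven access policy with a periodic ACL audit.
from dataclasses import dataclass, field

# Policy per classification group. Assumption for this example: three tiers.
POLICY = {
    "public":       {"auth": False, "mfa": False, "acl": False},
    "internal":     {"auth": True,  "mfa": False, "acl": False},
    "confidential": {"auth": True,  "mfa": True,  "acl": True},
}


@dataclass
class Session:
    user: str
    authenticated: bool = False   # password step completed
    mfa_verified: bool = False    # second factor completed


@dataclass
class Resource:
    name: str
    classification: str
    acl: set = field(default_factory=set)   # users explicitly granted access


def authorize(session, res):
    """Return (allowed, reason) for a session requesting a resource."""
    rules = POLICY.get(res.classification)
    if rules is None:
        return False, "unclassified resource: deny by default"
    if rules["auth"] and not session.authenticated:
        return False, "password authentication required"
    if rules["mfa"] and not session.mfa_verified:
        return False, "second factor required"
    if rules["acl"] and session.user not in res.acl:
        return False, f"{session.user} not on ACL"
    return True, "allowed"


def audit_acls(resources, active_users):
    """Flag stale ACL entries (user no longer active) and confidential data with an empty ACL."""
    findings = []
    for r in resources:
        for user in sorted(r.acl - active_users):
            findings.append(f"{r.name}: stale ACL entry for {user}")
        if POLICY.get(r.classification, {}).get("acl") and not r.acl:
            findings.append(f"{r.name}: confidential data with empty ACL")
    return findings


if __name__ == "__main__":
    payroll = Resource("payroll.xlsx", "confidential", {"alice"})
    print(authorize(Session("alice", authenticated=True, mfa_verified=True), payroll))
    print(authorize(Session("bob", authenticated=True, mfa_verified=True), payroll))
    print(audit_acls([payroll, Resource("m&a.docx", "confidential")], active_users={"bob"}))
```

Two design choices worth noting: a resource with no recognised classification is denied rather than treated as public, and the audit is driven by the same policy table as the runtime check, so a tier that gains an ACL requirement is audited for it automatically.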
6. Consequences..?!?
Prior to deployment, a written policy should be developed, endorsed by management and communicated to end-users, including business partners and third parties (including any cloud providers) that handle sensitive data. If they cannot meet your company’s policies, they don’t get your data. Otherwise, you risk running into a compliance problem. Encryption responsibility should be fixed and carry consequences for noncompliance.
7. SSL Decryption
While encryption is a great way to protect data, it is also a great way to hide threats. Most network security controls cannot decrypt and inspect HTTPS (SSL) traffic. As more applications turn to SSL encryption to help keep users secure — Facebook, Twitter, YouTube, Google Search and DropBox to name a few — they are inadvertently hampering the ability of enterprises to ensure malicious code isn’t making its way into network traffic. Cyber attackers are exploiting this vulnerability, so when choosing the right encryption solutions for your organization, it is necessary to also consider SSL decryption technology to ensure visibility into important data at points of ingress and egress.
-
Hello guys, what do you think of this post about Building a sound Encryption Strategy? Which part of it made more sense to you? What thoughts came to your mind?
Kindly leave me your thoughts in the comment section.
This Article Was Written & published by Meena R, Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India.
Over the past 16 years, Meena has built a following of IT professionals, particularly in Cybersecurity, Cisco Technologies, and Networking...
She is so obsessed with Cybersecurity domain that she is going out of her way and sharing hugely valuable posts and writings about Cybersecurity on website, and social media platforms.
34,000+ professionals are following her on Facebook and mesmerized by the quality of content of her posts on Facebook.
If you haven't yet been touched by her enthusiastic work of sharing quality info about Cybersecurity, you can follow her on Facebook at Cybersecurity PRISM.