By Terence Spies
You’re a talented IT professional. But your customers, your government, and your management are increasingly fretful about the data you manage.
That’s hardly surprising. The news media is littered with reports of data breaches representing millions of dollars in direct costs, not counting the brand damage. Since the advent of California SB 1386, every legislative body in the country seems to be drafting regulations to punish companies that mismanage data. At the same time, the body of hacking tools and the criminals with the motivation to use them seems to be growing daily.
In the midst of this sea of change, many companies continue to rely on classic core firewall and virus scan tools to defend their networks. But that may be solving the wrong problem. What you really want to do is to defend your data. Fortunately, there’s a new generation of emerging security tools that focus on defending data rather than defending the machines and networks that transport this data.
These new tools can be classified into two broad categories: classification and encryption. Classification tools work by examining the content of data, giving administrators a clearer picture of what business data is stored where, and how it is flowing into and out of the network. The resulting classifications can then drive encryption, so that only authorized users can gain access to the information. This classify-then-encrypt strategy wraps the business data in a policy-based cryptographic shield that works no matter how data is stored or transported.
As an example, an SMTP email scanning tool might examine all attachments leaving an enterprise, looking for customer data. If the scanner detects customer data, it signals a tool to encrypt the attachment so that only authorized employees and partners can access that data. The encryption tool may lock the document up so that it remains encrypted even when opened and saved. A related scanning tool might examine network file shares and encrypt documents in storage, so that they are defended even before getting sent. A number of vendors such as Proofpoint, Tablus, Code Green Networks, Vontu and Vericept all sell products that offer this kind of scanning and classification.
Contrast this with a pure network approach, which might attempt to safeguard that data by ensuring that it is transported over an encrypted SMTP over TLS connection. While this is a simpler approach to set up, and has value even in the presence of data-centric tools, the documents are in plaintext form in storage at the sender, in any email relays, and in storage at the recipient. Those weak links are cause for concern. Recent major data breaches (at ChoicePoint, TJ Maxx, etc.) show that data is most vulnerable in storage, not when traveling over the network. Instead, it has been stolen by malicious employees, carelessly handled backup tapes, and, in the case of TJ Maxx, compromised code reading data out of storage (Securitas Operandi, "For an Interesting Account of the TJX Breach, Read Their 10-K", May 3, 2007, Peter Gregory). Handling these threats from the inside should be a core consideration for any security architecture.
From a cryptographer’s perspective, in an ideal world, every piece of data written to a disk or tape would be encrypted. It’s not enough to just specify encryption, though. The security of an encryption system fundamentally boils down to the question of key management, or more simply, how access to decryption keys is handled. In low-level encryption utilities like SSL/TLS and whole-disk encryption, keys are controlled on a per-machine basis. If a user has access to a machine, they have access to all the encrypted data on the machine, or in that machine’s network connections. This yields a very easy-to-deploy encryption scheme, but one that has very little ability to map encryption to complex access control policies. By adding classification technology into the picture, encryption utilities now have the ability to encrypt on the basis of classifications rather than just the data’s destination machine. Being able to encrypt on the basis of “this is HIPAA relevant data” rather than “this is being sent to mail.example.com” allows for much more sophisticated access control.
The challenge for encryption products in this environment is their ability to take this policy information and map it to an encryption key, and to enforce those policies when decryption keys are requested. Some older technologies like Public Key Infrastructure (PKI) tend to have very fixed, high-overhead policy-to-key mapping techniques. Newer technologies like Identity-Based Encryption (IBE) and some rights management protocols are designed to work in this new environment by going directly from a policy description to an encryption key. IBE is able to do this entirely mathematically, which allows data-based key management to be done without needing to build server infrastructure. There are good key management answers for encrypting data in email and file transfer applications, and toolkits can be used to integrate data-based encryption into custom applications.
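A minimal classify-then-encrypt pipeline of the kind described in the attachment-scanning example and the policy-to-key discussion above, written here as an added illustration that is not Voltage's or any vendor's code: a content scan decides the policy label, and the decryption key is derived from that label rather than from a destination machine. The master key, the "PCI"/"PII" labels, the detection patterns and the HMAC-counter-mode cipher are all constructed for this example.

```python
import hashlib, hmac, os, re
MASTER_KEY = b"example-master-key-not-for-production"  # constructed for this example; keep real ones in a KMS/HSM
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digit card numbers, spaces/dashes allowed
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def luhn_ok(digits):
    total = 0  # Luhn checksum, so not every long digit run counts as a card number
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def classify(text):
    """Classification step: return the policy labels the content triggers."""
    labels = set()
    if any(luhn_ok(re.sub(r"[ -]", "", m)) for m in PAN_RE.findall(text)):
        labels.add("PCI")
    if SSN_RE.search(text):
        labels.add("PII")
    return labels

def policy_key(label):
    """HKDF-SHA256: the key is a function of the policy label, not of a destination machine."""
    prk = hmac.new(b"classify-then-encrypt", MASTER_KEY, hashlib.sha256).digest()
    return hmac.new(prk, label.encode() + b"\x01", hashlib.sha256).digest()

def keystream(key, nonce, n):
    # HMAC-SHA256 in counter mode keeps this on the standard library; a product would use AES-GCM.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def encrypt(label, plaintext):
    """Encrypt-then-MAC under the policy key; the label travels as an authenticated header."""
    key, nonce = policy_key(label), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, label.encode() + nonce + ct, hashlib.sha256).digest()
    return label.encode() + b"|" + nonce + ct + tag

def decrypt(blob, allowed_labels):
    """A reader obtains the key only for labels its policy allows, wherever the blob was stored."""
    raw_label, rest = blob.split(b"|", 1)
    label = raw_label.decode()
    if label not in allowed_labels:
        raise PermissionError("not authorized for policy " + label)
    key, nonce, ct, tag = policy_key(label), rest[:16], rest[16:-32], rest[-32:]
    expected = hmac.new(key, raw_label + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("tag mismatch: ciphertext or label was altered")
    return bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))
```

Because the key depends only on the label, the same blob can sit on a file share, in a mail relay or on a backup tape and still be readable only by principals whose policy grants that label.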
The demand for more sophisticated key management has also driven standards activity in IEEE. The 1619.3 group is building standards for communication between applications that store data and a key management server. These standards are still in the early stages of development, but this approach will enable a much wider deployment of data-based security for stored data all the way down to tape and disk units.
There is still work to be done to make data-based security as easy to deploy as standard firewalls and virus scanners. Every application that handles potentially valuable customer data or enterprise IP should consider data classification and encryption as a core part of application architecture. Eventually, encryption based on classification will be a fundamental part of every enterprise architecture, but IT professionals can deploy solutions today that will defend data in their most vulnerable and valuable data channels.
Terence Spies is chief technology officer at Voltage Security Inc. Spies graduated with a Bachelor of Science degree in Logic and Computation from Carnegie Mellon University in 1991.
www.voltage.com