Encryption solutions are not enough to secure data
(28/12/2007)

Companies and public sector bodies alike are at risk from unauthorised access to and the loss of valuable corporate and personal data. Recent events in the news have highlighted just how real this risk is. However, achieving confidentiality of data through encryption is straightforward, claims Dr. Bernard Parsons, CTO of BeCrypt. A challenge that organisations face is how to strike the right balance between confidentiality, integrity and availability, particularly when data is exchanged between partner organisations. Technology is available to secure data, but processes also need to be in place to ensure compliance and enable access to the encrypted information.

Achieving data confidentiality

Achieving confidentiality of data is a straightforward process with encryption, and technology is available today to enable this to happen. Solutions that are transparent to the user and therefore minimise the impact on how the user works are available that can provide an assured level of confidentiality. However an appropriate process needs to be defined and communicated to ensure its successful use. Data can be copied onto removable media and encrypted, but then the question of access is raised. To whom and how should the data be made available?

This has been particularly important in the cases of government offices, for example, where confidential data is increasingly required to be shared with external agencies and third parties. The data can be encrypted and transferred to the third party, but a process needs to be in place that defines who should be able to read the data. If a process is not put in place, then the encryption technology runs the risk of not being deployed.

Shared secrets

Mechanisms are required in the process whereby there are ‘shared secrets’ in place between organisations that have a requirement to share data. In the absence of pervasive PKI, these secrets may be encryption keys, passwords or passphrases. These need to be agreed with partners and support a process for data to be exchanged with confidentiality, enabling those that require access the ability to do so.

With a traditional focus on confidentiality within the Information Assurance community, rules and procedures surrounding the sharing of keys have often been so restrictive as to threaten the availability of a system. If it is overly complex for organisations to share keys, the choice is often: ignore security, or risk data not being available.

With a growing focus on risk management in recent years, products assured for government use have been able to incorporate simple mechanisms to help solve problems such as key sharing .

The growing requirement to encrypt removable data has driven this development, as the exchange of electronic data is increasing, both in frequency and volume. This is itself posing a challenge. It is difficult for individuals to appreciate the enormity of the risk and exposure that might ensue from the loss or theft of one piece of media and its contents. Faced with a three foot high stack of paper documentation detailing confidential details – home addresses, bank codes – an individual would appreciate that the information requires a high degree of protection and security. However, if this information is transferred to a disk it takes a considerable mind leap to apply the same requirement for security to one or two CDs.

Getting the right balance

Security is just one part of the puzzle. The usability of the data is determined by getting the right balance between three elements – confidentiality, integrity and availability. Buying the security technology is not enough, there needs to be understanding and action as to how it is employed. Clearly educating the users about the importance of the process is vital and ultimately, reduces the risk that the system will not be used. If good understanding of the process is in place, this will complement the technology and contribute to its overall success.

There are also technology solutions available to ensure compliance with processes to protect data. These allow organisations to be more accountable for electronic assets and provide a policing mechanism that makes it more likely that people will comply, by either controlling or monitoring behaviour.

Ensuring Compliance

A port control solution like Connect Protect from BeCrypt is designed to secure a desktop or laptop computer from the introduction of unauthorised data (including software, music and graphical images), and from the accidental or malicious leakage of data via Plug and Play devices such as removable disk drives, MP3 players, and printers.

BeCrypt’s solution enables data security to be controlled centrally, enforcing the business defined policies on the end users. Groups of users can be set up on the system, so that each group is subject to the most appropriate level of security – for example the Finance Group may be able to access some data via a USB port, while a support department may never need to use data from the network and so the USB ports are effectively ‘locked down’.

Connect Protect also provides an audit of activity. If files are copied onto a memory stick this is recorded, enabling a data leak to be quickly located and identified.

Availability is key to success

There is no doubt that data protection is becoming of increasing concern, both to large organisations and the individual. Indeed, identity theft at the level closest to home occurs with personal details thrown away in discarded post.

The new NHS national patient record system highlights potential risk at an even higher level. Yet again, the confidentiality applied to the system needs to be balanced with availability. It is important that if rigorous security controls are applied to medical health records, their availability and integrity are paramount.

Systems such as BeCrypt’s Trusted Client provide an alternative approach to supporting distributed data and systems. Rather than widely replicating data, secured media is used to provide remote access to shared data and systems.

Companies need to carry out a risk assessment from the outset - how and with whom is data to be shared and exchanged? What are the implications of the theft or loss of this data? What impact do security mechanisms have on other aspects of the system? Has a process been defined to ensure balance?

Clearly such questions should address the three key elements: confidentiality, integrity and availability, not just within the organisation but with partners. Companies that achieve the right balance with the deployment of both technology and polices will be successful in ensuring that their data is secure, yet accessible to the right users.

BeCrypt’s Seven Point Plan for Successful Deployment of Data Encryption Solutions
· Decide policy ie. who has access to what data, and what can be shared with outside organisations
· Put processes in place to ensure that the policy can be maintained and staff understand both the policy and the processes they need to follow
· Define simple “Shared Secret” procedures to share information with external organisations.
· Ensure there is balance between keeping data secure, whilst enabling those that need it to have access.
· Ensure that both data integrity and policy is maintained by making the processes easy to use through the use of technology
· Educate users to recognise the enormity of risk involved with digital assets and as