Cryptography, the science of information protection once seen as the domain of geek academics and intelligence services, is going mainstream.
Although cryptography has long been used to protect data in motion, for example to secure important diplomatic signals or sensitive Web pages, it is now regularly being applied to protect “data at rest” in databases, filing systems and storage devices while allowing anytime, anywhere access.
Indeed, the proposed acquisition of industry leader RSA Security by data storage giant EMC underlines this trend.
Strong encryption, however, is a very powerful tool and its wider use presents its own challenges and risks.
Get its technology or management wrong and encryption can provide a false sense of security, or simply become a giant corporate document shredder.
From a risk management perspective, encryption represents a double-edged sword: while it can protect critical data, without effective management tools it can also render important information permanently unreadable or irretrievable.
Just as crucial management lessons have been learned about supervising users and their software passwords, large corporations would be very unwise to leave it to individuals to manage their own encryption and decryption keys.
The data protection stakes are simply too high, thus forcing companies to find “key management” solutions that can be managed centrally and are independent of those who originally encrypt the data.
Ensuring that a corporate entity retains the ability to access data after the fact is also a source of concern to law enforcement agencies: they want to be able to decrypt data if a crime is suspected.
This has resulted in various ‘key recovery’ or ‘key escrow’ proposals, which would require individuals and organisations to store their encryption keys with a neutral third party. But can these plans work practically, and should they be allowed to?
Good security requires defence in depth and that means encryption has to be part of the mix, but the idea of ubiquitous encryption begins to sound complex and highly challenging.
If encryption is to be used by just about everyone, the complexity must be transparent to the user and it must be easy to manage: good key management lies at the heart of every successful encryption deployment.
Until now, the complexity of key management has restricted the deployment of encryption to extremely critical systems and applications, such as financial payment systems or board-level email security, where organisations have been prepared to dedicate the required resources.
Key management is seen by many as the Achilles heel of the technology known as Public Key Infrastructure, or PKI, often touted in the past as the solution to many business security needs.
Overcoming these challenges and barriers demands a new, centralised approach.
Yet, centralised key management systems that allow keys to be secured and managed - while allowing them to be provisioned, on-demand, to users or applications that need them - are emerging only now. There are a host of other issues to consider, including:
- Since encrypting absolutely everything is a practical impossibility, data classification (to decide what information will really benefit from encryption) needs to be part of any data security strategy.
- Issues of cost, performance implications, disaster-recovery and key management must all be tackled head-on before the system is architected.
- For encryption to be deployed everywhere – from applications and databases, to file and storage systems – organisations need to be sure that only those users and machines that have rights to view and use the data will be able to unlock it.
That means linking cryptography to identity management and strong authentication, so as to verify that only the appropriate people get access to the information they are intended to have.
- Users need to be able to use the technology easily for encrypting and decrypting the data that they are entitled to see, but they should not need to be involved in key management, where mistakes and poor practice potentially expose both the data and the entire organisation to unacceptable risk.
The net result of a well-planned deployment of encryption, supported by carefully chosen key management tools, is better protected data accessible to the right people at the right time without compromising security.
This outcome reduces the risks to critical data, enables compliance with the law, demonstrates best practice and protects customers and their personal data in the way that they have increasingly come to expect.
Nobody said cryptography was easy - but there is help at hand.
Alex van Someren, co-founder and CEO of nCipher, oversees the company's corporate, strategic and emerging business. Alex has 20 years of experience in the information technology sector and is the author of several books on the applications of computers and microprocessors.
Alex is also a co-founder of embedded Internet software firm ANT Limited where he managed the development of various embedded Internet and networking products. Before 1993, he provided computer consultancy services for clients including Acorn Computers, Autocue and Redwood Publishing.