Why data encryption is no substitute for comprehensive security

By Jonathan Yarden

Translation: Endurer, version 1

http://techrepublic.com.com/5100-1009_11-6079162.html?tag=nl.e044

Keywords: authentication and encryption | Security | E-mail messages | Security Threats

Takeaway:

Jonathan Yarden asserts that data encryption can actually increase security risks if you apply it without considering how it will affect other IT functions. Find out why he stresses that data encryption is only one of the tools in a comprehensive Internet security setup.

In all my years in the computing industry, I have seen a number of technologies come, go, and resurface. Without a doubt, one of the most interesting is data encryption; yet, the general public still doesn't seem to have a firm grasp on it.

Part of the problem may be that some IT pros get their information about data encryption from security vendors. None of the vendors at the security seminars I have attended stress that data encryption is by no means a substitute for a comprehensive corporate security architecture. For instance, sometimes it only makes sense to use data encryption when no other alternatives exist; sometimes you don't need to use data encryption at all. You probably won't hear this in any security vendor seminar because they want to sell you products; I just want to educate you.

Know when to use data encryption

Data encryption is of little use unless you apply it to specifically mitigate a risk or to address a legal requirement. In fact, if you apply data encryption without consideration for how it will affect other IT functions, it can actually increase risks in other areas of the enterprise.

A striking example of the misuse of data encryption is when IT pros use encrypted file systems where this type of security is simply not needed. Windows and almost all major operating systems can support encrypted file systems, but most organizations would be hard pressed to find a general use for such security. Even so, some organizations adopt the use of encrypted file systems because they believe this protects their information if a system is compromised. This is generally not true; the real security issue is keeping the system protected from compromise in the first place. An encrypted file system is not a reason to stop being vigilant when applying updates and patches. Also, backups are a must because, if you lose the decryption keys, your data is lost.

There are specific cases where it makes sense to use data encryption. However, some IT pros decide to use data encryption because they assume this means they will have "improved" security. For example, a company that implements a VPN system using IPsec isn't immune from a worm or virus if its virus scanner only inspects e-mail at the firewall border. A solution is to enforce virus and worm scanning at the e-mail server, as well as at the network perimeter; this guarantees that internal e-mail messages are properly scanned for malicious content.

Reconsider using SSL to pass sensitive data online

Some IT pros incorrectly assume their data are secure if they submit information using SSL. These two points are true: SSL encryption makes it much more difficult (perhaps with SSL v3 it may be close to impossible) to make use of data if it's intercepted; and SSL is more secure as a data transmission method than clear text. However, once the data is received and decrypted on the other side of the SSL connection, you no longer have any real control over it. Or, if your Windows system is infected with a keylogging Trojan, typing your credit card number into an SSL session in a browser isn't going to prevent it from being stolen.

The general belief that SSL provides security is precisely why some of the newer phishing scams that use SSL are tricking people into giving up personal information. SSL does not provide more than simple data transmission security. The real question is: what happens to the data afterwards?

Encrypt e-mail using archivers

Secure e-mail is another area where organizations need some education. Most organizations do not need the level of e-mail security provided by PGP or built-in public key encryption in most e-mail systems.

Endurer note: PGP (Pretty Good Privacy) is mail encryption software based on the RSA public key encryption system.

When someone needs to send a Word document or Excel spreadsheet securely, I usually suggest they use the data encryption features of archivers such as WinZip or WinRAR, and send the secure data as an attachment to a regular text e-mail. When the recipient gets the e-mail, they decrypt the archive using a previously established decryption password. While this is far from perfect, it's generally secure enough to lower the risk to minimal levels.
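A pre-send check for the archiver approach described above, as an added example that is not part of the original article: it reads a ZIP's central directory and reports whether each entry is unencrypted, protected with the weak legacy ZIP 2.0 cipher, or protected with WinZip AES. The function names are hypothetical, the sample archive is constructed (real headers, dummy payload bytes), and only ZIP is covered, not RAR.

```python
import io
import struct
import zipfile

AES_METHOD = 99   # WinZip AES marker in the compression-method field
ENCRYPTED = 0x1   # general-purpose flag bit 0: entry is encrypted

def audit_archive(blob):
    """Map each entry name to 'plaintext', 'zipcrypto' or 'aes'.

    Only the central directory is read, so no password is needed; the
    entry names of a password-protected ZIP are normally visible this way.
    """
    report = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if not info.flag_bits & ENCRYPTED:
                report[info.filename] = "plaintext"
            elif info.compress_type == AES_METHOD:
                report[info.filename] = "aes"
            else:
                report[info.filename] = "zipcrypto"  # legacy ZIP 2.0 cipher
    return report

def safe_to_send(blob):
    """True only if the archive is non-empty and every entry uses AES."""
    report = audit_archive(blob)
    return bool(report) and all(kind == "aes" for kind in report.values())

def build_sample(entries):
    """Constructed archive for the demo: real headers, dummy payload bytes."""
    body, cdir = b"", b""
    for name, flags, method in entries:
        raw, data = name.encode(), b"\x00" * 16
        common = (20, flags, method, 0, 0, 0, len(data), len(data), len(raw), 0)
        cdir += struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 20,
                            *common, 0, 0, 0, 0, len(body)) + raw
        body += struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", *common) + raw + data
    eocd = struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, len(entries),
                       len(entries), len(cdir), len(body), 0)
    return body + cdir + eocd

SAMPLE = build_sample([("report.docx", ENCRYPTED, AES_METHOD),
                       ("budget.xls", ENCRYPTED, 8),
                       ("readme.txt", 0, 0)])

if __name__ == "__main__":
    print(audit_archive(SAMPLE), safe_to_send(SAMPLE))
```

Because entry names are readable without the password, a descriptive file name can disclose what the attachment contains even when its contents are encrypted.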

Summary

I must stress that data encryption is only one of the tools in a comprehensive Internet security setup. Regardless of the sales pitches, remember that the lowest common denominator in Internet security is people, not technology.

