Recently there has been much discussion in the security community about point-to-point encryption (P2PE) and its potential to minimize leakage of sensitive information in high-risk environments. In this article we examine the benefits of P2P encryption for enterprise security and point out some open problems that are delaying its adoption.
How P2P encryption works
Point-to-point encryption allows an enterprise to create secure communication links between devices, or between components within a device, so that sensitive information is never exposed to the intermediate devices it passes through on the network. P2PE is most often deployed to meet the Payment Card Industry Data Security Standard (PCI DSS), but it can be used for other sensitive data as well.
For example, consider a clothing chain that operates many retail stores nationwide and processes all financial transactions through a central data center. Given the sheer number of store networks and the public nature of retail premises, it is very difficult for the retailer to guarantee the physical security of each store's LAN. It is also unlikely that trained security staff will be on site monitoring the network in every store.
By deploying P2P encryption, the retailer can limit where credit card numbers can be exposed within the sales environment. For example, a POS (point-of-sale) system that uses an encrypting credit card reader, backed by a head-office system that supports point-to-point encryption, isolates the entire store network from the card data. Because the hardware card reader encrypts the data before it reaches the POS terminal, no device on the store network can decrypt the card number. This protects card data against a range of attacks, including eavesdropping by unauthorized devices and malware infection of the POS terminals: those devices never hold the encryption keys, so they cannot recover the card numbers.
Why P2P encryption technology?
The main benefit of point-to-point encryption is that it reduces the scope of security work. In the retail scenario above, if the retailer can ensure the integrity of the hardware card readers, it need apply the strictest security controls only to the centralized back-end systems that are able to decrypt the data. In a heavily regulated environment, this approach can greatly reduce the number of systems and networks that must meet onerous compliance and monitoring requirements.
Limitations of P2P encryption technology
Although point-to-point encryption is a promising security technology, it is still not widely deployed, mainly because there are only a few mature products on the market. Shortly after the PCI Security Standards Council (PCI SSC) approved a simplified validation process for such products, several organizations wanted to deploy them but could not find a product that met the PCI SSC guidance. In many cases vendors said they were beginning to test their products, but the products were not yet commercially available. Those products are now reaching the market, and systems are gradually being put into service as vendors upgrade.
Cost is the second major limitation of P2P encryption, which usually requires considerable investment to set up and operate. This includes upgrades to POS hardware and software, as well as possible increases in the fees charged by vendors. Merchants are seeking to limit their compliance obligations, and vendors are eager to profit from this unexpected demand.
Finally, it is important to remember that P2P encryption is not a panacea. Although it reduces the need to secure remote networks to some extent, it does not eliminate the need for security controls. The most important example is strong encryption key management: if an attacker can obtain the decryption key, the solution is useless. This means that any device considered out of scope must be prevented from accessing the keys used to protect sensitive information.
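The store scenario described under "How P2P encryption works" and the key-scoping point made just above can be illustrated with a small simulation. The following Go program is an added example written for this article, not code from TechTarget or from any P2PE product; it assumes a single AES-GCM key per card reader, shared only with the back-end decryption host, and uses a constructed test card number. The POS terminal is modelled as a relay with no key material at all, so the only thing it (or anything else on the store LAN) ever handles is ciphertext, and the back-end rejects any record that has been altered or relabelled as coming from a different reader.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EncryptedRecord is the only thing the store LAN carries for a card swipe.
type EncryptedRecord struct {
	ReaderID   string // which encrypting reader produced the record
	Nonce      []byte // fresh per swipe
	Ciphertext []byte // AES-GCM ciphertext of the PAN plus its authentication tag
}

// CardReader models the hardware scanner. The key is injected at provisioning
// (assumption for this example; real readers are keyed under HSM control).
type CardReader struct {
	ID  string
	key []byte
}

func NewCardReader(id string, key []byte) *CardReader {
	return &CardReader{ID: id, key: key}
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Swipe encrypts the card number inside the reader, before any other device sees it.
func (r *CardReader) Swipe(pan string) (EncryptedRecord, error) {
	aead, err := gcmFor(r.key)
	if err != nil {
		return EncryptedRecord{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return EncryptedRecord{}, err
	}
	// The reader ID is bound as associated data, so the record only opens under that reader's key.
	ct := aead.Seal(nil, nonce, []byte(pan), []byte(r.ID))
	return EncryptedRecord{ReaderID: r.ID, Nonce: nonce, Ciphertext: ct}, nil
}

// POSTerminal is the store-side system. Under P2PE it holds no key and can only relay.
type POSTerminal struct {
	Relayed []EncryptedRecord
}

func (p *POSTerminal) Relay(rec EncryptedRecord) EncryptedRecord {
	p.Relayed = append(p.Relayed, rec)
	return rec
}

// Exposed reports whether the card number can be read straight off the wire record.
func Exposed(rec EncryptedRecord, pan string) bool {
	return bytes.Contains(rec.Ciphertext, []byte(pan))
}

// DecryptionHost is the in-scope back-end that holds the reader keys.
type DecryptionHost struct {
	keys map[string][]byte // reader ID -> key; unknown readers are rejected
}

func NewDecryptionHost(keys map[string][]byte) *DecryptionHost {
	return &DecryptionHost{keys: keys}
}

// Decrypt recovers the PAN; tampering, a relabelled reader ID or an unenrolled reader fails closed.
func (h *DecryptionHost) Decrypt(rec EncryptedRecord) (string, error) {
	key, ok := h.keys[rec.ReaderID]
	if !ok {
		return "", errors.New("reader not enrolled: " + rec.ReaderID)
	}
	aead, err := gcmFor(key)
	if err != nil {
		return "", err
	}
	pt, err := aead.Open(nil, rec.Nonce, rec.Ciphertext, []byte(rec.ReaderID))
	if err != nil {
		return "", errors.New("authentication failed: record rejected")
	}
	return string(pt), nil
}

func main() {
	key := make([]byte, 16) // constructed demo key
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	reader := NewCardReader("store-042-lane-1", key)
	host := NewDecryptionHost(map[string][]byte{reader.ID: key})
	pos := &POSTerminal{}

	rec, err := reader.Swipe("4111111111111111") // constructed test card number
	if err != nil {
		panic(err)
	}
	onWire := pos.Relay(rec)
	fmt.Println("card number visible on store LAN:", Exposed(onWire, "4111111111111111"))
	pan, err := host.Decrypt(onWire)
	fmt.Println("back-end decrypt:", pan, err)
}
```

The design point is that the store network's trust boundary is defined by where the key lives: the terminal never gets it, so compromising the terminal yields only ciphertext, and the back-end's decryption host is the single place that must carry the full weight of compliance controls.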
All in all, point-to-point encryption is a promising technology that enterprises are beginning to use to strengthen data security and shrink the scope of compliance controls, especially in payment environments. It does, however, have several significant limitations that security professionals wishing to use it must take into account. As commercial P2P products continue to mature over the next few years, enterprise adoption is likely to grow.
Original Chinese TechTarget content