Data protection: How to develop an enterprise encryption strategy (1)

Source: Internet
Author: User
Keywords: Data protection
End-to-end encryption policies must take into account everything from input to output and storage. Encryption technology falls into five categories: file-level or folder-level encryption, volume or partition encryption, media-level encryption, field-level encryption, and communication content encryption. They can be further distinguished by where the encryption keys are stored.

Consider the grim forecast: according to the US Privacy Information Exchange, one-third of the U.S. population will this year encounter the loss or leakage of personally identifiable information held by companies that store data electronically. Whether or not that number is exact, the public knows about a staggering number of data leaks. Who is to blame? Hackers and careless employees, of course. But companies that do not encrypt confidential data should also be held accountable, and ultimately it is the companies that must answer for the far-reaching consequences. Failure to protect confidential data threatens customers, damages corporate reputation, and in some cases is illegal. According to Warren Smith, vice president of marketing at GuardianEdge Technologies, 16 of the country's existing 20 privacy laws require encryption to protect confidential consumer data.

Unfortunately, operating system and application vendors have not made it easy to develop a comprehensive encryption strategy, and existing laws and standards often conflict with one another or provide only normative guidance. Nevertheless, every company that stores sensitive data should build its encryption policies tightly around a complete, end-to-end strategy. "Encryption has to be used consistently, and it has to be implemented by default," said Stephen Roll, a product manager at Iron, a data-protection company. And it should be as transparent as possible. For example, if we back up data over the Internet, we encrypt it before the transfer. In this way the data is protected in transit: it is encrypted with 128-bit AES before it is transmitted to the storage medium.

"Any data that can be used to identify an individual, organization, company, or entity must be protected against unauthorized access during creation, transmission, processing, and storage." Confidential information is especially at risk when it is transmitted over untrusted networks such as the Internet, or stored on portable computing devices: laptops, data backup devices, USB flash drives, PDAs, and other small computers. A comprehensive encryption strategy must take into account every aspect of data from input to output and storage.

Attackers increasingly favour client-side attacks: they entice unsuspecting, legitimate employees into installing Trojan horses or keystroke loggers, and then use those tools to reach the data. Some malware also captures data as it crosses the network. Data stored online or in physical archives can likewise be compromised. End-to-end policies must also protect data sent to business partners and third parties. Even the simplest approach requires encryption in the following areas: wired and wireless network links, hard disks, floppy disks, CD-ROMs, DVDs, backup media (tapes, WORM drives, and so on), e-mail, instant messaging (IM), peer-to-peer traffic, PDAs, databases, USB keys, passwords, and active memory.

Developing an encryption strategy requires extensive review and work, and it is best treated as a major project involving key members of the business, management, and IT. Bring together the key stakeholders who use the data and explain the project's tasks. The whole team must identify the applicable regulations, laws, guidelines, and external factors that may affect procurement and implementation decisions, and then identify the high-risk areas, such as laptops, wireless networks, and data backup devices.
Encryption is useless if an attacker can reach confidential data directly without having to defeat any encryption at all. A successful strategy therefore defines a robust access-control approach that combines file permissions, passwords, and two-factor authentication, and access controls must be reviewed regularly to confirm they remain effective.

Investigate the different encryption solutions, read technical reviews, and talk to the customers of the vendors you are interested in. There is no substitute for trying a product first, because what works for one company may not work for another. Finally, choose the one or more solutions that best suit your company.

Before deployment, write a policy that management approves, and deliver policy and operational guidance to end users, including the business partners and third parties that handle sensitive data; if they cannot meet the company's policy and prove it, they do not get your data. Decide who is responsible for encryption and what the consequences of non-compliance are. Consider deploying tools that monitor for and detect the disclosure or theft of confidential information. The policy should always require that lost or stolen data be reported to key stakeholders immediately, and should spell out the specific steps to take when a leak is discovered: Who is the contact? How quickly must they be reached? When are customers notified? Who decides, and how? Are customers offered free credit reports? All of these questions should be answered in advance.

Although a proactive data-destruction policy is not strictly part of encryption, it should be implemented too. Many of this year's embarrassing data thefts involved data that should have been destroyed long before and was not destroyed in time. If data is not needed, delete it; the risk that goes with it then no longer exists. A good policy is explicit about how long data is kept (measured from its creation or availability), how it is protected, and how it is destroyed.

Optimizing encryption technology

Unfortunately, no single encryption product can protect every aspect of the data. Some vendors offer near-complete solutions, but in the end IT project managers have to assemble several products. Encryption products fall into five categories: file-level or folder-level encryption, volume or partition encryption, media-level encryption, field-level encryption, and communication content encryption. They can be further distinguished by where the encryption keys are stored.

File-level encryption protects data on a logical, file-by-file basis. It includes on-disk file and folder solutions as well as password-protected encrypted archive formats such as PKZIP. Because it protects specific files, less important files do not consume the extra resources that encryption and decryption require. File-level encryption programs are the most mature class of encryption product and generally rely on the same reliable, standard algorithms: Triple DES (3DES), AES, Diffie-Hellman, Blowfish, and RSA. File encryption is often built into the operating system: Microsoft has the Encrypting File System (EFS), and Mac OS has FileVault. Operating-system-level encryption is often problematic with new types of portable media or across foreign volumes and partitions, which is why application-layer file encryption solutions emerged. The most popular is PGP, available in both open-source and commercial versions. Folder-level encryption products encrypt the contents of an entire folder, such as the Windows My Documents directory or a user's home directory on Linux or Mac OS.
Note that many products that appear to encrypt a folder do not encrypt the whole folder as a single object; they encrypt each file in the folder individually, using a key specific to that file, a folder master key, or both. Microsoft EFS, for example, encrypts each file with its own unique symmetric key (even when the whole folder is selected for encryption), and that symmetric key is shared by all participating users. The shared per-file key is then itself encrypted with each user's asymmetric key, producing one wrapped copy per user.

While file-level products are among the most popular and sophisticated solutions, a major drawback is making them less popular with users: file-level encryption is poor at preventing leaks of unprotected data. Suppose, for example, that you have file-level encryption on every file in a private documents folder. The specified files are protected, but the temporary files that the application or operating system creates when a document is opened, copied, or moved are almost certainly not. Unless the user knows exactly where the data may be temporarily stored and protects every such location, a disk analyser is likely to find unprotected remnants.

Several encryption solutions address this significant weakness of file-level encryption by encrypting the entire volume or partition on which the files reside. This can be implemented at the operating-system level or in an application. Some volume encryption products work by creating one large logical file that represents the entire volume; when data is copied to the volume, it is added to that large encrypted file as a contained element. Other volume encryption products add custom device drivers that interact with the operating system and perform encryption and decryption transparently for normal file read and write operations. TrueCrypt is one of the more popular open-source volume encryption solutions. A major drawback of volume or partition encryption is that if the disk or volume is damaged, the entire volume becomes unusable, and if a compromise occurs, every protected document is exposed at once. An intruder may also be able to plant malicious code that intercepts data passing between the volume encryption program and the disk, which effectively leaks all of the data in plaintext.

Protecting dynamic data

Storage-level encryption products are the most reliable class of encryption solution, and for that reason they deserve serious consideration. They can encrypt an entire disk (known as full-disk encryption) or all data transferred to a medium such as a sequential tape backup. Storage-level encryption can be implemented in application software, in the operating system, or in hardware.

Databases that need protection typically require field-level encryption. It can encrypt each column or row of data, but it is usually best to encrypt each data element individually. In practice, the data is encrypted before it is written to the database table and decrypted on the fly when it is read. This poses additional challenges for indexing and searching, because those mechanisms must first understand the field-level encryption scheme used to store the data. Few field-level encryption products on the market work across different databases or applications; most are tied to a specific database or application, or require custom programming. Microsoft, IBM, Oracle, Sybase, and other established database vendors offer field-level encryption solutions.
Protecting data that crosses unsecured networks is essential. Web traffic relies on the TLS standard; other network transports and VPNs are commonly protected with SSL, SSH, or IPsec. E-mail can be protected with asymmetric encryption tools such as PGP or S/MIME. Other kinds of network traffic, such as peer-to-peer and instant messaging (IM), must also be authenticated and encrypted, and doing so is increasingly common.

If you have to protect data across multiple platforms and devices, an integrated solution can work. Although no single product meets the needs of every kind of confidential data, many cover a wide range of needs. Several solutions protect hard disks, laptops, removable storage media, USB keys, CD-ROMs, and DVDs, and offer centralized management and key recovery. A single product can often simplify management and reduce costs. According to Andrew Krcik, vice president of marketing at PGP, the company's NetShare solution can encrypt shared files across multiple applications, covering files, e-mail, IM, laptops, and PDAs. "Users can encrypt files on the server, across the network, and on the local computer, all with a single key."

The key to the data kingdom

Another way to divide the major encryption schemes is by where the cryptographic operations are performed and where the encryption keys are stored. For most software-based solutions, encryption and decryption take place in the computer's general memory. Hardware-based solutions, such as smart cards and cryptographic tokens, handle keys in dedicated memory that only the hardware device can access. The latter approach is much safer and also operates considerably faster. Many products store encryption keys on the protected computer itself; such a key should itself be encrypted and protected by a long passphrase or by another hardware device.

Today, encryption keys are increasingly stored on hardware devices. Smart cards are commonly used for two-factor authentication, but more general-purpose devices are being developed to strengthen encryption further. Most PC motherboards will soon carry a Trusted Platform Module (TPM) chip that can securely store cryptographic keys for a range of operating systems and applications. Microsoft's upcoming BitLocker technology, part of the Vista operating system, can store volume encryption keys on the TPM chip. A TPM-based solution defends against a newer class of software-based attack: as a reminder, many products have been found to store their encryption and decryption keys in plaintext in ordinary memory.

The final and most important point: do not deploy encryption unless you can reliably store and manage the keys. Good encryption is a double-edged sword; if the decryption key is lost or corrupted and no recovery method exists, the data is gone for good.

Encryption drives current security trends

The decryption key is at the core of both controlled rights and self-deleting data, the two current waves of data protection that use encryption to achieve their goals. EMC's Documentum 5 application suite lets you create documents with built-in controlled rights. The latest release strengthens access control and retention-policy management, allowing users to set policies outside the Documentum repository. This is done mainly by encrypting the content at creation, before the policy is set and the content is exported. To read a record or document, the associated application, such as Acrobat Reader or Office, must contact the central policy server to obtain the decryption key. To delete a document or deny access to it, the authorizing agent changes the access policy or deletes the key.
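The per-file key model described for EFS in the file-level section above, together with the key-recovery point just made, as an added example in Go (my code, not the article's, Microsoft's or any vendor's): each file gets its own AES-GCM key, that key is wrapped with RSA-OAEP for every authorized user plus a recovery agent, and revoking a user only removes their wrapped copy. The principal names, the recovery-agent role and the key sizes are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// EncryptedFile: content under one per-file key, that key wrapped once per principal.
type EncryptedFile struct {
	Nonce, Ciphertext []byte
	WrappedKeys       map[string][]byte // principal -> RSA-OAEP wrapped file key
}
// NewPrincipalKey makes a 2048-bit RSA key pair for one user or recovery agent.
func NewPrincipalKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }
func gcm(key []byte) cipher.AEAD { // fixed 32-byte key rules out the only error cases
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g
}
// EncryptFile seals the plaintext under a fresh file key and wraps that key for each reader.
func EncryptFile(plaintext []byte, readers map[string]*rsa.PublicKey) (*EncryptedFile, error) {
	buf := make([]byte, 32+12) // 32-byte AES key followed by a 12-byte GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	fileKey, nonce := buf[:32], buf[32:]
	ef := &EncryptedFile{Nonce: nonce, WrappedKeys: map[string][]byte{}}
	ef.Ciphertext = gcm(fileKey).Seal(nil, nonce, plaintext, nil)
	for name, pub := range readers { // principal names come from the caller (assumed)
		w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
		if err != nil {
			return nil, err
		}
		ef.WrappedKeys[name] = w
	}
	return ef, nil
}
// DecryptFile unwraps the file key with one principal's private key; no wrapped copy, no access.
func DecryptFile(ef *EncryptedFile, name string, priv *rsa.PrivateKey) ([]byte, error) {
	w, ok := ef.WrappedKeys[name]
	if !ok {
		return nil, errors.New("no wrapped file key for " + name)
	}
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, w, nil)
	if err != nil {
		return nil, err
	}
	return gcm(fileKey).Open(nil, ef.Nonce, ef.Ciphertext, nil)
}
// Revoke drops one principal's copy: no re-encryption, and the recovery agent's copy keeps the data recoverable.
func Revoke(ef *EncryptedFile, name string) { delete(ef.WrappedKeys, name) }
```

Note that, as the article warns about temporary files, this protects only the bytes passed to EncryptFile; the plaintext held in memory or written elsewhere by an application is outside its reach.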
Once a user has been granted access or other rights, the authorizing agent can revoke them in real time (that is, restrict the document to the authorized user and shut out everyone else) or revoke the document's authorization later. Documents are authenticated and encrypted when they are created and are distributed in encrypted form. When someone tries to open the document, the application contacts the document's authorizing server to confirm that the requesting user still has access; if so, the decryption key is supplied and the document opens. The result is that the document's contents remain protected unless the user prints or copies the data while authorized.

A related trend is remote data deletion, now an option for laptops, mobile computers, PDAs, and other devices that employees need to protect. After the data is encrypted, it is further protected by monitoring software and compatible devices: as soon as the device is powered on, it connects over the Internet (or the mobile phone network) to the owner's authorization server. This "round trip" connection happens without any request from the user.