GSN February Digital Edition

More documents

Recommendations

Info

Campbell on Crypto Encryption Basics: Three Steps to Better Data Protection By Shawn Campbell In previous columns for Government Security News, I’ve said that security professionals need to accept the fact that security breaches will happen. Perimeter security isn’t sufficient for protecting your organization from breaches. For overall protection of sensitive data, you have to focus on safeguarding your data, not just your network. That means encryption. Encryption is the hot topic in cybersecurity. It’s at the core of many security tools we use for everyday transactions and communications. And because it protects data in motion and data at rest, it’s often thought to be the holy grail of data protection. During the encryption process, plaintext (data in its original format) is encrypted through an algorithm into unreadable ciphertext (the result of applying a cryptographic cipher to plaintext). The encryption process generates cryptographic keys that can be used to lock (encrypt) and unlock (decrypt) the ciphertext. Effectively protecting your data boils down to three steps, and at The growth of huge volumes of often-sensitive data transmitted across networks presents real risks ranging from malicious attacks to unintentional transmission errors. their core they all involve encryption: • Know your data. You have to know what you need to protect. • Protect your data. Once you’ve identified the data you need to protect, you have to encrypt the data to keep it safe. • Manage your protection. Encrypted data requires encryption keys to lock and unlock data, and you have to be sure your keys are all securely stored and managed. It’s important to remember that 32 encryption inherently applies protection to the data itself. Even if your perimeters are breached, your data is still protected. That should offer some relief in these days of more frequent network security breaches, and it underscores the reason you should extend your controls from protecting the perimeter to protecting the data. Now let’s take a closer look at each of the three steps for effective data encryption. Know your data First, you need to catalog the data you have, and determine its level of sensitivity. Then you must assess where it resides, and what protections are in place for the sensitive data. Some key questions to ask are: • Is it in a physically secure environment? • It is accessible only to people who need to see it?
• It is accessible if is it accidentally or deliberately released? As you catalog your data, start with your data centers on-premise and then move to your cloud and virtual environments. Examine data in storage, file servers, applications, databases, and even removable media. Don’t forget data that travels across your network. Remember, when data leaves your organization’s borders, you lose control of it. Protect your data The place to start here is data in motion. The availability of greater bandwidth has allowed us all to exchange information faster and more frequently. Unfortunately, the growth of huge volumes of oftensensitive data transmitted across networks presents real risks ranging from malicious attacks to unintentional transmission errors. Therefore sensitive data in motion— whether it’s moving across your network or traveling between your data centers—must be encrypted. There are two main types of network encryption for Ethernet networks: integrated or dedicated. Integrated encryption capability within routers is sometimes called ‘onboard encryption’ or Layer 3 (Internet Protocol Security – IPSec) encryption. Dedicated encryption is hardware-based and is referred to as Layer 2 encryption. In general, dedicated encryption is the preferred way to protect data in motion. Compared to Layer 3 (IPSec) encryption, Layer 2 networks can be secured and encrypted with dedicated appliances without any loss of speed and performance, minimal management, and greater reliability. This results in a comparatively lower cost per gigabyte. But data in motion is only part of an effective data protection strategy. After all, data is not only at risk when in motion, but also when at rest on your servers or in storage. For storage and media, the choices are generally straightforward – usually an “encrypt all or nothing“ approach. For servers, there are many different options that enable you to encrypt dynamically. You can encrypt specific files or folders, have applications that make custom encryption decisions, encrypt specific columns of structured data, or encrypt entire disks. These choices, and the rules that can be applied along with them, are a vital part of your in-depth data defense. Manage your protection 33 In addition to employing strong encryption, it’s vital that your cryptographic keys are treated with the same level of care. Remember, the only way to decrypt or unlock encrypted data is through the accompanying keys. Indiscriminately protecting these keys counteracts the entire process of encryption and creates a false sense of security. Therefore, the security deployment should utilize best practices for both encryption, as well as key management. For maximum security, dedicated hardware key management protects sensitive cryptographic keys from attack. Its high security design ensures the integrity and protection of encryption keys throughout their lifecycle. Storing cryptographic keys and certificates in hardware that wraps multiple levels of security eliminates the risk of loss or theft, and is the only definitive method of ensuring and enforcing trusted, granular security policies. By thoroughly understanding these three steps to encrypting data, you have the foundation for any successful data protection strategy. Shawn Campbell is VP of Product Management, SafeNet Assured Technologies. He can be reached at Shawn.Campbell@safenetat.com
Page 1 and 2: Government Security News FEBRUARY 2
Page 3 and 4: NEWS AND FEATURES U.S. Transportati
Page 5 and 6: Security Career Option #47: Critica
Page 7 and 8: Enterprises just can’t afford to
Page 9 and 10: harm human health and the environme
Page 11 and 12: New generation. New possibilities.
Page 13 and 14: PMR even further, by ‘shingling
Page 15 and 16: Former Mexican President says count
Page 17 and 18: 800 people die each year in acciden
Page 19 and 20: t prepares for dramatic two-year gr
Page 22 and 23: Perimeter Protection/Intrusion Dete
Page 24: Exciting News from the News Leader
Page 27 and 28: een spared to ensure a no-hitches i
Page 29 and 30: INCORPORATING INCORPORATING THE THE
Page 31: their whereabouts before the explos
Page 35 and 36: Siemens and IBM team on next genera
Page 37 and 38: Oil & Gas sector needs long-term th
Page 39 and 40: FAA announces nearly 300,000 operat
Page 41: The News Leader in Physical, IT and

GSN February Digital Edition

Create successful ePaper yourself

Delete template?

Save as template?