GSN February Digital Edition
• Is it accessible if it is accidentally or deliberately released?

As you catalog your data, start with your data centers on-premise and then move to your cloud and virtual environments. Examine data in storage, file servers, applications, databases, and even removable media. Don’t forget data that travels across your network. Remember, when data leaves your organization’s borders, you lose control of it.

Protect your data

The place to start here is data in motion. The availability of greater bandwidth has allowed us all to exchange information faster and more frequently. Unfortunately, the growth of huge volumes of often-sensitive data transmitted across networks presents real risks ranging from malicious attacks to unintentional transmission errors. Therefore sensitive data in motion—whether it’s moving across your network or traveling between your data centers—must be encrypted.

There are two main types of network encryption for Ethernet networks: integrated or dedicated. Integrated encryption capability within routers is sometimes called ‘onboard encryption’ or Layer 3 (Internet Protocol Security – IPSec) encryption. Dedicated encryption is hardware-based and is referred to as Layer 2 encryption.

In general, dedicated encryption is the preferred way to protect data in motion. Compared to Layer 3 (IPSec) encryption, Layer 2 networks can be secured and encrypted with dedicated appliances without any loss of speed and performance, with minimal management and greater reliability. This results in a comparatively lower cost per gigabyte.

But data in motion is only part of an effective data protection strategy. After all, data is not only at risk when in motion, but also when at rest on your servers or in storage.

For storage and media, the choices are generally straightforward – usually an “encrypt all or nothing” approach. For servers, there are many different options that enable you to encrypt dynamically. You can encrypt specific files or folders, have applications that make custom encryption decisions, encrypt specific columns of structured data, or encrypt entire disks. These choices, and the rules that can be applied along with them, are a vital part of your in-depth data defense.

Manage your protection

In addition to employing strong encryption, it’s vital that your cryptographic keys are treated with the same level of care. Remember, the only way to decrypt or unlock encrypted data is through the accompanying keys.

Indiscriminately protecting these keys counteracts the entire process of encryption and creates a false sense of security. Therefore, the security deployment should utilize best practices for both encryption and key management.

For maximum security, dedicated hardware key management protects sensitive cryptographic keys from attack. Its high-security design ensures the integrity and protection of encryption keys throughout their lifecycle. Storing cryptographic keys and certificates in hardware that wraps multiple levels of security eliminates the risk of loss or theft, and is the only definitive method of ensuring and enforcing trusted, granular security policies.

By thoroughly understanding these three steps to encrypting data, you have the foundation for any successful data protection strategy.

Shawn Campbell is VP of Product Management, SafeNet Assured Technologies. He can be reached at Shawn.Campbell@safenetat.com