Guest Column | August 11, 2014

How To Combat Encryption Sprawl

By Richard Moulds, VP Strategy, Thales e-Security


Encryption isn’t new, but it is gaining new momentum. Used for decades in the financial and defense industries, encryption is on the rise again due in part to recent privacy concerns, aggressive data breaches, and laws regarding the disclosure of those breaches. Organizations from small to large are now seeing encryption technology not just as a nice-to-have but as a must-have.

Encryption has historically been used very narrowly to protect specific kinds of data. Now, though, it is being more ubiquitously deployed. For example, Google and other major email service providers are now encrypting email for their users. Online retailers could not stay in business without encryption. The proliferation of mobile devices has expanded attack surfaces, requiring enterprises to use encryption within their Internet IT systems.

As a multitude of encryption tools are deployed to protect a wide variety of data, these tools tend to create security silos. While a silo is better than no security, it creates added complexity to the security landscape and increases the risk of inconsistency and fragmentation — otherwise known as “encryption sprawl.” The growing popularity of cloud services only deepens the problem. If encryption were standardized, this would not be an issue. Though there are a few widely used encryption algorithms like RSA and AES, the silo effect remains. It’s important to understand what is available and what your organization requires in terms of data security to ensure an encryption strategy that offers the maximum in data protection.

Key Encryption Considerations

Three important questions arise in light of the many encryption silos that exist:

  • How do you measure the quality of the encryption in the individual silos?
  • How do you apply consistent policies across the silos?
  • How do you protect the data as it moves between or outside the silos?

Measuring the quality of an individual encryption technology matters because building sound encryption technology is not easy. Thankfully, there are certifications specifically focused on encryption and other cryptographic systems, most notably the suite of Federal Information Processing Standards (FIPS), under which products undergo evaluation by independent labs.

Turning our attention to consistency of encryption policies across silos, the critical issue is key management — a notorious pain point. In a recent survey, respondents were asked to rate the level of pain associated with key management in their organization, where a score of 1 represented a low level of pain and a score of 10 represented a severe level. More than half of respondents scored the pain at 7 or above, and more than a quarter at 9 or above.

Part of that pain arises from the scrutiny that key management tasks understandably face from a security point of view. After all, managing secrets, keeping them secret and providing them only to legitimate users for approved functions is not easy. But some of the pain is operational: the distribution, archiving and replacement of keys has the potential to stop business processes or, worse still, destroy data forever if it is done wrong. As more encryption is deployed, this situation is only going to get worse.

As the number of keys to be managed increases, organizations are starting to seek ways to manage them that are much more centralized, with standardized policies and procedures. This is a big shift — key management is effectively morphing from being a feature of whatever encryption product was being used into being a product and market in its own right. An important catalyst for centralized key management is the arrival of the Key Management Interoperability Protocol (KMIP), a standard protocol through which all kinds of keys can be stored, distributed and backed up, with the eventual aim that keys from disparate encryption systems can be administered through a centralized, shared system — essentially, Key Management-as-a-Service.

Finally, how can data be secured as it moves between silos? Protecting data in storage or on laptops mitigates some of the risks of losing “data at rest,” but sooner or later that data moves; it is accessed by an application, shared between users or even sent to a different organization. This typically means that data is decrypted before it moves, and even if it flows over secure channels, it still creates points of vulnerability, “air gaps” where clear-text data can be picked off. The reason is simple: encryption deployed in silos means that applications in one silo can’t make sense of data that was encrypted in another. “End-to-end” encryption that spans multiple silos is a worthy goal, but once again this comes down to key management and a centralized approach whereby disparate silos can access keys and therefore access data shared from elsewhere. There are examples of where this works, for example in the area of mobile payments, but general-purpose examples are hard to find.

Knowledge Is Power
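The two key-management points above (rotation that must not orphan old ciphertext, and a shared key service that lets a second silo read data without a clear-text hop) can be illustrated in a short model. The following Python is an added example, not code from the column or from Thales; the KeyManager and Silo classes, the key names, the silo names and the access list are all constructed for illustration. The cipher is a counter-mode keystream from HMAC-SHA256 with an encrypt-then-MAC tag so the example runs on the standard library alone; it stands in for a certified AEAD such as AES-GCM, which is what a real deployment would use.

```python
"""Model of a central key service shared by several encryption silos.

Constructed example: KeyManager/Silo, key and silo names and the ACL are
hypothetical. The cipher below is an illustrative PRF-based construction,
not a standard; production code should use a vetted AEAD (e.g. AES-GCM).
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key: bytes, purpose: bytes) -> bytes:
    # Derive separate encryption and MAC keys so one key is never reused for both.
    return hmac.new(key, purpose, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    body = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; raise on any tampering."""
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


@dataclass
class KeyManager:
    """Central store: versioned keys, one access policy, old versions archived."""
    _versions: dict = field(default_factory=dict)  # name -> [v1_key, v2_key, ...]
    _acl: dict = field(default_factory=dict)       # name -> set of silos allowed to fetch

    def create(self, name: str, allowed_silos) -> None:
        self._versions[name] = [os.urandom(32)]
        self._acl[name] = set(allowed_silos)

    def rotate(self, name: str) -> int:
        # Rotation appends a version; earlier versions are archived, never deleted,
        # so ciphertext produced under them stays recoverable.
        self._versions[name].append(os.urandom(32))
        return len(self._versions[name])

    def current_version(self, name: str) -> int:
        return len(self._versions[name])

    def fetch(self, silo: str, name: str, version: int) -> bytes:
        if silo not in self._acl.get(name, ()):
            raise PermissionError(f"silo {silo!r} is not authorised for key {name!r}")
        return self._versions[name][version - 1]


class Silo:
    """An application silo that never holds keys of its own; it asks the manager."""
    def __init__(self, name: str, km: KeyManager):
        self.name, self.km = name, km

    def protect(self, key_name: str, data: bytes) -> dict:
        version = self.km.current_version(key_name)
        key = self.km.fetch(self.name, key_name, version)
        # Record which key version was used so any authorised silo can decrypt later.
        return {"key": key_name, "version": version, "blob": encrypt(key, data)}

    def unprotect(self, record: dict) -> bytes:
        key = self.km.fetch(self.name, record["key"], record["version"])
        return decrypt(key, record["blob"])


def demo() -> dict:
    km = KeyManager()
    km.create("customer-pii", allowed_silos={"database", "analytics"})
    database, analytics, marketing = (Silo(n, km) for n in ("database", "analytics", "marketing"))
    secret = b"constructed sample record: account 0000-0000"

    record = database.protect("customer-pii", secret)            # encrypted in silo A
    shared = analytics.unprotect(record) == secret                # read in silo B, no clear-text hop
    new_version = km.rotate("customer-pii")
    after_rotation = analytics.unprotect(record) == secret        # archived version still works
    try:
        marketing.unprotect(record)
        denied = False
    except PermissionError:
        denied = True
    tampered = bytearray(record["blob"]); tampered[NONCE_LEN] ^= 0x01
    try:
        decrypt(km.fetch("database", "customer-pii", 1), bytes(tampered))
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {"shared": shared, "new_version": new_version, "after_rotation": after_rotation,
            "unauthorised_denied": denied, "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(demo())
```

The record carries the key name and version rather than the key itself, which is what lets rotation archive old versions instead of destroying data, and the manager's access list is the single place where policy is enforced for every silo.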

Perhaps a golden age of enterprise data protection management will arrive one day, but until then, encryption sprawl is going to happen to one degree or another. A future-focused strategy that includes centralized policy and controls, key management and use of certified solutions can contain the sprawl. Understanding where your data is and what level of protection it needs is paramount to securing critical business data.

As vice president of product management and strategy, Richard Moulds contributes his well-respected data protection expertise and thought leadership to the information technology security activities of Thales. He has worked alongside the Ponemon Institute for 10 years developing the annual Global Encryption Trends Study.