Encrypting data, whether mandatory or not, takes time, money and expertise. It requires considerable resources from IT operations because encryption software can be expensive, and managing encryption keys can be complicated. It also takes significant processing power and can slow computing performance, but vendors continue to seek ways to mitigate this impact.
Debate persists as to whether mandatory encryption will make IT operations more secure in the long run. Nonetheless, a growing number of regulations require -- or tacitly encourage -- encryption, making it an increasingly popular tool for securing sensitive data.
What is encryption?
Encryption is the process of using a complex mathematical operation, called an algorithm, to alter data so only those with the decryption key (another algorithm) can read it. It is used to protect the confidentiality of information, such as financial data, patient health data and other personally identifiable information. For that reason, encryption and compliance are closely related. Encryption products typically protect data either in storage, traveling over a network, or at the application level.
Mandatory encryption standards are evolving and becoming stronger as earlier standards are broken. Pretty Good Privacy, a commonly used standard, uses a 128-bit encryption key. Another widely used encryption standard, Advanced Encryption Standard (AES), emerged out of a competition organized by the National Institute of Standards and Technology and was adopted by the U.S. government. For data transmitted over a network, Secure Sockets Layer (SSL) encryption secures the connection between a browser and server. That said, SSL encryption cannot patch the holes created by insecure software.
The term strong encryption refers to encryption that is considered unbreakable. That definition became the subject of considerable controversy in recent years as some governments tried to control the use of strong encryption with schemes to require copies of the keys. There are also export limitations for AES data encryption.
What is generally required for encryption?
Deploying encryption generally requires encryption software to generate algorithms, powerful computing capability and expertise for configuring network components and managing keys. As mandatory encryption standards and other security measures become more complex, a central public key management system is typically needed.
The volume of data stored and transported in encrypted form makes it time consuming to manage individual encryption keys for every sender and receiver. To simplify the process, a public key infrastructure (PKI) system was developed, allowing authorized users to gain access to data and networks once they have received a digital ID and access approval. The Department of Defense has urged more PKI use and less network anonymity.
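The two ideas above, a key that is the only thing separating readable data from ciphertext, and a key-management layer that can issue, rotate and retire keys without losing access to data already encrypted, are easier to see in working code. The following is an added example, not code from the original article or from any product it mentions. It uses AES-256-GCM from Go's standard library for data-at-rest encryption; the `KeyStore`, `Record`, `k1`/`k2` key IDs and the sample patient string are all constructed for illustration and stand in for a real key manager (an HSM or KMS) and real data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Record is one encrypted data-at-rest item. KeyID names the key that
// sealed it, so keys can be rotated without losing access to old data.
type Record struct {
	KeyID string
	Blob  []byte // nonce || ciphertext || GCM authentication tag
}

// KeyStore is a hypothetical in-memory stand-in for a real key manager.
// Keys are looked up by ID; exactly one ID is the current sealing key.
type KeyStore struct {
	keys    map[string][]byte
	current string
	counter int
}

// NewKeyStore creates a store holding a single initial key, "k1".
func NewKeyStore() (*KeyStore, error) {
	ks := &KeyStore{keys: map[string][]byte{}}
	return ks, ks.Rotate()
}

// Rotate generates a fresh random 256-bit AES key and makes it current.
// Older keys stay available for decryption until Retire removes them.
func (ks *KeyStore) Rotate() error {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return err
	}
	ks.counter++
	ks.current = fmt.Sprintf("k%d", ks.counter)
	ks.keys[ks.current] = key
	return nil
}

// Current returns the ID of the key that new records are sealed under.
func (ks *KeyStore) Current() string { return ks.current }

// Retire deletes a key; anything still sealed under it becomes unreadable.
func (ks *KeyStore) Retire(id string) { delete(ks.keys, id) }

// aead builds an AES-256-GCM cipher (authenticated encryption) for a key.
func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext under the current key with a random nonce. The
// key ID is bound as associated data, so a record cannot be relabelled.
func (ks *KeyStore) Encrypt(plaintext []byte) (Record, error) {
	g, err := aead(ks.keys[ks.current])
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Record{}, err
	}
	return Record{KeyID: ks.current, Blob: g.Seal(nonce, nonce, plaintext, []byte(ks.current))}, nil
}

// Decrypt opens a record with the key it names. Any change to the
// ciphertext, tag or key ID makes GCM reject the record with an error.
func (ks *KeyStore) Decrypt(r Record) ([]byte, error) {
	key, ok := ks.keys[r.KeyID]
	if !ok {
		return nil, errors.New("no key with id " + r.KeyID)
	}
	g, err := aead(key)
	if err != nil {
		return nil, err
	}
	if len(r.Blob) < g.NonceSize() {
		return nil, errors.New("record too short")
	}
	return g.Open(nil, r.Blob[:g.NonceSize()], r.Blob[g.NonceSize():], []byte(r.KeyID))
}

// ReEncrypt moves a record from the key that sealed it to the current
// key: the step that must complete for every record before the old key
// can safely be retired.
func (ks *KeyStore) ReEncrypt(r Record) (Record, error) {
	pt, err := ks.Decrypt(r)
	if err != nil {
		return Record{}, err
	}
	return ks.Encrypt(pt)
}

func main() {
	ks, _ := NewKeyStore()
	rec, _ := ks.Encrypt([]byte("patient=0000 dob=1970-01-01 (constructed)")) // constructed sample
	_ = ks.Rotate()
	rec2, _ := ks.ReEncrypt(rec)
	ks.Retire("k1")
	_, err := ks.Decrypt(rec) // sealed under the retired key: fails
	pt, _ := ks.Decrypt(rec2) // moved to k2 before retirement: succeeds
	fmt.Printf("old record: %v\nre-encrypted record: %s\n", err, pt)
}
```

The point of the `KeyID` header and the re-encryption step is the article's warning that key-management mistakes can render a deployment useless: retiring a key before every record sealed under it has been moved to its successor is exactly the blunder that turns encrypted backups into unreadable ones, and an authenticated mode such as GCM additionally refuses data that was altered or relabelled in storage.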
What should or should not be encrypted?
In recent years, a growing body of regulations has emerged to protect a variety of data. While many of these rules do not create mandatory encryption standards, they often encourage it. For encryption purposes, data is commonly categorized by its location. Data at rest generally includes information stored in files on desktop and laptop computers, storage devices, databases, file servers, CDs, personal digital assistants and backup tapes or drives. Some analysts consider data at rest particularly vulnerable because more information can be exposed in a single attack.
Data in transit refers to data traveling across public or private networks. Security professionals widely recommend encryption for any sensitive data flowing over wireless networks. The term data in use is also sometimes used, meaning data that is being processed.
Even when it comes to laptops and removable storage devices, there remain differences of opinion about encrypting data. Some organizations encrypt all data because doing so can be faster than sorting through every portable device to determine what really requires encryption, and because it ensures the devices are covered by the encryption safe harbors in data breach disclosure laws. On the other hand, there are several arguments for encrypting only select data on portable devices, including cost, performance impact and the possibility that people will gain a false sense of security about data that requires protection.
Some security professionals advise against encrypting stored data when there is no specific need because it can be complicated and costly, and it can affect computing performance. What's more, as mandatory encryption standards evolve and data must be moved from one standard to the next, it can be subject to new vulnerabilities in the transition. Understanding wireless encryption options is essential to deploying a secure wireless network.
There are different schools of thought regarding how much data should be encrypted in an organization. A baseline approach starts with encrypting personally identifiable information because of data protection regulations in many states. Beyond regulatory concerns, an organization must consider the nature of its business and whether any additional data protection regulations apply. It should determine its exposure risks by identifying the type of data it has and where it is located. Financial data and patient health data, for instance, are heavily regulated. Businesses that don't encrypt this information run the risk of fines if the data is exposed.
In many circumstances, encryption is no longer an optional technology. It is not uncommon for businesses to begin an encryption key management process with backup tapes. Others encrypt the information at highest risk first, which often means beginning with data stored on mobile devices. Protecting data with mobile device encryption is critical, although encryption key management blunders can render deployments useless.
What is the role of encryption in compliance?
A growing body of regulations and standards has been established in recent years to protect the confidentiality of data and combat identity and financial theft. In 2003, California became the first state with a data breach notification law. As of July, 45 states plus the District of Columbia, the Virgin Islands and Puerto Rico had security breach notification laws requiring companies to disclose information about data breaches that involve personal information, but most of these laws provide exemptions to the disclosure requirement if the stolen data is encrypted. Compliance with the Massachusetts data protection act requires that sensitive personal information stored on laptop computers or transmitted electronically be encrypted in certain contexts. Nevada also toughened its data protection law with cryptographic and Payment Card Industry requirements this year.
Federal data protection regulations are on the rise as well. The 1996 Health Insurance Portability and Accountability Act (HIPAA) has been a strong motivator in the health care industry for deploying encryption. HIPAA does not explicitly create a mandatory encryption standard, but it mentions encryption as a measure for protecting both data at rest and in transit. The 1999 Gramm-Leach-Bliley Act (GLBA, officially titled The Financial Modernization Act) requires companies to conduct a risk analysis to determine whether encryption is necessary to meet compliance obligations.
The 2002 Sarbanes-Oxley Act (SOX, officially titled the U.S. Public Company Accounting Reform and Investor Protection Act) requires public companies to have internal controls over information security, and mandates encryption for data surrounding financial reporting. It also requires that companies have policies for managing encryption keys. Earlier this month, the U.S. House of Representatives passed the Data Accountability and Trust Act (DATA), H.R. 2221, the first step toward a comprehensive federal data breach notification law.
The industry-established Payment Card Industry Data Security Standard (PCI DSS) requires that cardholder data be encrypted during transmission over public networks. Canadian and European Union personal data protection laws also have implications for enterprise encryption practices.
What are the penalties for noncompliance?
Failure to comply with state and federal data protection regulations can result in significant fines. In addition to monetary penalties, GLBA, SOX and HIPAA provide for civil and/or criminal penalties in some instances of noncompliance.
Businesses subject to PCI DSS not only face fines for noncompliance but also risk losing their right to process payment cards.
This was first published in December 2009