Virtually every regulation that comes down the pike requires organizations to encrypt some data. The Health Information Portability and Accountability Act and the latest enhancements in the HITECH Act not only suggest encryption of electronic protected health care information but also provide real protection from prosecution if information is encrypted according to prescribed methods. Implementing encryption can help manage regulatory compliance risk.
State laws from Massachusetts and Nevada also feature encryption as a critical control. The Massachusetts regulation (201 CMR 17) requires encryption of protected identity data when transmitted on untrusted networks, wireless networks and portable devices. The Payment Card Industry Data Security Standard requires in-place encryption of payment card data. Unfortunately, while encryption is a critical part of every compliance program, there is no magic pill to make it easier to choose encryption products or manage keys. It's critical to ensure that you don't shoot yourself in the foot by encrypting data that even you can't recover.
Every company that tackles the problem of encryption wishes that there were a product that would deal with transmission, storage and email. However, the sooner you face the fact that there isn't a product that offers all three of those functions, the sooner you will solve your problems.
Encryption implementation problem No. 1: Get everyone on the same page
Before we dive into solutions to common problems, let's consider one of the most annoying enterprise problems -- inconsistency. With every encryption challenge, there are many choices. Unfortunately, this often leads to many different encryption approaches being used across even small companies. This is problematic because different people using multiple products can lead to weaknesses due to inferior encryption methods or flawed configuration and use. If everyone uses the same product to encrypt files for transmission, for example, but different people select old-style WinZip encryption vs. Advanced Encryption Standard 256 (AES-256), one use will be significantly weaker than the other.
The important point to remember is that careful selection of products and the standards for their use are critical to effective protection and limiting compliance risk.
Encryption challenges and solutions
Let's take a look at a few of the problems to be solved and some popular, effective answers:
Wireless encryption: PCI guidelines and state laws require you to encrypt protected data over wireless networks. There really are only two acceptable solutions: Wi-Fi Protected Access version 2 (WPA2) or a virtual private network over an unencrypted network. Do yourself a favor, and use WPA2 at a minimum.
Portable device encryption: There are many freely licensed and commercial products that provide strong encryption (e.g., AES-256 encryption) for the file systems on thumb drives and removable disks. Bear in mind, however, that security of these products depends on your choice of password. On the flip side, if you plan to decrypt these files in the future, you will need to remember the password somehow. For most of us, that probably means an encrypted database of keys and passwords that's kept in a physically secure location. The database itself will need to be protected by the strongest password or key.
File transmission encryption: Most companies with compliance requirements need to exchange protected data with partners. This data needs to be protected while it traverses the Internet and when it sits on servers prior to and following the transfer. You have two choices to make in file transfer: the protocol or program to transfer the files and the encryption of the files themselves. While there are other options, by far the most popular choice for file encryption is Pretty Good Privacy. The recipient establishes a public/private key pair, shares the public key with the sender and the sender encrypts the file to the public key. The other decision is whether to use FTP or an encrypted protocol such as SFTP. Choose the latter. Even though the files are unlikely to be cracked, FTP exposes the account password to the Internet and may contribute to other exposures.
Many companies choose appropriate algorithms and products to meet their cryptography requirements, only to undermine their effectiveness by engaging in substandard key management. While whole books are written on this topic, here are four ways you can avoid common pitfalls:
- Assume you will need to change keys. In fact, when you establish passwords, wireless keys and public keys, design key changes into your processes. Tell your employees and partners that keys will change.
- Archive keys for all long-term storage.
- Choose strong passwords.
- Use products that help you manage keys.
The information presented here is all about standard practices that most companies should use to manage regulatory compliance risk. The essential message is that in order to comply, you must encrypt. In order to be effective, you need to use encryption consistently and with appropriate controls. The more you learn about encryption, the better you will be in choosing products, establishing standards and limiting compliance risk.