As compliance regulations start mandating encryption and key management, we are seeing more and more companies stepping up their data security policies. One important thing to realize is, that just because you are implementing encryption, it doesn’t necessarily mean that you are doing it correctly and will meet regulations such as PCI DSS, HIPAA/HITECH, State Privacy Laws, etc.
We have compiled a list of the top ten encryption pitfalls that your enterprise needs to be aware of.
1) Encryption Key Management
Encryption requires a proper key management strategy. This means protecting and isolating encryption keys from the data that they protect. For most companies this means using a proper key management solution across all of their servers and applications. Townsend Security offers Alliance Key Manager to help meet key management and compliance regulations.
2) Completeness and Compatibility
It’s not uncommon for some encryption solutions to only implement a partial specification of AES encryption. There are nine encryption modes (five for business data) that can be used with AES encryption. An incomplete solution that encrypts with one mode — such as CBC — will leave you unable to decrypt with another mode like ECB. This incompatibility makes transferring encrypted data from one server to another difficult or impossible. Townsend Security’s Alliance AES Encryption is NIST-certified on all five modes for business data.
3) NIST Certification
As regulators refine the requirements for encryption and key management, the certification of products to NIST standards is more important. The recent 2009 HITECH Act makes specific reference to the NIST standards for encryption and key management. Many vendors of encryption solutions ignore NIST certification leaving their customers exposed to these evolving regulations.
The impact of encryption on servers and applications is often an unpleasant surprise as companies implement their data security plans. There are large differences in the performance of vendor solutions. The performance impact of encryption can delay or derail data security efforts.
5) Application Modifications
Implementing encryption at the database level often involves some application redesign and modification. This requires work by companies and their vendors. This work is often unplanned and unbudgeted, causing financial and human resource problems. It is important to make sure your application modifications are minimal.
6) Quality Assurance and UAT Testing
When applications and databases are modified to implement encryption, there is a need to re-certify them for accuracy, reliability and performance. Many companies find this effort larger than the effort to implement encryption.
7) Data Leakage to QA and Test Environments
Every company that maintains business applications must keep a set of data available to the developer and user acceptance teams so that changes can be adequately tested. Often the data used in these test environments contains sensitive information. Good practice requires proper protection of this information using encryption, masking, or tokenization.
8) System and Compliance Logging
A common question asked by auditors is “How do you know who decrypted a credit card number?” Unless your encryption solution has integrated compliance logging, you may not know who is viewing sensitive data in your database systems. Compliance logging is often overlooked by vendors of encryption systems, leaving companies perplexed in the event of a data loss. Townsend Security offers Alliance LogAgent for the IBM i or Syslog-ng as both an application or appliance.
9) Key Access Controls
Encryption and key management access controls are essential to an encryption strategy. Can you specify who has access to the HR encryption key for payroll processing? The ability to restrict the use of encryption to specific users and groups is an essential security control.
10) Virtual and Cloud Platforms
Encryption and Key Management in VM and Cloud environments pose special challenges. The PCI SSC virtualization group indicates that security concerns are much higher in these environments. Currently there is no standard for implementing key management in the cloud environment.
In conclusion, there are many factors involved when choosing the right encryption and key management solution for your enterprise. Additionally, once chosen, it is also important to make sure that it is implemented correctly. For more reading on encryption and PCI, we have written a white paper titled Encryption Key Management Requirements for PCI.