This week brings part two of the "Data Privacy for the Non-Technical Person" series. Last week we determined what constitutes personal information that needs to be protected. This week Patrick Townsend, Founder & CTO, talks about how organizations are protecting sensitive information, how encryption and key management relate to each other, and what happens when encryption is not done correctly. If you are jumping in mid-stream, you can read part one here. Additionally, you can download our podcast titled "Data Privacy for the Non-Technical Person" to hear our conversation in its entirety.
How do organizations protect sensitive information?
They use a number of techniques. Some of them are pretty obvious. Businesses use anti-virus software and software to detect intrusions on their network, as well as making sure they have a secure web site if they are taking sensitive information from you over the internet. And then they do some things that most people might not be aware of. A business that is trying to protect your personal information will do some things that are procedural in nature – for example a lot of companies will now make sure all new employees have a background check.
Companies are also doing things that help make their data very difficult to steal. Encryption, which is the process of taking a credit card or social security number and turning it into an encrypted value, makes stealing data near impossible.
Companies who are really trying hard to protect information of their customers and employees are deploying a variety of tools. Encryption is probably one of the more important ones and it is one of the more difficult technologies to deploy, but certainly all of the major companies that you might do business with over the Internet will be using encryption to protect your data.
Encryption and key management have been talked about a lot lately. How do they relate to each other?
Encryption and key management go together. They are very complementary technologies. When you encrypt a credit card number, you have an encryption algorithm that takes your credit card number and turns it into something totally different. But another important input into that process is a secret key. Many people think that the encryption algorithm itself is some kind of secret mechanism, which isn’t the case. Encryption is well understood. There are standards for it and it is readily available. What is really the secret that prevents losing data is the encryption key – just like the key to your front door is what protects your house. An encryption key works very much in the same way. Companies that use encryption really have to create a key that is very unique and very strong, and they have to protect it so that it doesn’t escape into the wild. Anyone that has the encrypted data and the encryption key really can get the sensitive data back. In the real world of protecting data with encryption, measures are taken to protect the encryption key – that is the real secret that people are trying to protect in a business environment.
What happens when encryption is not done correctly?
There are many ways that encryption can be done poorly or incorrectly. We see that sometimes around the area of encryption key management. For example, storing an encryption key on the same platform as the data that it is protecting is just bad practice. Sometimes you hear the term “integrated key management” or people say “we are storing the encryption key in a database file and we have locked that database file down.” These are really poor practices and, in fact, cannot meet compliance regulations about encryption key management. So, that is just one example of encryption that is done badly.
Other examples are just using non-standard or proprietary encryption. The CUSP mode of AES encryption, for example, is not a standard mode and is a proprietary protocol that can’t be a part of true compliance. It is just another example of running off the rails in terms of best practice for encryption. A company that is purchasing encryption technologies should really examine their vendors carefully. I always point back to NIST certification because it is the bottom-line indication you have that the encryption product is a good quality solution.
Here is another interesting thing that I think people sometimes forget. If you have a data loss, it is going to be your problem, not the vendor’s problem. Even though you may have acquired a solution that is not right, it is still going to fall on you. It is going to be your headache to solve, your customers that are upset, and your financial loss when data gets out. The loss of trust from your customers and employees is also difficult. For all these reasons, I think paying attention to encryption technologies is a good idea.
Stay tuned for our next and final installment in this series. Download our podcast “Data Privacy for the Non-Technical Person” to hear more of this conversation.