View our Webinar "Top 10 Encryption and Key Management Pitfalls"
We’ve heard a lot of different excuses and reasons for a company to decide not to encrypt sensitive data — ”it’s not in our budget”, “a data breach won’t happen to us”, etc. For the companies out there who are taking responsibility to protect their customers’ sensitive information with encryption, we also often see these companies fall prey to a few common pitfalls that make their encryption strategy weak. A weak encryption strategy isn’t much better than having no encryption strategy at all. Here are the top 10 encryption pitfalls to avoid in order to implement strong encryption:
1. Failure to Asses Risk
We are still finding today a lot of organizations and companies that have not implemented any type of data protection at all. When we talk to a company taking credit cards and not encrypting that credit card information, we know that they've not properly done risk assessment on what it means to fail a PCI-DSS audit or have a breach when you're not meeting PCI-DSS standards. The risks associated with a data breach not only include fines paid to the government, but also the cost of credit monitoring for your customers with compromised data, loss of trust from stakeholders, and damage to your brand name.
2. Encryption Key Management
Once you start an encryption project you’ll be faced with the one, core technical requirement: protecting the encryption keys. One of the biggest causes of audit failure for encryption is not adequately protecting those keys. Getting a secure, FIPS 140-2 compliant key management device in place to protect your encryption keys will help you avoid having to go back and re-do your encryption project using proper key management.
3. Client Side Support
Does your vendor supply you with all of the tools you need to implement encryption and key management? Choosing a vendor the provides poor client-side support can be a huge detriment to your encryption project. That is why it’s important to choose a vendor that will provide sample code and applications that snap into client-side environments to make your encryption project faster and easier.
4. Virtual and Cloud Environments
Today, security is the number one concern for companies migrating to the cloud. The principles of encryption and key management remain largely the same, but the question of how to manage keys for encrypted data in the cloud is still debated. Hosting encryption keys “in-house” is currently the most common model. Even if you’re managing your encrypted data in-house, be aware that you may choose to move to a virtual cloud environments in the future, and you will want to make sure that your encryption strategy and key management strategy can migrate with you to the cloud
5. NIST and FIPS Certifications
Industries that deal with sensitive client information such as credit card numbers, social security numbers, and private health information must adhere to regulations (some of them governmental) in order to protect individuals’ personal and sensitive information. These regulations follow recommendations by the National Institute of Standards and Technology (NIST). When protecting data at rest, you should be using Advanced Encryption Standard (AES) encryption, which is a standard put forth by NIST. You should also look for a key management device with FIPS 140-2 validation, also a NIST standard.
6. Performance - What are the Performance Impacts?
It’s possible to encounter serious performance impacts when you implement encryption. That’s why we not only recommend you use only AES and NIST certified solutions, but that if you’re the IT person dealing with the encryption, that you do some preliminary testing of the encryption on a sample database the same size as the actual database you will be encrypting. Your encryption and key management vendor should be able to help you do this with ease.
7. Ease of Use
An encryption and key management solution that is difficult to use can lead to a slowed project, unexpected costs, and delays. This can be a huge roadblock, especially if you are struggling to address a data protection problem or meet deadlines imposed by compliance regulations. To avoid ease-of-use problems, look for a solution with a GUI interface designed to run on your platform and allows you the necessary points of access to your encrypted data and encryption keys.
8. Data Leakage to Quality Assurance (QA) and Test Environments
Segmenting your critical data apart from non-critical data is an important step in preventing leakage of the critical data onto unprotected environments such as testing and development environments. Simple employee mistakes make up a large portion of data breaches that occur every year. Knowing which servers your sensitive data is located on and making sure that data doesn’t accidentally get moved to and unsecured location is critical.
9. System and Compliance Logging
Most compliance regulations including PCI-DSS recommend if not require some sort of system logging of your critical data. Whether it is file integrity monitoring or system logging to collect and store security events, these tools help you to catch changes to your database in real time. This is actually one of the most important parts of data security, and many data breaches can be immediately detected with system logging.
10. Budget Should Not Be a Barrier
When implementing encryption and key management, trying to save money by skipping steps will cause you a great deal of grief. Conversely, your encryption and key management vendor should be able to offer you a NIST certified, scalable solution at an affordable price.