By Pat Correia, senior product marketing manager at McAfee Inc.
I was pleased to participate in ITWorldCanada.com’s recent #EncryptITWC Twitter chat and it was great interacting with IT experts and users alike over the hour! It was a great discussion around understanding the importance of encryption when it comes to protecting sensitive and confidential data from being viewed by unauthorized eyes.
One theme that emerged from the social media conversation was the question, “How do I choose an encryption solution?” Any solution you choose should align with your company’s security policies and accommodate newer aspects of IT, such as the bring-your-own-device (BYOD) trend, so that you drive efficiencies in your IT infrastructure and keep your end-users productive and happy.
With this in mind, here are some questions you should be asking when it comes to encryption.
1. What is encryption and what level of encryption do I need?
Encryption is the application of cryptography to make data unreadable without a secret, and an encryption product is often described as having two key elements: (1) a “crypto engine,” the implementation of a cipher such as AES, and (2) an encryption key. Think of it as analogous to a car: you need the engine to drive down the road, but you first need a key to get the car engine started.
Encryption makes your data unreadable to anyone, or any program, that does not hold the key. With full-disk encryption that includes the file names and directory structure used to locate the data; file-level encryption may leave names visible, which is worth checking if names themselves are sensitive. Without the correct software and the key, the data appears to be nothing but random bits. In a well-designed product the key is not the user’s password: the user logs in, typically at a pre-boot screen, with a user ID and password, and the password unlocks a stored key that the crypto module then uses. The user does not have to worry about keys or how the crypto module operates, as it is all seamless.
The standards and certifications you should look for are the generally accepted ones: Federal Information Processing Standard (FIPS) 140-2 validation of the cryptographic module, and Common Criteria evaluation (government-specified). Check that the certificate covers the exact product version and configuration you will deploy, since a validation applies only to that module. Support for Intel AES-NI (Advanced Encryption Standard New Instructions) belongs on the checklist too, but as a performance feature rather than a security assurance. Think of AES-NI as a turbo function: specific instructions in the CPU that make AES encryption operate so fast that end-user productivity isn’t impacted. Confirm the product actually uses them on the hardware you own.
2. What data do I need to encrypt? And where is my encrypted data?
Encrypting all your data is one way to go, but it is not always practical from a cost and resource perspective. Typical categories that must be protected are intellectual property, financial records, personally identifiable information (PII), and client and partner data. If you work with a partner company, they may need to encrypt as well; for example, when working with government entities, both the contractor and the sub-contractor may need to protect sensitive information. Encrypted data ends up in all the obvious places: cloud services, servers, desktops, laptops, tablets and smartphones, and also on CDs and DVDs, USB flash drives and in sensitive emails. Inventory where the data actually lives before selecting a product; a solution that covers laptops but not removable media leaves a gap.
3. Should encryption handle data at rest and data in motion?
Yes. An example of “data at rest” is data residing on your laptop’s drive, protected by disk or file encryption. An example of “data in motion” is email or a file transfer, protected by transport encryption such as TLS or by encrypting the message itself. Generally a data protection solution combines encryption with some form of Data Loss Prevention (DLP): DLP identifies sensitive content and can block it or force it to be encrypted as it moves, while encryption is what actually protects it. Data at rest becomes data in motion the moment it is attached to an email or copied to a USB drive, so both controls need to be in place.
4. How do I manage these devices?
Typically this is done through a management console, and ideally the same one used for the other security software already in the IT environment. Encryption keys and password recovery are managed here as well: the console escrows a recovery key for every encrypted device, so that a forgotten password or a departed employee does not mean lost data, and the help desk can reset a user’s password without re-encrypting the drive. The more automated this sequence and workflow is, the better off IT will be. Depending on the rate of employee turnover, endpoints will be continuously in transition, so any encryption solution must be smart and efficient. The escrow store is the crown jewel of the deployment: restrict access to it with strong authentication and audit every recovery.
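Section 1 describes the crypto engine and the key, with the user only ever typing a password, and this section describes keys and password recovery managed centrally. The Go program below is an added example, not code from the original post or from any McAfee product, that ties the two together: it derives a key-encryption key (KEK) from the password with PBKDF2, uses it to wrap a random data-encryption key (DEK) that actually protects the data, and escrows a second copy of the DEK under a recovery KEK that the console would hold, so a help-desk password reset unwraps and re-wraps the DEK without touching the encrypted data. The Volume layout, the purpose labels, the 100,000-iteration work factor and the sample data are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

const pbkdf2Iterations = 100000 // illustrative work factor; a real product tunes it to the endpoint CPU
// pbkdf2SHA256 is PBKDF2-HMAC-SHA256 (RFC 8018) for one 32-byte block, written out so only the standard
// library is needed. It stretches a password into a key-encryption key (KEK); the salt makes it per-volume.
func pbkdf2SHA256(password, salt []byte, iterations int) []byte {
	prf := hmac.New(sha256.New, password)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // INT(1): index of the first (and only) output block
	u := prf.Sum(nil)             // U_1 = PRF(P, S || INT(1))
	t := append([]byte(nil), u...)
	for i := 1; i < iterations; i++ { // T_1 = U_1 xor ... xor U_c, where U_i = PRF(P, U_{i-1})
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

// randBytes returns a fresh key, salt or nonce (crypto/rand.Read never returns an error on Go 1.24+).
func randBytes(n int) []byte {
	b := make([]byte, n)
	rand.Read(b)
	return b
}

// aead is the "crypto engine": AES-256-GCM. Keys here are always 32 bytes, so NewCipher cannot fail.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // wrong key length: a programming error, not a runtime condition
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for AES's 16-byte block size
	return gcm
}

// seal binds a purpose label as associated data so a blob wrapped for one use cannot pose as another.
func seal(key, plaintext []byte, label string) []byte {
	nonce := randBytes(12) // output layout: nonce || ciphertext || tag
	return aead(key).Seal(nonce, nonce, plaintext, []byte(label))
}

// open fails closed on a wrong key or a modified blob: without the key the data stays "random bits".
func open(key, sealed []byte, label string) ([]byte, error) {
	if len(sealed) < 12 {
		return nil, fmt.Errorf("sealed blob too short")
	}
	return aead(key).Open(nil, sealed[:12], sealed[12:], []byte(label))
}

// Volume is a hypothetical layout, not any product's format: a random DEK protects Data, and the DEK is
// wrapped under the user's password-derived KEK and, separately, under a console-escrowed recovery KEK.
type Volume struct {
	Salt, UserWrappedDEK, RecoveryWrappedDEK, Data []byte
}

// NewVolume encrypts plaintext under a fresh DEK and escrows a recovery path for it.
func NewVolume(password string, recoveryKEK, plaintext []byte) *Volume {
	dek, salt := randBytes(32), randBytes(16)
	kek := pbkdf2SHA256([]byte(password), salt, pbkdf2Iterations)
	return &Volume{salt, seal(kek, dek, "user-kek"), seal(recoveryKEK, dek, "recovery-kek"), seal(dek, plaintext, "volume-data")}
}

// UnlockWithPassword is the pre-boot login: derive the KEK, unwrap the DEK, decrypt. The user only types a password.
func (v *Volume) UnlockWithPassword(password string) ([]byte, error) {
	dek, err := open(pbkdf2SHA256([]byte(password), v.Salt, pbkdf2Iterations), v.UserWrappedDEK, "user-kek")
	if err != nil {
		return nil, fmt.Errorf("password rejected: %w", err)
	}
	return open(dek, v.Data, "volume-data")
}

// ResetPassword is the help-desk recovery workflow: the escrowed KEK unwraps the DEK, which is re-wrapped
// under the new password. Data is never re-encrypted, so this takes seconds whatever the drive size.
func (v *Volume) ResetPassword(recoveryKEK []byte, newPassword string) error {
	dek, err := open(recoveryKEK, v.RecoveryWrappedDEK, "recovery-kek")
	if err != nil {
		return fmt.Errorf("recovery key rejected: %w", err)
	}
	v.Salt = randBytes(16)
	v.UserWrappedDEK = seal(pbkdf2SHA256([]byte(newPassword), v.Salt, pbkdf2Iterations), dek, "user-kek")
	return nil
}

func main() {
	recoveryKEK := randBytes(32) // generated by and escrowed in the management console
	v := NewVolume("correct horse battery", recoveryKEK, []byte("constructed sample: Q3 forecast"))
	fmt.Println(v.ResetPassword(recoveryKEK, "new passphrase")) // <nil>: reset without knowing the old password
	pt, err := v.UnlockWithPassword("new passphrase")
	fmt.Printf("%s %v\n", pt, err) // constructed sample: Q3 forecast <nil>
}
```

Two design points carry over to real products. Separating the DEK from the password-derived KEK is what makes password changes and recovery instant, and it is also why an escrow database is so sensitive: whoever holds the recovery KEK holds every volume wrapped under it. Using an authenticated mode (GCM here) means a wrong password or a tampered key blob is rejected outright instead of silently yielding a wrong key and corrupted data.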
5. How can my IT department best deploy an encryption solution?
When choosing an encryption solution, check that it is sufficiently comprehensive and automated to fit the existing IT workflow. The solution should also identify and check the endpoint and verify its health before encrypting. Drives can generally supply this information from their S.M.A.R.T. logic; the long name describes the function: Self-Monitoring, Analysis and Reporting Technology.
For example, if S.M.A.R.T. status reports that the hard drive is about to fail, do you really want to encrypt it? Initial encryption rewrites every sector, and once the drive is encrypted, recovering data from a failed disk requires the key as well as working hardware. The encryption solution should therefore consult S.M.A.R.T. to reduce the likelihood of costly and inconvenient issues arising. These are features that help simplify the IT team’s day-to-day functions. And the more automated the sequence, the better: the console should be able to identify new endpoints and deploy to them automatically, especially considering that there are now methods to encrypt laptops in minutes. Also, if your IT department is thinking of Intel vPro platforms or already has them, the encryption solution should be able to use their remote-management features, which can reduce your cost of ownership, e.g. securely wake up your endpoints in off hours, patch them and put them back to sleep, now even over Wi-Fi. Because that out-of-band management interface can power on and control the machine, configure it with strong credentials and TLS before relying on it.
6. Can I prove my endpoints are encrypted?
You’re going to be audited eventually, either by internal or external groups. To simplify things, ensure the solution you select offers a dashboard view of your security posture through the console, and that the underlying per-device records show when each endpoint last reported itself as fully encrypted. That distinction matters when a laptop is lost: proving that the data on it was encrypted at the time, rather than merely that a policy had been assigned, is what the breach-notification decision turns on.
Thanks again to ITWorldCanada.com!