Buying encryption? Five good questions to ask before you do – We Live Security (blog)

Posted on by

General Data Protection Regulation (GDPR) together with the growing number of data breaches are the most pressing reasons why small and medium businesses are implementing data protection technologies including encryption.

However,with limited time and themarket flooded by various products, it can be a difficult task for companies owners and decision-makers to find the right fit for their needs.

If you are faced with the decision yourself, avoid pitfalls in selecting an encryption product by asking the following questions:

This might seem like a pointless question with an obvious answer; systems are more liable to theft when away from the office. But making this distinction and keeping it in mind is the right place to start and when you have settled on a solution, be sure to test its effectiveness at managing problem scenarios for your remote users.

All major endpoint encryption products offer the means to manage remote systems, but look carefully at the requirements. Most need either an open incoming connection to a demilitarized zone (DMZ) on your server, or a VPN connection. All involve a higher level of IT skills that can add additional costs and, in orderto function, may require the user to initiate the connection; not much use with a rogue employee or stolen laptop.

A well-designed product will give you the remote management necessary without creating additional security problems, requiring specialist knowledge, or adding expense to the project.

Being able quickly tovary security policy, encryption keys, features and operation of endpoint encryption remotely, means that your default policy can be strong and tight. Exceptions can be made only when and where they are needed, and reverted just as easily. If you cant do this youll be forced to leave a key under the doormat, just in case tearing holes in your policy before deployment is complete.

The answer might be crucial if a company computer with full-disk encryption gets stolen while in sleep mode or with the operating system booted up. Its even worse if those systems come with the pre-boot password affixed on a label or tucked in the laptop bag. If a remote lock or wipe function is not available, then the system is either unprotected or secured only by the OS password, with the encryption being bypassed in either case.

Similarly, it is important to know whether the solution has been designed to accommodate the typical use cases that would otherwise unravel a well designed security policy.

With an array of writeable devices that people use for their everyday work, it is almost impossible for the admins to whitelist each and every one of them, and decide whether its permissible to read from, write to, or not access the device at all.

It is much easier to set a file-level policy distinguishing between files that need encryption and those that dont and keep these protected every time they move from workstation or corporate network to any portable device.

In other words, if you connect your own USB stick, it wont force you to encrypt your private data; anything coming from the company system, however, will be encrypted without the keys being held on your device.It is a simple idea, but one which makes any device safe, without the need for whitelisting.

In the end you need to figure out if the solution you want to use is easy to deploy. If the setup of the solution takes hours or even days and needs additional tools for its operation, it might cause new headaches for company sysadmins and create new security risks. Aim for an easy-to-deploy solution that doesnt require advanced IT expertise and preservesboth finances and yourhuman resources. If the user experience mirrors that easy deployment, then IT staff wont be further taxed by user lockouts, lost data and other frustrations.

All validated, commercial encryption products have been more than strong enough for many years, yet a significant proportion of the recorded data breaches involving lost or stolen laptops and USB drives happened to organizations who had bought and deployed encryption products.

Reading the case notes for these incidents reveals that being able to fit the solution toyour environment, working practices and making encryption easy for everyday users as the real challenges.

Author Ondrej Kubovi, ESET

Read the original:
Buying encryption? Five good questions to ask before you do - We Live Security (blog)

Related Posts
This entry was posted in $1$s. Bookmark the permalink.