2014 marks the 25th anniversary of the creation of the World Wide Web. From its earliest beginnings, users have demanded security for their sensitive information and web sites have universally responded by supporting encryption protocols such as SSL/TLS to encrypt data as it moved across the wires.
Since those early days, encryption has come a long way. Its use is no longer limited to the companys web site. With data privacy legislation, data breach disclosure laws, organized crime and more recently, concerns over state sponsored cyber-attacks and government surveillance, the use of encryption has become pervasive, a last line of defence if the data is encrypted, who cares if it gets stolen.
Respected media outlets have refereed to 2014 as the year of encryption. That sort of prediction raises concerns even for people that have been working with encryption technologies for years; those in the banking sector and governments know what the implications are, but for the rest of us this is a step into the unknown.
The rise of encryption technology is now proliferating within many organizations at a prodigious rate. Encryption is deployed in the cloud and on premise; for protecting data at rest, data in motion and data in use; in databases, on memory sticks, in email, in storage networks; the list goes on.
The trouble is that in almost all cases these encryption deployments will rely on point solutions which, although they might use familiar sounding encryption algorithms (AES, RSA etc.), are far from compatible, creating security pockets that are tied to individual applications or elements of IT infrastructure. Inevitably, at an enterprise-wide level, organizations will suffer from fragmentation and inconsistency, or encryption sprawl.
Encryption sprawl can be a major headache for any organization. Sprawl drives up the costs of managing the myriad of encryption devices, it increases the risk of error, makes compliance and forensics more painful and limits flexibility all at a time that resources are under pressure to do more with less.
So just how can an organization prevent encryption sprawl? Here are three top tips:
Understand your environment - discovery, consistency, certification
Even if encryption sprawl in your organization is unavoidable, at least focus on consistency and quality. Keep a record of where encryption is being used and define an internal set of approved algorithms (NIST 800-131 is a good start) and avoid proprietary algorithms completely. Where possible, select products that have a formal security certification where the implementation of product has been independently validated (the FIPS 140 validation program is the most widely recognized).
And finally, make sure that these disparate encryption systems are kept up to date and patched correctly. The recent Heartbleed vulnerability illustrates this need very well. Taking these measures wont do much to address the inefficiency of sprawl but they will at least help you know where you stand, avoid basic vulnerabilities and prepare you for the next step.
Original post:
Is your encryption getting out of control?