Encryption for Data Protection

A Q&A with Patrick Townsend of Townsend Security
Encryption is one of the best defenses against data loss, giving an organization some assurance that unauthorized interlopers won’t be able to access encrypted information, no matter where it resides. Moreover, in some cases the organization may not have to notify the victims of a breach because encryption provides safe harbor. Yet many organizations still choose not to encrypt their data, at their peril. I spoke with Patrick Townsend, CEO of Townsend Security, about the benefits of encryption and key management.

Can you please explain, for a layperson, the value of encrypting PII data?
From a security perspective, encrypting PII is simply a baseline, fundamental protection that most people would expect of businesses in today’s world. If hackers are trying to steal data that’s stored on servers, it will be unusable so long as it’s encrypted. Nobody is immune from data breaches, but encryption makes sure the information is properly protected. To be able to tell your customers that you’ve protected their sensitive data, that even in the case of a breach they won’t be exposed, is a wonderful thing.

What are some of the main reasons organizations decide not to encrypt their data?
Five or six years ago people had the attitude of ‘I’ll just pay the fine if we have a data loss—it’s not a big deal.’ Well, no one thinks that anymore. We now know that companies suffer hugely with the legal liability of data breaches—there’s a lot of litigation, fines and other associated costs. Today, the problem is the perception that encryption is difficult, complex, time consuming and expensive. The reality is that these days all of the major companies have done important work in this area and encryption is not as expensive or difficult as it used to be.

If an organization encrypts their information, do they still have risk? Is there any foolproof method for encryption?
No one in the security industry will ever tell you that there’s such a thing as perfect protection—and if they do, you probably shouldn’t trust them. Encrypting your data is a substantial improvement in your security posture and an industry-wide best practice, but it’s not perfect. And encryption in and of itself is not enough. You need to manage and protect the key. We see a lot of situations where people store keys on the same server where their data is stored. If you’re not doing it right, you won’t get the real benefit of extra protection. Our analogy is that when you leave your house or apartment and lock the door, you don’t leave the key in the lock. That being said, I think key management plays a greater role in data breaches than we realize.

How can a risk manager proactively protect sensitive data and choose an encryption provider?
A good practice that’s reflected in a number of compliance regulations is to start by knowing where sensitive data is stored. It seems obvious but a lot of companies, especially mid-sized companies, have many servers and applications and they don’t know where the sensitive data is. Getting an inventory is the first step before you make any technological decisions. Then you can at least start prioritizing and addressing your issues accordingly. In the areas of encryption and key management there are well-proven standards and certification processes you can rely on when you look at vendor solutions. The last thing I’d say is to look for a vendor that can provide technology you can use out of the box, which is something you couldn’t do ten years ago.

It’s been reported that NSA can now crack encryption. How might NSA be doing this? Do they have backdoors into the various vendor encryption products, or super computers that simply run trillions of calculations?
I can only speak for our company, and tell you that we don’t implement any of the suspect encryption algorithms that have come to light recently. Our system doesn’t have any backdoors or ways to be compromised; we own all of our source code, which has been independently validated by a security lab; and we have no access to our customers’ encryption keys even when they’re stored in the cloud, so it’s our belief that our product is not subject to this concern. To me, the vulnerability really seems to be around key management, so I’m not personally concerned about this particular issue. With encryption, I don’t think it’s feasible to use a brute force attack—I don’t care how many computers you’re using. All of us who work in the security industry stay closely involved with a worldwide group of academic cryptographers who are evolving the algorithms. We continue to benefit from their work, basing our solutions on it, so there should be a level of confidence that things are being done the right way.

Any other thoughts?
I think a lot of folks are interested in cloud security, especially now with so many cloud providers out there. All of the things we’ve talked about apply in spades to data stored in the cloud. You want to make sure that the encryption is properly vetted to protect you from any added risk.

In summary…
When a client says “we’re encrypting all of our sensitive data” the expectation is—and it needs to be verified—that they’re applying this best practice across the many locations in which organizations may store, transmit and share PII data. This can include mobile devices (laptops, iPhone, thumb drives); email; online transactions; data-at-rest (corporate databases); backup tapes; and online storage solutions (cloud). However, due to cost or complexity some organizations might decide to forgo encryption in certain settings. This places the organization, employees and customers at unnecessary risk.

Safeguarding Data: Encryption, Tokenization and Hashing

A Q&A with Winston Krone of Kivu Consulting
Encryption is a best practice that helps safeguard private data “at rest” (in the database). However, most companies don’t deploy encryption. Instead, they might say they use “compensating controls” in place of encryption, which include the tokenization or hashing of data. To find out more about the differences between encryption, hashing and tokenization and the relative advantages and disadvantages of each approach, we spoke with Winston Krone, managing director of Kivu Consulting, which offers investigation, discovery and analysis to businesses facing data breach incidents.

Can you explain the difference between encryption versus hashing or tokens? What are the limitations of the hashing model?
Conceptually, they are three very different things with three very different purposes.

  1. Encryption is masking or hiding the data by changing the format so that it’s unreadable or indecipherable unless you have the means to decrypt it, so the data remains in place but gets scrambled or hidden. In a situation like a hospital where the organization needs to hold onto the data, this is the obvious method.
  2. Tokenization is a process where you’re trying not to possess the data, as with merchants who use credit card numbers, so instead of encrypting the information you store it away and assign it a key—think of it as a safe deposit box.
  3. Hashing means taking the information and running it through a mathematical formula or algorithm. There are different algorithms for different types of hashing, but whether it’s a single Social Security number or your name or the Gutenberg bible you’re hashing, you will end up with a unique code of numbers to represent the data. As with tokenization, the company doesn’t need to hold the data. The biggest limitation of hashing is that there are certain types of data that shouldn’t be hashed—especially if it’s data you need to access regularly. Data with finite values such as Social Security numbers shouldn’t be hashed because hackers have already created rainbow tables of all of the possible combinations. Another problem we see is that people who use hashing don’t always purge the system of non-hashed data.
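The limitation Mr. Krone describes for hashing finite-value data can be shown in a few lines. The following is an added example (not code from the interview, from Kivu Consulting or from Townsend Security) using only the Python standard library. A constructed 4-digit domain of 10,000 values stands in for a finite-value field such as a Social Security number; the function and class names are mine. It contrasts an unkeyed hash, which anyone can recover by enumerating the domain, with a keyed hash (HMAC) and with a random token held in a vault, neither of which the domain alone explains.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Iterable, Optional

# Constructed domain: 4-digit identifiers (10,000 values) standing in for a
# finite-value field like an SSN, small enough to enumerate exhaustively.
FINITE_DOMAIN = [f"{i:04d}" for i in range(10_000)]


def plain_hash(value: str) -> str:
    """Unkeyed SHA-256 of the value: deterministic, so precomputable for any small domain."""
    return hashlib.sha256(value.encode()).hexdigest()


def keyed_hash(value: str, key: bytes) -> str:
    """HMAC-SHA-256: still deterministic per key, but meaningless to anyone without the key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def invert_by_enumeration(digest: str, candidates: Iterable[str],
                          hasher: Callable[[str], str]) -> Optional[str]:
    """Defender's check: can this stored digest be recovered by hashing every value
    in the domain? Returns the matching value, or None if the domain does not explain it."""
    for candidate in candidates:
        if hmac.compare_digest(hasher(candidate), digest):
            return candidate
    return None


class TokenVault:
    """Tokenization (the 'safe deposit box'): the real value lives only in the vault and
    callers hold a random token that carries no information about the value."""

    def __init__(self) -> None:
        self._by_token: Dict[str, str] = {}
        self._by_value: Dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        # Reuse the existing token so the same value always maps to one token.
        if value in self._by_value:
            return self._by_value[value]
        token = secrets.token_hex(16)  # 128 random bits, unrelated to the value
        self._by_token[token] = value
        self._by_value[value] = token
        return token

    def detokenize(self, token: str) -> Optional[str]:
        return self._by_token.get(token)


def demonstrate(value: str = "1234") -> Dict[str, object]:
    """Protect one value three ways and report what an enumeration of the domain recovers."""
    key = secrets.token_bytes(32)          # hypothetical key held outside the data store
    plain = plain_hash(value)
    keyed = keyed_hash(value, key)
    vault = TokenVault()
    token = vault.tokenize(value)
    return {
        # Unkeyed hash of a finite-domain value: recovered by trying every value.
        "plain_hash_recovered": invert_by_enumeration(plain, FINITE_DOMAIN, plain_hash),
        # Keyed hash: enumeration without the key finds nothing ...
        "keyed_hash_recovered_without_key":
            invert_by_enumeration(keyed, FINITE_DOMAIN, plain_hash),
        # ... but the key holder can still match values, so the key must be protected.
        "keyed_hash_recovered_with_key":
            invert_by_enumeration(keyed, FINITE_DOMAIN, lambda v: keyed_hash(v, key)),
        # Random token: no function of the value, so nothing to enumerate against.
        "token_recovered": invert_by_enumeration(token, FINITE_DOMAIN, plain_hash),
        # Only the vault can turn the token back into the value.
        "token_resolves_in_vault": vault.detokenize(token) == value,
    }


if __name__ == "__main__":
    for name, result in demonstrate().items():
        print(f"{name}: {result}")
```

Two points follow from running it. The keyed hash is only as strong as the secrecy of its key, which is the key management concern raised in the first interview; and a token is protected by the vault rather than by any mathematics, which is why the whole token system still has to be secured, as the next answer notes.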

Why would some companies choose to use hashing rather than encrypt their data at rest?
Hashing is a cheaper method, and encrypting data is challenging. You can’t just encrypt something and leave it at that. You have to take care of the keys—the term is “key management.” Otherwise, hackers can crack into the keys, basically giving them access to the bank. The other issue is that encryption is changing over time—methods from ten years ago are now unsafe, so if you’re encrypting data you need to keep track of how old it is. Finally, securely encrypting data in databases that are constantly in use is a significant technological challenge.

One benefit of encryption usage is that, should you have a future data breach incident, the data (in theory) is useless to the bad guy and therefore still protected. At the same time, it gives you legal “safe harbor” and license not to report the breach incident. Can the same argument be made for hashing/tokens?
It’s not the same argument. Of the methods, only encryption will help you avoid the state notification laws in a data breach situation. The other issue with tokenizing is that you still have to protect the whole token system under the credit card industry regulations so it’s not a simple alternative to encryption or the cheap panacea people thought it might be.

What else might executives need to know about their data security?
In an era of shrinking budgets and personnel cuts, it’s easy to tell the CEO that the company is encrypting data or using “encryption-like” techniques. The executive needs to ask the hard questions about what type of encryption is being used, because the IT folks might not understand the legal issues at hand. The decision of whether to use tokenization or hashing or encryption is not just a technical or cost issue—it’s very much a legal issue, so it’s a good idea to have counsel involved. The legal reasons for the method you choose may ultimately outweigh the cost.

In conclusion …
Going forward, many companies are actively trying to comply with various state and federal regulations to reasonably safeguard the private customer data in their care, custody and control. Unfortunately, it has been our experience that encryption—especially for data at rest—is one of the most challenging areas of data security for most of our clients. Proper encryption—in email, online transactions, backup tapes, laptops and corporate databases—is only deployed by a minority of companies (less than 10 percent), for many of the reasons that Mr. Krone mentioned. The truth is, IT budgets and technological barriers get in the way and clients often avoid best practices and pursue more cost-effective alternatives.
