High-profile data breaches at companies such as major corporations and the usual assortment of state government agencies and educational institutions have highlighted the value of encrypting data. Yet, breach numbers continue to spike and big losses are becoming more common; according to Verizon's 2009 Data Breach Investigations Report, which looks only at breaches that resulted in stolen data being used in a crime, the total number of records breached in Verizon's 2008 caseload—more than 285 million—exceeded the combined total from 2004 to 2007. Apparently the market is now so saturated with stolen data that the price of each record has dropped from a high of $16 in 2007 to less than 50 cents today.
But the intensifying number of successful attacks isn't the most distressing part of data breach reports: the Identity Theft Resource Center reports that only 2.4% of the companies involved in all reported breaches utilized encryption. The vast majority of the exposed data was open to attack, a sad fact that likely delighted data thieves. The Verizon report echoed these findings, noting among other issues that roughly one-third of retailers who had suffered a data breach were transmitting payment card data unencrypted over public networks.
There's no arguing that data encryption is a strong detriment and a last, best line of defense when other security measures fail-so why do many companies continue to be extremely reluctant to use encryption, opting not to deploy it at all or to use it in a piecemeal fashion that provides extremely limited protection? Reluctance to invest wisely in data security is one reason, but in most cases companies fear that encryption is impossible to manage in a distributed enterprise, will slow network performance, will impact availability of data for use in critical business processes, result in irretrievable data if something goes wrong with the encryption scheme and other myths, some of which were valid decades ago when encryption technology was in its infancy, all of which can be managed with the right policies and procedures.
In a perfect world, every business would encrypt sensitive data throughout its lifecycle. In this world, we have to admit that true end-to-end protection may be challenging to achieve in a large, complex, multi-entity environment. Of course that doesn't mean data should be left unprotected, the key here is to use a risk-based methodology to determine the proper level of protection for the different classes of data collected, stored and used by an individual company. Risk-based planning balances security with the pragmatic business needs and IT challenges.
Data that is resalable for a profit-typically financial, personally identifiable and confidential information—is obviously high risk data and requires the most rigorous protection; other data protection levels should be determined according to its value to your organization and the anticipated cost of its exposure—would business processes be impacted? Would it be difficult to manage media coverage and public response to the breach? This risk-based approach allows you to select the parts of the data flow that will need stronger protection.
One simple way to determine a risk profile is to assign a numeric value for each class of data; high risk = 5, low risk = 1. Use the same values to grade the odds of exposure. Then multiply the data value by the risk of exposure to determine the risk levels in your enterprise. Use this information to select the parts of the data flow that will need the strongest level of protection.
Data Field | Value | Exposure | Risk Level |
Credit Card Number | 5 | 5 | 25 |
Social Security Number | 5 | 4 | 20 |
CVV | 5 | 4 | 20 |
Customer Name | 3 | 4 | 12 |
Secret Formula | 5 | 2 | 10 |
Employee Name | 3 | 3 | 9 |
Employee Health Record | 3 | 2 | 6 |
Zip Code | 1 | 3 | 3 |
After classifying the data, map how it flows into, through and out of the company. Begin by locating all the places data resides including applications, databases, files, data transfers across internal and external networks, etc. and determine where the highest-risk data resides and who has or can gain access to it. Here again, high risk data residing in places where many people can/could access it is data that needs the strongest possible protection.
Once you understand what data needs what levels of protection, and know where that data moves or resides, the overall process of configuring and maintaining a robust encryption solution is vastly simplified.
Managing data security using a risk-based process also addresses another prevalent business concern, that encryption will cause performance degradation. Assuming the business is using a modern encryption solution on systems that are not already overburdened, a risk-based approach will avoid trying to encrypt every single byte of data so that performance should not be an issue. If you align your encryption scheme with the enterprise's data risk-management profile you are unlikely to perceive the computing resources needed by the encryption solution (roughly 2%-5% for standard uses).
Modern enterprise class solutions are designed to make the best use possible of available computing cycles and will also take advantage of background processing to help ensure that encryption has virtually no impact on network performance or users. In fact, encryption should be all but transparent to users, if your security policies are granular and well thought out. If so, and if performance is still not what it should be, begin troubleshooting by looking carefully at enterprise use patterns. What applications are accessing the database or data warehouse most often? Are your users performing sophisticated data analysis on a regular basis, or just viewing reports? Where are the bottlenecks? Once you have a good feel for what the problems are, you can investigate optimization techniques to perk up the performance of your database or data warehouse.
The other issue that comes up quite often is concern about loss of data if the encryption key is lost in a server crash or other incident. This issue is successfully addressed with proper key management, which includes a secure key recovery process. A solid key management solution and process is a critical part of the enterprise's data protection plan.
Compliance standards like PCI DSS have been tightening their encryption requirements with each revision and logic tells us that broad use of encryption will increasingly be required, so now is a great time to develop a risk-based plan to manage data security. Bonus: a risk-based prioritization plan also produces cost savings and may result in an enhanced enterprise security profile. For example, a comprehensive understanding of where all the sensitive data resides usually results in a project to reduce the number of places where critical data is stored, reducing the number of necessary protection points and resulting in better security (less data scattered around the enterprise ecosystem) and a reduced investment in data protection costs. Risk-based data security plans also eliminates the costly triage security model which is ineffective whether you're triaging based on compliance needs or the security threat of the moment.
All security spend figures produced by government and private research firms indicate that enterprises can put strong security into place for less than 10% the average cost of a breach. Risk-analysis based data security plans up the ante even further, enabling enterprises to adopt a balanced approach towards protecting critical information across the enterprise, delivering enhanced security and reduced costs with the least impact on business processes and the user community-and frustrating malicious hackers. What's not to like?