Putting things into perspective :) Encryption...
Back it up a bit! Purpose of encryption – (a) access controls and (b) confidentiality
Let's understand the battle surrounding whether to encrypt
data or not. Let's understand why we need encryption in the first place.
Encryption was originally used to make absolutely sure data would remain
confidential to people that shouldn't access the information. If you can't read
the data because you don't have the key to the data, then we presume you don't
need access.
Encryption, therefore, protects data whenever we (a) lose
control over who can read the raw data or (b) where the raw data is located.
Control landscape includes encryption (and now we understand why)
Understanding this, we can see why the most common regulations
and standards require encrypting sensitive data. This can be healthcare
information, privacy information, financial data, Defense data, etc. This
requirement gets written into law and legally binding contracts. Organizations
don't have a choice whether they are supposed to encrypt certain types of
information or not.
Understand why people don't use encryption (system cost, software cost, user cost/experience)
There are several reasons why people don't want to do it.
The software costs money. There may be a perceived performance impact. There may
be a perceived impact on user experience. Maybe the thought of encryption
sounds intimidating or complex.
Bruce Schneier wrote attack the system as well as the algorithm (and he's right)
Many years ago, Bruce Schneier wrote a book titled Applied
Cryptography. In this book, he explains the purpose of cryptography and how
to correctly apply it to solve business problems. Afterward, he wrote another
book titled Secrets and Lies where he explains the effective use of
encryption is much more than the math that goes into protecting data. Think
about that. It's more than the algorithm. It's all of the supporting pieces of
the process. It's the system itself in which the encryption is used, that
represents the available angles of attack. Consider a door with a world-class
lock. It's in a house with a giant window in the front. Do I attack this the
lock, or smash the window? This is what happened in the Capital One breach.
Encryption is hard. Why? Encryption is hard because it's
more than just choosing a strong algorithm to protect the data. I must ensure
that the use of the algorithm doesn't inadvertently open doors around my
encryption. I must constantly review and validate the configuration of the
endpoints, application configuration, access controls, auditing processes, and
so many other items could prevent attacks similar to what happened with Capital
One.
Caveonix integration with HyTrust… (validate the system and use of the algorithm)
This is why our company Caveonix jumped at the opportunity to integrate with HyTrust. You must validate the use of encryption because it's
required, and you must validate the system itself to ensure there is no way
around the encryption. This is why Caveonix chose to integrate with HyTrust as
part of IBM's approach to securing Financial Services. Together, Caveonix and
HyTrust can do both.