Pin Me

Choose Encryption Wisely

written by: Tom Olzak, CISSP•edited by: Bill Bunter•updated: 5/7/2010

Encryption is a big topic, much bigger than can be fit into a section of a small, business manual. This article provides enough information about the how, what, and why of encryption that an owner or manager of a SMB knows when it’s reasonable and appropriate to encrypt information.

  • slide 1 of 5

    What is Encryption?

    Very simply, encryption changes readable information (plain text) into unreadable information (cyphertext). Two basic methods are used—symmetric and asymmetric.

    In symmetric encryption, both the sender and the recipient of cyphertext share a key. The key, together with an encryption algorithm, is used to both encrypt and decrypt the message or document. Asymmetric encryption uses a key-pair. A key-pair is typically assigned to a person or organization. One of the keys is public, known to anyone who wants to encrypt content and send it to the key owner. The other key is private, known only to the key-pair owner.

    Details about how each of these processes works are outside the scope of this section. For more information, see How Encryption Works.

  • slide 2 of 5

    What to Encrypt

    You can apply encryption in a number of ways, including:

    • Creating a container. Many encryption products allow you to create an encrypted container on a hard drive or other storage device. Anything placed into the container, which usually looks like a typical drive or folder, is encrypted. Only someone with the proper password can access container contents.
    • Full disk encryption. When you don’t to worry about whether your users are placing sensitive information into an encrypted container, consider full disk encryption. Most encryption products supporting full disk encryption allow for both pre-boot authentication (PBA). With PBA, the user must enter a password before the operating system loads. If PBA is not used, the OS loads normally and provides access to the encrypted drive or volume. Full disk encryption with PBA is the best way to protect laptops.
    • On-demand encryption. If you trust your users, you might simply provide an encryption solution and allow them to encrypt files and folders as they see fit. As we’ll see later, however, this is usually a bad idea.
    • Email encryption. Email messages often contain sensitive information. In-house or hosted encryption services provide both user initiated encryption and auto-encryption. Auto-encryption is based on phrases or patterns in a message. For example, 222-22-2222 is a familiar pattern indicating a social security number.
    • File transfers. Like email, many documents or data files contain sensitive information. Also like email, this information should never leave the protection of your network, especially when traveling over the Internet, without being encrypted. Consider either a secure FTP solution or SSL.
    • Interactive sessions over insecure media. This is a fancy way of describing an external connection, usually over the Internet, over which sensitive data are passed. Encrypt any session that fits this description. SSL is the most popular solution.
    • Wireless network connections. Under no circumstances allow your users to connect to wireless networks, including hotspots in coffee shops, without encrypting the connection. Remember that wireless communication casts your information out into the ether, making it available for anyone with a wireless card in their laptop or handheld device. The best solution for Wi-Fi is VPN, and it doesn’t have to break the bank.
  • slide 3 of 5
    Data encryption involves time and resources. Be sure you have a good reason to encrypt and an adequate encryption management program.key management password reset encryption cost truecrypt bitlocker efs pgp skyrecon utimaco postini
  • slide 4 of 5

    Use Encryption Wisely

    Contrary to what many encryption vendors might like you to believe, encryption isn’t always a good thing. Like any other security control, encryption requires policies, processes, and available resources for implementation and day-to-day management.

    Encryption should be seen as an additional layer in your security controls framework. Use it when it serves a specific purpose, including:

    • Protection against weak passwords. This is only an option if you plan to protect files and folders instead of an entire hard drive. Use of weak passwords to access systems with full disk encryption is often futile, since the password used to login to the computer is usually used to unlock the encrypted drive.
    • Protection for data in motion. Any time sensitive data moves out of an area of adequate security to one less secure (or not secure at all), it should be encrypted.
    • Protection for data stored in mobile devices.
    • When regulatory constraints make it a good idea (i.e., HIPAA, GLBA, FACTA, etc.)

    Unlike many other technologies, encryption is not a setup-and-forget solution. It requires careful though during design and continuous management. Some of the challenges associated with implementing encryption in an organization include:

    • Key management. Keys for accessing encrypted data should be centrally managed. This provides access to systems left behind by employees no longer with the company or who have forgotten their encryption passwords.
    • Password reset management. Users often forget their passwords. This isn’t a huge problem with application or Active Directory passwords, for example. They can be reset directly by a help desk. But what about passwords for PBA. Without the correct password, the employee cannot even boot the system. Make sure a centrally managed encryption solution provides for encryption password resets without support personnel actually required to “touch" the computer.
    • Performance. There is always a slight drop in performance when an encryption solution is installed on a server or an end-user device. Make sure you understand how the hardware you use and the installed applications might be affected. For organizations with systems that are not end-of-life, systems not more than two or three years old, encryption should not be a problem. But test anyway.
    • Cost. Then there is cost. Even if the solution you select is free, costs associated with managing the solution must be considered. Like any other business purchase, weigh the risks of not implementing encryption against total cost of ownership.
  • slide 5 of 5

    Encryption Solutions

    For the purposes of this section, I categorized several encryption solutions based on cost—free or not free.

    Free solutions

    • TrueCrypt. TrueCrypt is one of my favorite open-source solutions. It provides container, volume, thumb drive, and full disk/PBA encryption. You can also recover an encrypted drive that won’t boot or with a lost password. However, TrueCrypt is not centrally managed, requiring hands on support for major issues.
    • Bitlocker. For Windows Vista and Windows 7 systems, Bitlocker is an option for full-volume encryption. Although it can be centrally managed via Active Directory, there have been reported problems with key synchronization. Test before you adopt.
    • EFS. EFS is a free encryption solution that ships with most current versions of Windows. It is somewhat centrally manageable, but not at a level acceptable for medium to large businesses. You can use it as a substitute for or in support of Bitlocker. For example, Bitlocker only encrypts the bootable volume. Other volumes require another encryption method.

    Fee-based solutions

    All of the following solutions can be centrally managed, with good support for password resets. All but Postini, an email-only encryption solution, provide encryption for multiple purposes.

    The solutions listed above are intended to support encrypted data in place, on mobile devices, or in email. But what about SSL, VPN, or secure FTP? We’ll look at these in more detail in the next section, together with popular solutions.

A Security Manual for Small/Medium Businesses

A how-to manual for implementing reasonable and appropriate security in small/medium business, using clear, non-technical explanations of how to integrate emerging standards (PCI DSS, HIPAA, etc.) into security spending decisions.
  1. Introduction to SMB Security
  2. Security Planning: Data ownership and classification
  3. Security Planning: Data Storage and Sharing
  4. Security Planning: Regulatory Considerations
  5. Endpoint hardening and defense: Overview of layered security
  6. Protecting desktop computers
  7. Protecting laptop computers
  8. Choose Encryption Wisely
  9. Designing Network Security
  10. Locking Down the Network With Access Controls