Use Encryption Wisely
Contrary to what many encryption vendors might like you to believe, encryption isn’t always a good thing. Like any other security control, encryption requires policies, processes, and available resources for implementation and day-to-day management.
Encryption should be seen as an additional layer in your security controls framework. Use it when it serves a specific purpose, including:
- Protection against weak passwords. This is only an option if you plan to protect files and folders instead of an entire hard drive. Full disk encryption on a system with a weak password is often futile, since the password used to log in to the computer is usually the one that unlocks the encrypted drive.
- Protection for data in motion. Any time sensitive data moves out of an area of adequate security to one less secure (or not secure at all), it should be encrypted.
- Protection for data stored in mobile devices.
- When regulatory constraints make it a good idea (e.g., HIPAA, GLBA, FACTA).
Unlike many other technologies, encryption is not a setup-and-forget solution. It requires careful thought during design and continuous management. Some of the challenges associated with implementing encryption in an organization include:
- Key management. Keys for accessing encrypted data should be centrally managed. This provides access to systems left behind by employees no longer with the company or who have forgotten their encryption passwords.
- Password reset management. Users often forget their passwords. This isn’t a huge problem with application or Active Directory passwords, for example; they can be reset directly by a help desk. But what about passwords for PBA (pre-boot authentication)? Without the correct password, the employee cannot even boot the system. Make sure a centrally managed encryption solution provides for encryption password resets without requiring support personnel to physically “touch” the computer.
- Performance. There is always a slight drop in performance when an encryption solution is installed on a server or an end-user device. Make sure you understand how the hardware you use and the installed applications might be affected. For organizations whose systems are not near end-of-life (say, no more than two or three years old), encryption should not be a problem. But test anyway.
- Cost. Even if the solution you select is free, the costs of managing it must be considered. Like any other business purchase, weigh the risks of not implementing encryption against total cost of ownership.
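The two management challenges above, central key management and remote password resets, are usually solved with the same design: the key that actually encrypts the data is itself encrypted ("wrapped") twice, once under the user's password and once under a recovery key held centrally by the organization. The following Go program is an added illustration of that design and is not code from this manual or from any of the products it names; the layout (EncryptedFile), the function names, the 10,000-iteration PBKDF2 and the sample file contents are all constructed for the example. A help-desk password reset then only rewraps the data key with the recovery key, so the file body is never re-encrypted and nobody needs to touch the machine.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

const kdfIters = 10000 // constructed for the example; tune for real hardware

// EncryptedFile is the on-disk layout: the data key is wrapped twice, so the
// user (via password) and the organization (via recovery key) can both unlock it.
type EncryptedFile struct {
	Salt         []byte // salt for the user's password-derived key
	UserWrap     []byte // data key sealed under the user's derived key
	RecoveryWrap []byte // data key sealed under the central recovery key
	Body         []byte // file contents sealed under the data key
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// pbkdf2 derives a 32-byte key with PBKDF2-HMAC-SHA256, written out here so the
// example needs only the standard library (one output block is all we need).
func pbkdf2(password, salt []byte, iter int) []byte {
	prf := hmac.New(sha256.New, password)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // block index 1
	u := prf.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < iter; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealWith encrypts with AES-256-GCM; the random nonce is prepended to the output.
func sealWith(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openWith reverses sealWith; a wrong key fails GCM authentication.
func openWith(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("sealed data too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
}

// NewRecoveryKey creates the organization's recovery key; it lives in the
// central key store, never on the user's machine.
func NewRecoveryKey() []byte { return randBytes(32) }

// Encrypt seals plaintext under a fresh data key and escrows that key to both
// the user's password and the central recovery key.
func Encrypt(plaintext []byte, password string, recoveryKey []byte) (*EncryptedFile, error) {
	dataKey, salt := randBytes(32), randBytes(16)
	userWrap, err := sealWith(pbkdf2([]byte(password), salt, kdfIters), dataKey)
	if err != nil {
		return nil, err
	}
	recWrap, err := sealWith(recoveryKey, dataKey)
	if err != nil {
		return nil, err
	}
	body, err := sealWith(dataKey, plaintext)
	if err != nil {
		return nil, err
	}
	return &EncryptedFile{Salt: salt, UserWrap: userWrap, RecoveryWrap: recWrap, Body: body}, nil
}

// DecryptWithPassword is the everyday path: unwrap the data key with the password.
func DecryptWithPassword(f *EncryptedFile, password string) ([]byte, error) {
	dataKey, err := openWith(pbkdf2([]byte(password), f.Salt, kdfIters), f.UserWrap)
	if err != nil {
		return nil, errors.New("wrong password")
	}
	return openWith(dataKey, f.Body)
}

// ResetPassword is the help-desk path: recover the data key with the central
// recovery key and rewrap it under a new password. The body is left untouched.
func ResetPassword(f *EncryptedFile, recoveryKey []byte, newPassword string) error {
	dataKey, err := openWith(recoveryKey, f.RecoveryWrap)
	if err != nil {
		return errors.New("recovery key does not match this file")
	}
	salt := randBytes(16)
	wrap, err := sealWith(pbkdf2([]byte(newPassword), salt, kdfIters), dataKey)
	if err != nil {
		return err
	}
	f.Salt, f.UserWrap = salt, wrap
	return nil
}

func main() {
	recovery := NewRecoveryKey()
	f, _ := Encrypt([]byte("constructed sample: payroll.xlsx"), "user-pass-1", recovery)
	_, err := DecryptWithPassword(f, "forgotten")
	fmt.Println("forgotten password:", err)
	_ = ResetPassword(f, recovery, "user-pass-2")
	pt, _ := DecryptWithPassword(f, "user-pass-2")
	fmt.Println("after reset:", string(pt))
}
```

The point to take from the design is what the help desk does and does not need: it needs access to the central recovery key and to the small RecoveryWrap blob, but never to the user's old password and never to the machine itself. The same shape is what a centrally managed product implements when it offers remote PBA password resets, and auditing who may use the recovery key is the key-management policy the text asks for.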
Encryption Solutions
For the purposes of this section, I categorized several encryption solutions based on cost: free or fee-based.
Free solutions
- TrueCrypt. TrueCrypt is one of my favorite open-source solutions. It provides container, volume, thumb drive, and full disk/PBA encryption. You can also recover an encrypted drive that won’t boot or whose password has been lost. However, TrueCrypt is not centrally managed, requiring hands-on support for major issues.
- Bitlocker. For Windows Vista systems, Bitlocker is an option for full-volume encryption. Although it can be centrally managed via Active Directory, there have been reported problems with key synchronization. Test before you adopt.
- EFS. EFS is a free encryption solution that ships with most current versions of Windows. It is somewhat centrally manageable, but not at a level acceptable for medium to large businesses. You can use it as a substitute for or in support of Bitlocker. For example, Bitlocker only encrypts the bootable volume. Other volumes require another encryption method.
Fee-based solutions
All of the following solutions can be centrally managed, with good support for password resets. All but Postini, an email-only encryption solution, provide encryption for multiple purposes.
The solutions listed above are intended to support encrypted data in place, on mobile devices, or in email. But what about SSL, VPN, or secure FTP? We’ll look at these in more detail in the next section, together with popular solutions.
A Security Manual for Small/Medium Businesses
A how-to manual for implementing reasonable and appropriate security in small/medium business, using clear, non-technical explanations of how to integrate emerging standards (PCI DSS, HIPAA, etc.) into security spending decisions.