Encryption Planning - What Data Should You Encrypt?
Open a newspaper and chances are that you’ll see a story about a company or government agency suffering embarrassment because confidential data may have been exposed as a result of a lost or stolen laptop. The seemingly non-ending stream of such incidents has served to push the subject of encryption to center stage. But, while most companies know that they should be doing more to protect their data, many remain unsure as to what data they need to be protecting and how it should be protected. Do you need to encrypt the data passing over your wireless network? What about laptops? Smartphones? Databases? Backups? Email?
Were encryption to have no absolutely no overhead, the answer to these questions would be easy and obvious: yes, encrypt everything! But unfortunately, encryption does have an overhead. Data encryption products cost money, take time to set up and configure and may impact on employee productivity; the process of encrypting and decrypting data consumes computational resources; data can be lost if the key needed to decrypt it is lost; and finally, deploying an encryption solution will almost certainly result in an increase in calls to the Help Desk (“Help, I have lost my …. “). Consequently, it makes sense to only encrypt that data which can easily be encrypted or which is so sensitive that it needs to be encrypted. Here’s some thoughts about circumstances in which it may/may not be worth encrypting your data:
Email. Some people say that you should encrypt only sensitive email, others say that you should encrypt all of your email (if somebody is intercepting your email and sees that only some are encrypted, they’ll know which messages to target, right?). I hold a rather different view and consider email encryption to be unnecessary for most businesses, most of the time. Email encryption is a complex process which can cause problems for both senders and receivers – but, at the same time, the risk of somebody actually intercepting your emails are extremely small. Much pain, little gain. In my opinion, unless your are federally mandated to secure your email communications, you’d be better focusing your resources on other areas.
Wireless. Unlike email, the risks associated with wireless networks are high, but securing them is extremely easy. See our article on how to secure your wireless network for more information.
Laptops. Sooner or later, it’s more than likely that one of your employee’s laptops will be lost or stolen. The best way to ensure that the loss doesn’t result in data falling into the wrong hands is to use a whole-disk encryption solution. Fortunately, this is easy enough to do. Should you be using Windows Vista Ultimate or Enterprise, you already have everything you need to encrypt your data that is held on your laptops:BitLocker. Should you be using something other than Vista Ultimate or Enterprise, you’ll need to either upgrade or look to a third-party solution.
What about smartphones, tape backups, USB drives, etc.? To be able to decide where to use encryption, you need to start thinking about your data. Where is the data stored? How vulnerable is the data? What would be the business impact if the data were to be stolen? Once you have established the answer to these questions, you’ll then be in a position to start making some decisions about where you need to focus your energy and resources.
Remember, while some data may be critical, encryption may not be the best or only method to protect it. For example, you may be able to secure your backups simply by locking them in a secure storage area and, in the case of smartphones, you may feel that the built-in automatic lockout functionality provides adequate protection.
Consider too whether you can change the way in which data is handled. Do your employees really need to be transferring data to easily-lost USB drives? If they do not, simply blocking the use of USB drives may be the way to go. If they do, then you’ll probably want to start looking at encryption solutions (or, at the very least, insisting sensitive material be put into a password-protected zip file before being copied to a USB drive).
One final piece of advice: educate your employees. Make sure they understand why they need to be encrypting data and make sure that they understand how to use the applications you provide.