Encryption Isn't Everything
By Jill R. Aitoro | Tuesday, December 11, 2007 | 01:37 PM
By Jill R. Aitoro | Tuesday, December 11, 2007 | 01:37 PM
Shannon Kellogg, director of government and industry affairs at RSA Security, recently recounted a decision by a federal agency to encrypt everything (systems, emails, devices) to avoid the dreaded security breach that so many other agencies have reported. Apparently, after the decision was made, a contractor working with the agency (Kellogg declined to name the agency or the contractor) accessed sensitive information while on the network, saved it on a USB memory stick -- and then walked out the door. Kellogg didn’t say if the agency reported any data loss – but who's to know? Exposure is exposure, and the risks still apply.
This story certainly isn't unusual, but it bears repeating because this plays out in every agency routinely. Among the most important lessons that can be learned may be to avoid knee-jerk reactions to security threats -- such as believing an encrypt-everything policy will insulate you from security breaches. Such policies are, by definition, reactionary – not strategic. Encryption – like any security strategy – works in specific circumstances, but should not be the end-all-be-all security policy.
And this lesson comes from a security vendor.
Comments
The knee-jerk reaction to encrypt everything not only provides a false sense of security as noted in the article, it introduces other risks which are not understood or are being ignored. For example, the encrypt everything approach unnecessarily complicates data management because, as we know, not all data is sensitive or requires encryption. Besides the immediate issues (i.e. false sense of security, missing (Data At Rest) DAR on removable media, etc.), has anyone looked forward? The downstream impact to encrypting everything means information and records management tools, techniques, and processes will be less effective. Federal agencies struggle to provide timely, accurate, and complete responses to legitimate information requests now when data are stored in clear, searchable formats. Imagine how accurate authorized information disclosures will be in the future when searches return "zero results" because the data are encrypted. And, as time progresses, the keys used to encrypt the data become unavailable to decipher the encrypted text. Critical data with historical national significance will be forever lost.
Linda Gnarnel | Friday, February 01, 2008 | 04:50 PMWell, they encrypted ALMOST everything...
Encryption of hard disks (Data at Rest) is fine, but doesn't solve the whole problem, as this example illustrates. Policy-enforced encryption of removable storage devices - including USB sticks - might have helped here, as it helps to address the issue of Data In Motion security. Encryption WITH device control is even better; the contractor would not have been allowed to move data to the USB stick (or any removable storage device) without expressed, policy-based permission to do so. Further, even if the user had permission to save to removable storage, there would have been an audit trail of the entire transaction - user, file name, file size, date and time, origin, destination, etc. - to monitor trusted user behavior (many data breaches originate inside the organization). Mr. Walthall has a point - the bad guys are always looking for ways to compromise the security of The Box. The best recourse is to make it so difficult as to make them go to another Box.
FYI - There is no security on any of these computer systems that can't be worked around. If you put all your important information in a box that plugs into the wall you are a fool.
Jimmy E. Walthall | Wednesday, December 12, 2007 | 11:35 AMABOUT THIS BLOG
Allan Holmes on what's happening and what's being discussed in the world of federal information technology.
feed