“Data Exploitation and Protection”
Gregory V. Boulware
Many IT and BI professionals are dissatisfied with the interoperability efforts of vendors and storage providers. The vendors have made it clear that they are interested in encryption standards rather than in cost and integration challenges. Expanding encryption is good, but it isn’t the lone or ultimate solution. At one point or another, a critical application will need access to encrypted data, and if an attacker can view unencrypted data in an application, more than likely so can everyone else. In an enterprise-wide architecture, as well as on a single personal node, unauthorized access is unacceptable and protection is sorely needed.
A reputable news and information outlet conducted a survey in which Information Technology and Business Intelligence professionals were polled. 28% of the participants said they want to expand encryption use far beyond the minimum standard(s).
The creation of public interoperability standards would give open source communities a level playing field. Benchmarked against commercial product technologies, “Open Source” (free sharing of technological information; describes practices in production and development that promote access to the end product's source materials; the Internet; communication paths, and interactive communities) is not known for having the best managerial capabilities. Competition has proven to keep everyone on his or her toes. According to the resulting survey analytics and conversations with CISOs (Chief Information Security Officers), encryption and compliance are emphasized but aren’t being used correctly and/or to their full extent. Organizations that utilize top applications are encrypting, or planning to, right alongside several firewall protection software applications. With the inclusion of VPNs (Virtual Private Networks), email, file and data systems, a breach can be devastating. These practices don’t really solve the protection problem, albeit a risk reduction is evident.
A Chief Information Security Officer (CISO) is the senior-level executive within an organization. The CISO directs staff in identifying, developing, implementing and maintaining processes across the organization to reduce information and Information Technology (IT) risks, respond to incidents, establish appropriate standards and controls, and direct the establishment and implementation of policies and procedures. Typically the CISO's influence reaches the whole organization. Michael A. Davis reports top-level stats on encryption use: 86% of 499 business technology professionals say they feel pretty secure. His data is based upon an Information Week Magazine analytics state-of-encryption survey. Davis also states that 14% of the respondents say encryption is pervasive in their organization(s). Ranging from integration challenges and cost, the lack of leadership is the reason for the dismal state of encryption affairs. “38% encrypt data on mobile devices while 31% characterise their use as just enough to meet regulatory requirements.” The compliance focus on encryption relieves companies from having to notify customers of a breach in the security of their devices. The Davis report continues to state that “entrenched resistance” isn’t a new phenomenon. A Ponemon Institute survey in 2007 found that 16% of U.S. companies incorporate encryption across enterprise-wide networks, starting with tape backups. “Doing the bare minimum isn’t security,” cited Davis. “IT and BI pros face stiff resistance when they attempt to do more for technology users.”
Many company IT and BI personnel work to increase the use of encryption. Users are more interested in quick and easy access to data than in security. Even with the use of flash drives, laptops, and other portable media, from the CEO (Chief Executive Officer) down to the front-line users, encryption never enters their minds.
Interoperability (a property referring to the ability of diverse systems and organizations to work together; to inter-operate; to work with other products or systems, present or future, without any restricted access or implementation) would make encryption management less expensive and easier to utilize. IT and BI pros endorse the use of encryption for files and folders (something that Microsoft is currently working on); easing performance and use while lowering cost is the key to better management. Many pros continue to wish for more regulation. A breach would require customer notification; this would bring funding and management interaction, drawing more attention to regulatory intervention. “An enterprise-wide initiative as complex as encryption mainly to comply with regulations will generally result in a project that’s poorly planned and would probably end up costing more than a mapped out comprehension program,” according to the Davis report.
Tokenization (the process of breaking a stream of text up into meaningful elements called tokens) uses a service in which a system that needs access to sensitive information, i.e., a credit card number, receives a “one-time token ID number” instead. An example of such a token is a 64-digit number used in applications whenever the credit card number is called by the system. The same action applies to database numbers as well. This change was implemented in 2007. Should the data be compromised (attacked or hacked) in any way, the manipulative tech-accoster would then have no way to reverse the 64-digit numbers back to the card, making a read verification virtually impossible. Several systems are designed to destroy the key (number) in emergencies. That action makes it impossible to recover the data stored on the system; it becomes inaccessible to all. This is a Chief Information Officer’s nightmare. Many companies are interested in single, specialized, and standardized encryption products. Such a product operates on a “single encryption platform,” whereby a single or central application manages multiple forms of encryption code-keys. This platform promises to increase efficiency and lower cost while providing security. The caveat of this model is that using one simple platform to handle email encryption and a backup function can be detrimental if ill planned and/or mismanaged. A company (and/or private single user) would need multiple forms of support as opposed to having “all your eggs in one basket.” The way to go is the use of “Native Key Management” (provisions made in a cryptography system design that are related to generation, exchange, storage, and safeguarding of keys; access control; the management of physical keys and access) on a given system. Consolidation in the encryption industry is a continuing development.
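The two properties this paragraph describes, that a token leaked from an application cannot be reversed to the card number, and that destroying the vault key makes every stored value unrecoverable, are easiest to see in code. The following is an added example, not the author's or any vendor's code: a minimal token vault in which tokens are random 64-digit strings with no mathematical relationship to the card number, the card number is kept only as ciphertext inside the vault, and an emergency "destroy key" operation shreds the key. The stream cipher (an HMAC-SHA256 keystream) is a constructed stand-in for illustration only; a production vault would use AES-GCM with the key held in an HSM.

```python
import hashlib
import hmac
import secrets


class KeyDestroyed(Exception):
    """Raised after the vault key has been shredded: stored values are gone for good."""


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: keystream = HMAC-SHA256(key, nonce || counter), XORed with data.
    Constructed for this example only; not a substitute for AES-GCM in a real system."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out.extend(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def luhn_valid(pan: str) -> bool:
    """Luhn checksum, used here only to reject malformed input before tokenizing."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Tokenization service (hypothetical): maps random tokens to encrypted card numbers."""

    TOKEN_DIGITS = 64  # the length described above; it is a design choice, not a requirement

    def __init__(self) -> None:
        self._key = bytearray(secrets.token_bytes(32))  # vault key, overwritable for shredding
        self._store: dict[str, tuple[bytes, bytes]] = {}  # token -> (nonce, ciphertext)

    def tokenize(self, pan: str) -> str:
        """Issue a fresh random token for a card number; the clear PAN is never stored."""
        if not (pan.isdigit() and luhn_valid(pan)):
            raise ValueError("not a well-formed card number")
        if self._key is None:
            raise KeyDestroyed("vault key was shredded")
        while True:  # tokens are drawn at random, so a reissued PAN gets a different token
            token = "".join(secrets.choice("0123456789") for _ in range(self.TOKEN_DIGITS))
            if token not in self._store:
                break
        nonce = secrets.token_bytes(16)
        self._store[token] = (nonce, _keystream_xor(bytes(self._key), nonce, pan.encode()))
        return token

    def detokenize(self, token: str) -> str:
        """Recover the card number; only possible while the key exists."""
        if self._key is None:
            raise KeyDestroyed("vault key was shredded; stored values are unrecoverable")
        nonce, ciphertext = self._store[token]
        return _keystream_xor(bytes(self._key), nonce, ciphertext).decode()

    def is_recoverable(self) -> bool:
        return self._key is not None

    def destroy_key(self) -> None:
        """Emergency crypto-shredding: overwrite and drop the key. Ciphertexts stay in the
        store but can no longer be read by anyone, including the vault's own operators."""
        if self._key is not None:
            for i in range(len(self._key)):
                self._key[i] = 0
            self._key = None


if __name__ == "__main__":
    vault = TokenVault()
    sample_pan = "4111111111111111"  # constructed test number, not a real card
    tok = vault.tokenize(sample_pan)
    print("application sees only:", tok)
    print("vault recovers:", vault.detokenize(tok))
    vault.destroy_key()
    print("recoverable after shredding?", vault.is_recoverable())
```

The application layer only ever handles the token, so a compromise there yields nothing reversible; the vault is the single place where recovery is possible, which is exactly why its key management (and the decision to shred) has to be planned rather than improvised.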
It is an environment in which encryption vendors sell multiple products as “unified platforms.” The unified, multi-platform approach is the future for encryption products, as believed by some IT and BI professionals.
Another security issue is that encryption vendors experience difficulty managing code-keys from separate providers. They appear to trip over one another through competition and jockeying from last to first in line. Vendors experience difficulty getting their separate standards on the same page. They continually fight over the details of operation and compliance, and over whether “free and low-cost products will move them out” and take over the industry.
A central directory of code-keys is easy to manage. Updating and reporting it is an essential and vital task for all IT and BI professionals. Microsoft’s Active Directory (AD) could very well be the leading encryption huckster on the block. Microsoft’s AD installed-base systems are manageable by way of group policy objects that are embedded within the applications and Operating System (OS) programs. AD is the most used directory for businesses and PC users, and plenty of IT and BI engineers already know how to use and work with it. All of Microsoft’s major encryption products offer centralized management through AD, as do its enterprise encryption technologies. What’s cheaper than free?
Windows offers portable and powerful disk encryption; email, folder, file, and database encryption is available for free. Who can beat that price?
Users aren’t stopped from emailing unencrypted versions of folders and files, or from transferring data onto a portable device connected to the USB port (Universal Serial Bus). Email encryption only works if the entity on the other end is using the same or a comparable email application, with which many companies are non-compliant (no one seems to be following protocol for data encryption policy). Interoperability within encryption and key management can be utilized based on the type of data storage and implementation, while we wait for standardization to shake its heavily laden woolly mane free of impediments. Data exploiters, hackers, and other attackers, i.e., malware, spiders, pop-ups, etc., would have nothing but the aggravation and deprivation they cause to others. The use of encryption interoperability may not stop intruders, but it sure as hell will make intrusion difficult if not impossible.
Companies, organizations, and personal users need to, and should, adopt a risk management approach: implement encryption.
Til next time…
Google Search, Bing Search, Yahoo Search, MSN Search, or Whatever Search engine you use...
"Gregory V. Boulware"