Why Encryption Alone Isn’t Enough
Co-Authored by Matthew Losanno and Emmett Jorgensen
I’ve stressed the importance of encryption in the past and, if you are an avid InfoSec follower, you will probably agree that encryption is important. Is it the most important aspect of data security though? I’d say it ranks high, very high even; however, often encryption alone simply isn’t enough. A lot more should go into the security of your confidential data than just encryption.
There are variables at work that often require security measures above and beyond encryption. The confidentiality of the data you are working with, state, federal and industry regulations, user habits, platforms and more all factor into the security measures needed to safeguard your data.
Imagine for a second that you wanted to beef up your home security system. You add a top of the line security alarm system, steel doors with steel frames and numerous locks, and the windows get barred. BUT you leave the key under the door mat…
This scenario seems silly; however, this essentially happens every day with passwords, but with a sticky note on the monitor. User habits like this seriously negate the effectiveness of encryption.
To be perfectly honest, if I had a 22 character password to remember with a minimum of 4 symbols, numbers, lower and uppercase characters I might be tempted to write it down too. It’s not realistic to expect the average user to remember that password. This is one of the reasons it is important to have other security measures in place.
Most state, federal and industry regulations only call for encryption of private or confidential data; however, these same states often impose severe fines for data breaches. It behooves an organization to take additional steps beyond encryption to ensure that their data is secure in order to avoid costly data breach fines.
If you can show that you have taken additional steps to safeguard your data (or your customer’s data), it often helps protect against data breach fines.
Confidentiality of Data
Some information is simply more important to protect. When dealing with personally identifiable information (PII), take extra steps to safeguard it and protect it from identity theft.
So what are some solutions? Start with good policy and policy enforcement. Then investigate endpoint security and remote management options.
Enforce regular password changes, but not so often as the user just has time to remember the password – this will provoke the user to write it down. Have the password strength relative to the data it is protecting. If the user is part of the graphics design team and they don’t see sensitive information (prior to a few weeks leading up to a redesign or product release) they won’t need 14-20 character passwords. A length of 8 or 10 might be sufficient. Go a step further and educate users on the simplicity of using passphrases rather than passwords if it helps keep sticky notes out of the equation.
Make it ‘easy’ to reset a lost password. Obviously the end user’s identity needs to be confirmed, but if the user has to jump through hoops, they’ll just write it down. Also, keep a list of recently used passwords so the user can’t cycle through two or three different passwords. There should also be some variance between new and old passwords; a one character difference doesn’t cut it.
In the case of mobile devices such as laptops and flash drives, the capability to destroy all the data is always a good failsafe. This is where a remote management application can be very handy. The password configuration management mentioned above should also be capable of being pushed out, as well as remotely forcing a change password.
If the drive becomes compromised simply erase or disable it. If the device has a hardware encryption controller, the AES key (used for decrypting the data) can usually be zero-ized. By deleting the AES key, the actual encryption needs to be attacked, where as the password was previously the easiest access point in many cases.
Disabling the device is another good feature, similar to an anti-theft device in a car. If the end user misplaced the device they can have the device disabled. This removes the password access point, or in the case of a device with an OS, prevent it from booting at all.
There are many other remote management features that can be used, such as forcing a network connection to use the device (or within a certain IP range) that can also add some security. This also ensures you know where the device is (at least by IP, but some applications can display that information on a map) and that it is where it is supposed to be.
Encryption protects the data, but a password protects the encryption for ease of discussion. A good password management policy will make the encryption work that much harder for you. A good remote management platform allows you to leverage additional security/ease of use features that make using stronger password policies easier on the end user (and less time spent fixing user support requests for you).