Partner Perspectives  Connecting marketers to our tech communities.
SPONSORED BY
1/31/2018
09:00 AM
Joe Cosmano
Joe Cosmano
Partner Perspectives
Connect Directly
LinkedIn
RSS
50%
50%

Data Encryption: 4 Common Pitfalls

To maximize encryption effectiveness you must minimize adverse effects in network performance and complexity. Here's how.

Employing data encryption is a no-brainer, as it supports the defense-in-depth strategy that organizations must embrace to stop bad actors from accessing sensitive network files. However, outside of the extra layers of protection data encryption can provide, there are also tradeoffs in network performance and complexity that might arise when organizations aren’t approaching encryption thoughtfully. Here are four pitfalls to avoid as you begin encrypting content.

Pitfall One: Proprietary Algorithms
It may seem counterintuitive to the way many effective security strategies are designed and implemented, but relying on standardized algorithms to encrypt sensitive data is actually safer for organizations than tasking their own IT staff or developers with crafting a unique encryption algorithm or even authentication system. The reason for this is that cryptography is its own specialization that requires an advanced degree of scientific and mathematical precision. While specific individuals from in-house security teams may have this highly specialized set of skills, dedicated cryptographers have devoted their sole attention to crafting industry-standard algorithms like IDEA 128-bit and ARC4 128-bit – more attention than an IT generalist or cross-functional developer could devote given the wealth of other projects in their purview.

Pitfall Two: Full Disk Encryption
While it is essential to ensure that data is encrypted while at rest and in motion, considerations must be made for the systems that manage that encryption.

Full Disk encryption, for instance, is designed to prevent access to sensitive data if a device or its hard drive(s) are removed. When the device is on, and a user is logged in, the sensitive data is available for anyone who is logged in – including bad actors who may have a backdoor into the system. In a roundabout way, this highlights challenges with key management. No matter how strong the crypto, if the key that provides the ability to return the content to plain text is available to adversaries, its game over.

Pitfall Three: Regulatory Compliance
Across most industries, rules regarding data collection, sovereignty and storage are extensive and usually mandated by legislation at the local and federal level. While regulations like HIPAA, PCI, CJIS and CIPA go far in detailing the costs of noncompliance, they are less instructive in telling businesses how to avoid it. In fact, many of these regulations don’t mention data encryption at all, even though encryption can prevent many of the most egregious regulations from taking place. These laws may represent a good starting point for mapping out a security strategy, but teams need to be diligent about going beyond just the standard “checklist” of protocols and standards many of these mandates provide.

Pitfall Four: Decryption Key Storage
Even after teams have gone about extensively encrypting their data, many developers make the mistake of storing the decryption key within the very database they are hoping to protect. After all, encryption is a means for protecting data even after bad actors have infiltrated the data base. If the key to decrypt all that data is basically hiding “under the doormat” right on the other side of the network gateway, all those efforts to encrypt are basically worthless.

As a result, many teams are exploring "Key Encryption Key," "Master Encryption Key" and "Master Signing Key" encryptions that they store elsewhere to protect enterprise data – a step that may seem excessive to some, but provides an all-important level of assurance that minor missteps don’t curtail major security operations.

Joe Cosmano has over 15 years of leadership and hands-on technical experience in roles including Senior Systems and Network Engineer and cybersecurity expert. Prior to iboss, he held positions with Atlantic Net, as engineering director overseeing a large team of engineers and ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Want Your Daughter to Succeed in Cyber? Call Her John
John De Santis, CEO, HyTrust,  5/16/2018
Don't Roll the Dice When Prioritizing Vulnerability Fixes
Ericka Chickowski, Contributing Writer, Dark Reading,  5/15/2018
New Mexico Man Sentenced on DDoS, Gun Charges
Dark Reading Staff 5/18/2018
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
iboss has created the first and only web gateway as a service specifically designed to solve the challenge of securing distributed organizations. Built for the cloud, the iboss Distributed Gateway Platform leverages an elastic, cloud-based node architecture that provides advanced security for todays decentralized organizations with more financial predictability. Backed by more than 110 patents and patents pending, and protecting over 4,000 organizations worldwide, iboss is one of the fastest growing cybersecurity companies in the world. To learn more, visit www.iboss.com.
Featured Writers
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2016-8656
PUBLISHED: 2018-05-22
Jboss jbossas before versions 5.2.0-23, 6.4.13, 7.0.5 is vulnerable to an unsafe file handling in the jboss init script which could result in local privilege escalation.
CVE-2017-2609
PUBLISHED: 2018-05-22
jenkins before versions 2.44, 2.32.2 is vulnerable to an information disclosure vulnerability in search suggestions (SECURITY-385). The autocomplete feature on the search box discloses the names of the views in its suggestions, including the ones for which the current user does not have access to.
CVE-2017-2617
PUBLISHED: 2018-05-22
hawtio before version 1.5.5 is vulnerable to remote code execution via file upload. An attacker could use this vulnerability to upload a crafted file which could be executed on a target machine where hawtio is deployed.
CVE-2018-11372
PUBLISHED: 2018-05-22
iScripts eSwap v2.4 has SQL injection via the wishlistdetailed.php User Panel ToId parameter.
CVE-2018-11373
PUBLISHED: 2018-05-22
iScripts eSwap v2.4 has SQL injection via the "salelistdetailed.php" User Panel ToId parameter.