Partner Perspectives  Connecting marketers to our tech communities.
SPONSORED BY
1/31/2018
09:00 AM
Joe Cosmano
Joe Cosmano
Partner Perspectives
Connect Directly
LinkedIn
RSS
50%
50%

Data Encryption: 4 Common Pitfalls

To maximize encryption effectiveness you must minimize adverse effects in network performance and complexity. Here's how.

Employing data encryption is a no-brainer, as it supports the defense-in-depth strategy that organizations must embrace to stop bad actors from accessing sensitive network files. However, outside of the extra layers of protection data encryption can provide, there are also tradeoffs in network performance and complexity that might arise when organizations aren’t approaching encryption thoughtfully. Here are four pitfalls to avoid as you begin encrypting content.

Pitfall One: Proprietary Algorithms
It may seem counterintuitive to the way many effective security strategies are designed and implemented, but relying on standardized algorithms to encrypt sensitive data is actually safer for organizations than tasking their own IT staff or developers with crafting a unique encryption algorithm or even authentication system. The reason for this is that cryptography is its own specialization that requires an advanced degree of scientific and mathematical precision. While specific individuals from in-house security teams may have this highly specialized set of skills, dedicated cryptographers have devoted their sole attention to crafting industry-standard algorithms like IDEA 128-bit and ARC4 128-bit – more attention than an IT generalist or cross-functional developer could devote given the wealth of other projects in their purview.

Pitfall Two: Full Disk Encryption
While it is essential to ensure that data is encrypted while at rest and in motion, considerations must be made for the systems that manage that encryption.

Full Disk encryption, for instance, is designed to prevent access to sensitive data if a device or its hard drive(s) are removed. When the device is on, and a user is logged in, the sensitive data is available for anyone who is logged in – including bad actors who may have a backdoor into the system. In a roundabout way, this highlights challenges with key management. No matter how strong the crypto, if the key that provides the ability to return the content to plain text is available to adversaries, its game over.

Pitfall Three: Regulatory Compliance
Across most industries, rules regarding data collection, sovereignty and storage are extensive and usually mandated by legislation at the local and federal level. While regulations like HIPAA, PCI, CJIS and CIPA go far in detailing the costs of noncompliance, they are less instructive in telling businesses how to avoid it. In fact, many of these regulations don’t mention data encryption at all, even though encryption can prevent many of the most egregious regulations from taking place. These laws may represent a good starting point for mapping out a security strategy, but teams need to be diligent about going beyond just the standard “checklist” of protocols and standards many of these mandates provide.

Pitfall Four: Decryption Key Storage
Even after teams have gone about extensively encrypting their data, many developers make the mistake of storing the decryption key within the very database they are hoping to protect. After all, encryption is a means for protecting data even after bad actors have infiltrated the data base. If the key to decrypt all that data is basically hiding “under the doormat” right on the other side of the network gateway, all those efforts to encrypt are basically worthless.

As a result, many teams are exploring "Key Encryption Key," "Master Encryption Key" and "Master Signing Key" encryptions that they store elsewhere to protect enterprise data – a step that may seem excessive to some, but provides an all-important level of assurance that minor missteps don’t curtail major security operations.

Joe Cosmano has over 15 years of leadership and hands-on technical experience in roles including Senior Systems and Network Engineer and cybersecurity expert. Prior to iboss, he held positions with Atlantic Net, as engineering director overseeing a large team of engineers and ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
'PowerSnitch' Hacks Androids via Power Banks
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/8/2018
Windows 10 Security Questions Prove Easy for Attackers to Exploit
Kelly Sheridan, Staff Editor, Dark Reading,  12/5/2018
Starwood Breach Reaction Focuses on 4-Year Dwell
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/5/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-8651
PUBLISHED: 2018-12-12
A cross site scripting vulnerability exists when Microsoft Dynamics NAV does not properly sanitize a specially crafted web request to an affected Dynamics NAV server, aka "Microsoft Dynamics NAV Cross Site Scripting Vulnerability." This affects Microsoft Dynamics NAV.
CVE-2018-8652
PUBLISHED: 2018-12-12
A Cross-site Scripting (XSS) vulnerability exists when Windows Azure Pack does not properly sanitize user-provided input, aka "Windows Azure Pack Cross Site Scripting Vulnerability." This affects Windows Azure Pack Rollup 13.1.
CVE-2018-8617
PUBLISHED: 2018-12-12
A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2018-8583, CVE-2018-8...
CVE-2018-8618
PUBLISHED: 2018-12-12
A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2018-8583, CVE-2018-8...
CVE-2018-8619
PUBLISHED: 2018-12-12
A remote code execution vulnerability exists when the Internet Explorer VBScript execution policy does not properly restrict VBScript under specific conditions, aka "Internet Explorer Remote Code Execution Vulnerability." This affects Internet Explorer 9, Internet Explorer 11, Internet Exp...