I'm sure many of you have had mixed experiences with encryption techniques, architectures, and implementations that, in the wake of Heartbleed and the Dual_EC_DRBG scandal, point out the importance of getting encryption right -- and the costs of fixing problems when an implementation is weak, wanting, or compromised.
In those circumstances, the ability to patch or migrate your solution and rekey your data quickly is imperative. But, sadly, the reasons for encrypting data are often mandated, not part of a funded security initiative, and much more expensive than expected. If your organization -- like many others -- is searching for ways to make encryption cost-effective, easy, and scalable, the answers to this list of frequently asked questions may point you in the right direction.
What should I encrypt? There are three key questions to answer. What data needs protecting? (Often you will find that your data protection requirements grow over time.) What form is the data in (unstructured files, databases, logs, etc.)? And where is the data located -- in a datacenter, on a mobile device, in the cloud, or in a remote location?
How should I encrypt? Organizations will typically come up with a matrix of answers and, along with that, a complex web of potential approaches to achieve their encryption requirements. For example, organizations may be required to encrypt their data on a number of different applications. Their options per application will vary, and you could end up with multiple solutions for meeting one requirement.
What about the keys? Some encryption options are native to a platform, yet they lack a key (no pun intended) requirement -- key management -- that most encryption solutions must have to be compliant. We have found that, while encryption itself is often easy, the complexities of good key management are what organizations struggle with most. If you encrypt data with a key and leave that key, weakly protected, alongside the data, you might as well not encrypt it at all.
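The point about keeping keys away from the data is usually implemented as envelope encryption: each item is encrypted under its own data encryption key (DEK), and the DEK is stored only in wrapped form under a key-encryption key (KEK) that lives somewhere else (a key manager or HSM). The example below is added here to show the idea in working code; it is not from the original article and not any vendor's product. It assumes AES-256-GCM for both layers, a hypothetical `Record` layout, and a KEK passed in from an external key manager; the `Rekey` function also shows why the split matters for the "rekey quickly" goal from earlier in the piece, since rotating the KEK rewraps only the small DEK and never touches the bulk ciphertext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record is the stored form of one encrypted item (hypothetical layout):
// the ciphertext plus the DEK wrapped under a KEK. The KEK is never stored here.
type Record struct {
	KEKID      string // which key-manager key wrapped the DEK
	WrappedDEK []byte // nonce || AES-GCM(KEK, DEK)
	Ciphertext []byte // nonce || AES-GCM(DEK, plaintext)
}

// NewKey returns a fresh random 256-bit key (used for both DEKs and KEKs here).
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

// gcmSeal encrypts with AES-GCM under key and prefixes the random nonce.
func gcmSeal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, plaintext, nil)...), nil
}

// gcmOpen reverses gcmSeal; authentication failure (wrong key, tampering) is an error.
func gcmOpen(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(data) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, data[:ns], data[ns:], nil)
}

// Encrypt generates a per-item DEK, encrypts the data with it, and stores the
// DEK only in wrapped form. The plaintext DEK is discarded when this returns.
func Encrypt(kekID string, kek, plaintext []byte) (Record, error) {
	dek, err := NewKey()
	if err != nil {
		return Record{}, err
	}
	ct, err := gcmSeal(dek, plaintext)
	if err != nil {
		return Record{}, err
	}
	wrapped, err := gcmSeal(kek, dek)
	if err != nil {
		return Record{}, err
	}
	return Record{KEKID: kekID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt needs the KEK from the key manager; the stored record alone is useless.
func Decrypt(kek []byte, r Record) ([]byte, error) {
	dek, err := gcmOpen(kek, r.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK under %s: %w", r.KEKID, err)
	}
	return gcmOpen(dek, r.Ciphertext)
}

// Rekey rotates the KEK: unwrap the DEK with the old KEK and rewrap it with the
// new one. The bulk ciphertext is untouched, so cost is independent of data size.
func Rekey(oldKEK []byte, newKEKID string, newKEK []byte, r Record) (Record, error) {
	dek, err := gcmOpen(oldKEK, r.WrappedDEK)
	if err != nil {
		return Record{}, fmt.Errorf("unwrap DEK under %s: %w", r.KEKID, err)
	}
	wrapped, err := gcmSeal(newKEK, dek)
	if err != nil {
		return Record{}, err
	}
	return Record{KEKID: newKEKID, WrappedDEK: wrapped, Ciphertext: r.Ciphertext}, nil
}

func main() {
	kek1, _ := NewKey() // in practice: fetched from a KMS/HSM, never written next to the data
	kek2, _ := NewKey()
	rec, _ := Encrypt("kek-2014-q1", kek1, []byte("constructed sample: cardholder row 42"))
	rec, _ = Rekey(kek1, "kek-2014-q2", kek2, rec)
	pt, err := Decrypt(kek2, rec)
	fmt.Printf("after rotation: %q (err=%v)\n", pt, err)
}
```

Only the wrapped DEK and a key identifier sit beside the ciphertext, so a stolen copy of the data store yields nothing without a separate compromise of the key manager; that separation is the "key requirement" the paragraph above says native platform encryption often lacks.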
What risk are you removing? Encryption is often thought of as the ultimate weapon for protecting data, but in practice many implementations fall short. Data has no defenses of its own; it must rely on the defenses of the environment in which it lives. If an organization encrypts its data with a self-encrypting disk, it is removing the risk of physical theft or loss of the drive -- nothing more. The many privileged users and processes that interact with that data while the system is running see it in the clear, so the crucial step is to confirm that the encryption you deploy actually removes the risk you are trying to address.
Will it be cost-effective? The implementation and maintenance costs of encryption across multiple environments, use cases, and applications can add up quickly. It's not just the cost of licenses, but also the cost of operationalizing it. Organizations need to ask themselves the following questions: Do I have to change code? Do I need support for multiple operating systems? Do I need to acquire a key management solution?
Many Fortune 500 companies face issues with databases and file servers that require encryption because of requirements from MAS, the Singapore authority that promotes sustained, non-inflationary economic growth through monetary policies and macro-economic surveillance of emerging trends and potential vulnerabilities. One chief security architect came to the realization that it would cost approximately $2.4 million in licensing and more than 24 months to integrate encryption into just one custom application. Not surprisingly, once he did the math he found this unappealing.
What's the bottom line? Look for encryption platforms that offer a lower total cost of ownership. You will find it easier to get the budget you need and to create a secure way of doing business if the platform offers multiple ways to encrypt your data without forcing you to change the way you run your business.