The eMag Link Monthly Articles
July Edition
Advanced Encryption Methods Secure Confidential Data During Transport*
One needs to look no further than the latest headlines to recognize that concern about the security of sensitive or confidential information is at an all-time high. Every individual in the country recognizes that he or she is vulnerable. Patients worry about the privacy of their health history. Consumers want assurance that their financial data and credit ratings are protected. Americans of all ages are anxious about the confidentiality of personal identifiers like their Social Security numbers.
In response, growing numbers of organizations are seeking reliable methods to protect the private information entrusted to them - not to mention safeguarding their own reputations and financial stability as trustees of that information. Most realize that data being transported from one location to another is at the greatest risk and, increasingly, acknowledge that encryption is an essential step for securing this information.
To this end, data center professionals are committed to evaluating "best practices" to minimize the opportunity for data loss or theft. Some are utilizing encryption programs embedded in individual backup software packages, while others are adopting the next generation of applications that provide single, unified encryption for diverse types of data. These forward-thinking organizations have discovered that this approach to encryption eliminates the need for the data center to manage multiple proprietary keys that could become lost or outdated. In addition, a cohesive approach increases corporate confidence that the encryption measures adopted by the data center provide adequate protection.
Government tightens security regulations
The responsibility for safeguarding highly confidential information lies with every corporation, law firm, health center, nonprofit organization and government institution that handles any form of confidential data. The consequences of security breaches can be devastating. At the very least, a company's image is tarnished and confidence in its reliability is shaken. At worst, erring organizations face not only lingering mistrust, but must also contend with fines, penalties and lawsuits.
In an effort to address these concerns and bring this very real problem to heel, both the public and private sectors are investigating strategies to ensure the highest levels of security for all types of confidential information. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) holds healthcare organizations liable for the privacy of patient information. Likewise, the Sarbanes-Oxley Act of 2002 (SOX) implemented stringent accounting and financial reporting policies to protect consumers from corporate financial misconduct or securities fraud. And some states like California also implemented legislation - SB 1380, or the California Security Breach of Information Act - requiring organizations that maintain personal data about individuals to inform those individuals if the security of their information is compromised.
With their consciousness raised by these regulations, companies from coast to coast are scrutinizing internal policies governing the management and handling of confidential data. Organizations acknowledge that the procedures they use to gather this information must be secure. But they also recognize that data is most vulnerable during transportation - for archiving, or when it is being shared with other parties during discovery and litigation, for example.
A rash of mishaps has been reported over recent months, driving security concerns to even higher levels:
- In May, a data analyst employed by the Department of Veterans Affairs (VA) took electronic data from his office, storing it on his personal laptop and external hard drive in violation of VA policies. During a burglary, the computer equipment - as well as identifying information like Social Security numbers affecting about 26 million veterans - was stolen.
- A few weeks later, a laptop computer containing confidential information about IRS employees was lost in transit during a flight in the western United States. The laptop contained information on 291 employees and job applicants, including their fingerprints, names, Social Security numbers and dates of birth.
- Citibank was forced to inform 3.9 million customers this spring that computer tapes containing personal data had been lost. The tapes were in a box shipped via UPS from the Northeast to a credit bureau facility in Texas. Data on the tapes included account information, payment histories and Social Security numbers.
- Earlier this year, Bank of America was forced to make a similar announcement. The company reported it had lost computer data tapes containing personal information on 1.2 million federal employees - including some U.S. Senators. It is believed that the backup tapes were likely stolen from a commercial plane. The lost data includes Social Security numbers and account information that could make these individuals vulnerable to identity theft.
- Time Warner also revealed that tapes containing data, including names and Social Security numbers, on 600,000 current and former employees disappeared on March 22. The unencrypted data was being shipped to an offsite storage center operated by Iron Mountain Inc.
Cost of security breaches is high
The ramifications of these incidents are likely to be far-reaching. To begin with, organizations guilty of breaches are found to be in noncompliance with state and federal regulations regarding data security. In most instances, governing agencies levy fines and penalties for these types of violations.
The expense doesn't stop there. Victims often instigate civil or class action lawsuits. Organizations found negligent will be required to pay compensatory damages and bear the burden of the costs of litigation, which typically run into the millions of dollars. Plus, those held responsible for the violations may also have to foot the bill for customers who subsequently are forced to subscribe to credit monitoring and restoration services.
Organizations liable for security breaches also incur costs as they assess what went wrong and re-evaluate the protective systems they have in place. They may need to add staff in order to manage the fallout from the violation - working with customers to assuage their concerns, for instance. Plus, they will need to re-engineer the security systems found to be ineffective.
Some settlements also require that the responsible company engage external auditors to conduct periodic assessments over a specified period of time - often several decades. These hired guns are directed to investigate all aspects of the liable party's security system - and recommend corrective action when required.
Organizations also pay a steep price in terms of lost good will. News of data loss or theft is bad PR. A company's good name is eroded, costing it current customers and future business.
Evaluating encryption methods
Data center professionals are on the front lines of this battle. As keepers of the data, they are constantly seeking better methods to ensure that all privacy and confidentiality objectives are met.
The escalating concern about loss and theft has convinced the vast majority of data centers that any data they transport must be encrypted. As they evaluate various approaches, they must consider symmetric versus asymmetric cryptography, or a combination of the two. The older, symmetric approach is based on a single password-key, where both encryption and decryption are done with the same "key." As a standalone technique, this approach is generally recognized as less secure because if the key falls into the wrong hands, the security of the data is immediately and completely compromised. Hence, key management is a major concern for all systems that use this type of cryptography.
Asymmetric, or public key infrastructure (PKI), encryption is more complex. Unlike symmetric cryptography, there is a public and private component to the encryption process. During this process, the originator devises both public and private digital encryption keys that are created by a hash of the data that is to be protected. The public encryption "read" key can then be made public while the private decryption key is kept secret. In a sense, the public key locks the data, while the private key unlocks the data. The private key is sent to the recipient separate from the actual data, or it can simply be stored until the data is decrypted. Data security experts note the benefits to PKI are fourfold, as represented by the acronym CAIN:
- Confidentiality: Protection of data against unauthorized access/disclosure
- Authenticity: Verification of an individual identity (PIN/PASSWORD)
- Integrity: Protection of data against unauthorized modification or substitution
- Non-Repudiation: Combination of confidentiality and authenticity that is provable to the third party.
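An added example (not part of the original article, and not the code of any product named in it) of combining the two approaches: the bulk data is encrypted with a one-time symmetric key, and only that key is encrypted with the recipient's public key, so the private key never travels with the media. It uses Node.js's built-in crypto module; the names seal, unseal, rejects and demo and the sample record are constructed for illustration.

```javascript
const crypto = require('node:crypto');

// RSA-OAEP with SHA-256 wraps the data key; the bulk data never touches RSA.
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Sender: a fresh AES-256-GCM key encrypts the data (symmetric), and only that
// 32-byte key is encrypted with the recipient's public key (asymmetric).
function seal(recipientPublicKey, data) {
  const dataKey = crypto.randomBytes(32);
  const nonce = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', dataKey, nonce);
  const ciphertext = Buffer.concat([cipher.update(data), cipher.final()]);
  const wrappedKey = crypto.publicEncrypt({ key: recipientPublicKey, ...OAEP }, dataKey);
  return { wrappedKey, nonce, ciphertext, tag: cipher.getAuthTag() };
}

// Recipient: unwrap the data key with the private key, then decrypt. GCM checks
// the tag in final(), so modified media throws instead of yielding plaintext.
function unseal(recipientPrivateKey, envelope) {
  const dataKey = crypto.privateDecrypt({ key: recipientPrivateKey, ...OAEP }, envelope.wrappedKey);
  const decipher = crypto.createDecipheriv('aes-256-gcm', dataKey, envelope.nonce);
  decipher.setAuthTag(envelope.tag);
  return Buffer.concat([decipher.update(envelope.ciphertext), decipher.final()]);
}

// True when unsealing is refused (wrong private key or altered envelope).
function rejects(privateKey, envelope) {
  try { unseal(privateKey, envelope); return false; } catch { return true; }
}

// Constructed demo: the recipient creates the key pair; only publicKey is shared.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const record = Buffer.from('constructed sample backup record');
  const envelope = seal(publicKey, record);
  const tampered = { ...envelope, ciphertext: Buffer.from(envelope.ciphertext) };
  tampered.ciphertext[0] ^= 1; // one bit changed in transit
  const stranger = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  return {
    roundTrip: unseal(privateKey, envelope).equals(record),
    tamperDetected: rejects(privateKey, tampered),
    wrongKeyRejected: rejects(stranger.privateKey, envelope),
  };
}

console.log(demo());
```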
Unified encryption methods simplify security process
At the same time, data center professionals must assess the level of encryption they wish to employ. Recent versions of some back-up software, for instance, utilize encryption methods that are inherent to the program itself. When files are backed up, the program automatically launches an internal encryption sequence.
While representing a step in the right direction, this application-level approach can be complicated, since every program has a different and distinct encryption key. Data center professionals must manage multiple keys, matching each to the appropriate version of each specific program in order to eventually decode the data.
Innovative encryption applications have been developed, however, to make the process simpler. This next generation offers single, unified encryption for diverse types of data. These applications, like MediaMerge/TapeSecure from eMag Solutions or CopyCrypt from OpenTech Systems, allow each data center to write its own singular encryption key, which decrypts all formats or files, and is proprietary to the originating corporation or organization. With that in place, a small computer system interface (SCSI) device automatically encrypts data during duplication at no additional cost and with no delay.
The encrypted data is then securely transported as needed, with the key being sent separately from the data. Once on site, the recipient uses a decrypt or "read" key to access the data during retrieval. This approach provides enhanced security by eliminating the need for multiple keys, thereby reducing the opportunities for loss. In addition, data centers are able to streamline operations by simplifying the management of encrypted data.
The end result? The organization minimizes the chance for any type of problem or breach to occur - which, in turn, boosts confidence in the data center's handling of data security.
Forward-looking data centers have also begun to evaluate an even more advanced technology: native tape-drive based applications with greater capacity that may double, triple or even quadruple the throughput offered by current systems. While only recently introduced, many experts note that this next generation confirms the industry's commitment to data protection.
Of course, pressure on data center professionals to bolster the security of transported data will only grow. Corporations, law firms and other organizations that handle confidential personal information will adopt increasingly stringent standards. The burden of evaluating encryption methods will fall to data center professionals, who must carefully consider whether each alternative has the ability to ensure regulatory compliance and reduce exposure to risk. At the same time, they must weigh the administrative burden and cost of each alternative, selecting applications that provide the necessary security, while simplifying the management of the encryption process.
* The following article was authored by Chuck Bokath of eMag Solutions and appeared in the June issue of The Data Center Journal.com.