Encryption's Tough Rewards

4:20 PM -- Encryption can be both a godsend and a nightmare for enterprises as they seek to protect sensitive information or comply with regulations. While it helps protect your data, encryption can also be a weapon that enables rogue users to hide illicit activity or anonymously leak sensitive information to the outside. But whether you're implementing encryption or trying to fight through it, it's important to know where your sensitive information is located and how it is used throughout your organization.

The simplest and most common uses of encryption are the ones that protect data in transit, such as HTTPS, SSH, and VPNs. But these aren't the only uses.

When dealing with Microsoft Windows servers, for example, I prefer to encrypt all of their internal communications using the built-in IPSec functionality. It can be enabled to automatically encrypt when it's supported on the remote side, or it can be restricted to a particular IP address.

A great scenario for this latter option is when a Microsoft Internet Information Server (IIS) located in a DMZ must communicate with a backend database on the internal network. IPSec can be enabled just for those two servers, so that if another machine is compromised within the DMZ, it can't be used to sniff the application to database server traffic.

Data at rest is an even greater opportunity for encryption, especially when you consider how much data leakage has occurred because of lost and stolen laptops, PDAs, thumb drives, and backup tapes. If encryption had occurred before these devices or media went out their doors, these companies might have saved billions of dollars in lost business and customer notification costs.

Choosing an encryption solution that fits enterprises' needs can be difficult, though. Is volume-based (usually called full disk encryption) needed, or is file-based encryption enough? Personally, I like to err on the side of caution and go for volume-based. This approach covers the areas where temporary files get written and saved by naughty applications like Microsoft Outlook.

Another question in enterprise encryption strategy is key escrow. What happens if a user forgets his password, gets hit by a car, or leaves the company on bad terms? There must be a method to access the company data on his hard drive -- you need an additional recovery key or password. Solutions such as PGP -- and even BitLocker and EFS from Microsoft -- provide this functionality so that IT shops won't be left in a bind.

Encryption can be used against your company as well. If a disgruntled employee is looking to leak data out of the company, the easiest way to evade data leakage prevention (DLP) tools is to encrypt the data so the DLP solution can't inspect the contents of the file or email.

Some DLP products can detect high amounts of entropy -- a measure of randomness which tends to be higher in compressed and encrypted files -- in a transmitted file, helping to flag malicious activity. But this approach often leads to false positives, which may eventually lead the security admin to ignore the alert altogether.

Encryption does have its downsides, but don't let that dissuade you from pursuing a solution for your enterprise. Just be aware that you will have to consider many issues -- including network and system performance, visibility to network monitoring devices, and ease of use -- before you choose a technology.

There are headaches associated with designing and implementing encryption successfully. But it's definitely better than the alternative: suffering a major data breach.

— John H. Sawyer is a security geek on the IT Security Team at the University of Florida. He enjoys taking long war walks on the beach and riding pwnies. When he's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading