Encryption is an increasingly important set of technologies that enables customers to safeguard private data in computers, across public or private networks, or in other machine-readable forms.
There is much more data at risk of being compromised than ever before. This, in conjunction with the increasing cost of a data breach, measured in both "hard" dollar terms like legal settlements, and "soft" costs such as loss of customer loyalty, makes the intelligent use of encryption and other data-protection technologies increasingly necessary for organizations of all sizes.
For the small- and medium-sized market, the ideal data encryption approach would be both affordable and easily integrated into a comprehensive data backup and business systems continuity solution. It would include powerful, standards-based encryption, and offer a robust key management function.
Imagine a bank with 20,000 customers, most with multiple accounts and bank cards. Every night, the bank makes a complete tape backup of its core information servers. The tapes are then placed in a storage box. Sometime during the day, a van driver from the tape storage firm drops off an older set of tapes (no longer needed), and picks up the box of new tapes.
Any such practice could lead to tapes being mislaid or stolen from loading docks, being accidentally dropped off at the wrong sites, or being lost or stolen from the delivery van, among other things. Once the tapes are in the wrong hands, unencrypted data is easily compromised.
Fortunately, encryption functionality can be easily integrated into an organization's backup processes, protecting all data on the company's servers and backup devices, and all data taken off site for archiving.
Keys and key management
A key is a piece of information, or parameter, that controls the operation of a cryptographic algorithm. Modern encryption algorithms typically use either symmetric or asymmetric keys. Asymmetric key encryption uses a pair of keys, called a public key and a private key, and is best suited for protecting data that has a wide audience -- such as web sites with secure access established for many users.
Symmetric key methods use the same key for both encryption and decryption. Symmetric keys are excellent for use with devices and appliances in which the need to share keys is very limited. This is typically the case with data backup devices, for which one specifically does not need to allow many parties access to the key.
If you lose your house key, a locksmith can pick the lock mechanically and help you regain access. If you lock your keys in the car, there are many specialized tools that can help you open the door. But any encryption method that allowed this kind of "alternative access" in the event of a lost key would be fatally insecure. These days, most encrypted data is essentially indecipherable to thieves and completely lost to the owner in the absence of the necessary key for decryption. This puts enormous pressure on the owner to not forget the key. It's important to pick a "strong" key, often many, many characters long, which makes it harder to guess, but also harder to remember. And writing the key down brings its own obvious security risks.
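One way to catch a forgotten or mistyped backup key before a restore depends on it, shown as an added example that is not part of the original article: a catalog record stored beside each tape set lets an operator confirm the passphrase during a restore drill without the record holding the key itself. The use of PBKDF2, the record layout, the label, and all function names are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 210_000                  # PBKDF2-HMAC-SHA512 work factor (assumed setting)
CHECK_LABEL = b"backup-key-check-v1"  # hypothetical label, not a standard value


def derive_keys(passphrase: str, salt: bytes, iterations: int = ITERATIONS):
    """Stretch the passphrase into two separate 256-bit keys."""
    material = hashlib.pbkdf2_hmac("sha512", passphrase.encode("utf-8"),
                                   salt, iterations, dklen=64)
    # First half encrypts the backup; second half is used only for the check.
    return material[:32], material[32:]


def new_key_record(passphrase: str) -> dict:
    """Build the catalog entry kept with a tape set. It contains no key material."""
    salt = secrets.token_bytes(16)
    _, check_key = derive_keys(passphrase, salt)
    tag = hmac.new(check_key, CHECK_LABEL, hashlib.sha256).hexdigest()
    return {"salt": salt.hex(), "iterations": ITERATIONS, "check": tag}


def passphrase_matches(passphrase: str, record: dict) -> bool:
    """Restore-drill check: does this passphrase reproduce the tape set's key?"""
    _, check_key = derive_keys(passphrase, bytes.fromhex(record["salt"]),
                               record["iterations"])
    tag = hmac.new(check_key, CHECK_LABEL, hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, record["check"])


if __name__ == "__main__":
    # Constructed sample passphrases, for illustration only.
    record = new_key_record("correct horse battery staple tape-2024")
    print(record)
    print(passphrase_matches("correct horse battery staple tape-2024", record))
    print(passphrase_matches("correct horse battery staple tape-2023", record))
```

The record does not make a lost key recoverable; it only tells the owner early, while the original key holder can still be asked, that the passphrase on file no longer opens the tapes.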
Implementation methods
Data encryption can be incorporated into your workflow in a variety of different ways, each with its own advantages and disadvantages. When implementing data encryption on a network, there are four basic ways to approach the process:
File system encryption on a server. File system encryption is probably the easiest to implement. But this type of encryption places very heavy CPU demand on the server, which often makes it impractical for a busy Exchange or SQL server because of the computing power required.
Additionally, server file system encryption doesn't allow for centralized management - rather, it must be implemented on a per-server basis, and managed only with respect to that system. And in a multiple-OS environment, this kind of file system-based encryption may not be available for each OS used.
In-line encryption. In-line encryption is typically performed by a dedicated hardware "appliance," and is fairly simple to implement. The appliance normally has two network connections, with plain text coming in through the network, and cipher (encrypted) text coming out of the device. Encryption appliances can protect all the data that's in line to be saved on backup media. And the servers and backup devices can operate at their own speed, as if there were no encryption being performed.
But this methodology is a poor choice for some firms. In-line devices require lightning-speed hardware to operate, pushing the typical cost up. And in the event of a real disaster, a new unit must be procured before any file or system restoration can occur.
Backup media encryption. The most commonly used type of encryption takes place on the backup media - either on the server driving the tape backup device (for example, the media server in a Veritas environment), or on the tape drive itself.