Encryption and Its Supporting Cast of Characters

April 2008

At the recent Ohio Information Security Conference, I spoke on the topic of encryption. The key point made during the presentation is that encryption alone is insufficient to protect information; it is a control that requires a number of supporting capabilities to implement effectively.

This cast of supporting characters, and their responsibilities, includes:
  • Authentication – Ensuring who you are dealing with, an identity or principal.
  • Authorization – Understanding what that principal is allowed to do.
  • Network Security – Making sure that your infrastructure provides a secure transport for sensitive data, irrespective of higher level protections. An example would include proper network encryption and access controls.
  • Help Desk Processes – Providing capable, cautious, layered support services that verify authenticity. This is particularly important, considering that social engineering will target these. Layering, or escalation, ensures that verification will match the risk associated with a particular credential.
  • Provisioning – The initiation and termination of credentials and entitlements, based upon timely authorization.
  • Policy Monitoring – Definition and enforcement of policies for the use of encryption.
  • Client and Server Management – Controls over access to platforms and applications. Encryption won’t help if a server or application is compromised in such a way that authorization is defeated.
  • Certificate Authorities – Control point for the issue and revocation of digital certificates. Often used in conjunction with a registration authority, which verifies the authenticity of a principal or identity.
  • Key and Data Recovery – A function that provides for the recovery of encrypted information in the event that the original encryption key is lost.
  • Key Management – The process and procedures specifically designed for the management and protection of keys, including archiving or destruction, according to the organization’s retention policies.
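The last two responsibilities, key recovery and key management, are easy to state and easy to get wrong in practice, so here is an added worked example; it is not code from the original post. It shows envelope encryption: each record is protected with its own data-encryption key (DEK), and that DEK is wrapped separately for the user and for the organisation's recovery function, so losing the user's key does not lose the data, and rotating the user's key re-wraps the DEK without touching the bulk ciphertext. It uses only the Python standard library; the cipher is an illustrative HMAC-SHA256 keystream with an encrypt-then-MAC tag standing in for a real algorithm, and the key names, slot names and record layout are assumptions made for this example.

```python
import hashlib
import hmac
import os
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive separate encryption and MAC keys from one secret (domain separation).
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Illustrative PRF-in-counter-mode keystream; stands in for a real cipher here.
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC layout: nonce || ciphertext || tag. Decrypting with any
    # other key fails the tag check instead of silently returning garbage.
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


def protect_record(plaintext: bytes, user_kek: bytes, recovery_kek: bytes) -> dict:
    # Envelope encryption: a fresh data-encryption key (DEK) protects the data,
    # and the DEK is wrapped twice, once under the user's key-encryption key
    # (KEK) and once under the recovery function's KEK (assumed slot names).
    dek = secrets.token_bytes(32)
    return {
        "ciphertext": encrypt(dek, plaintext),
        "dek_for_user": encrypt(user_kek, dek),
        "dek_for_recovery": encrypt(recovery_kek, dek),
    }


def unprotect_record(record: dict, kek: bytes, slot: str) -> bytes:
    # Unwrap the DEK from the named slot with the caller's KEK, then decrypt.
    dek = decrypt(kek, record[slot])
    return decrypt(dek, record["ciphertext"])


def rotate_user_key(record: dict, old_user_kek: bytes, new_user_kek: bytes) -> dict:
    # Key management: re-wrap the DEK under a new user KEK. The bulk ciphertext
    # is untouched, so rotation is cheap and the recovery copy stays valid.
    dek = decrypt(old_user_kek, record["dek_for_user"])
    rotated = dict(record)
    rotated["dek_for_user"] = encrypt(new_user_kek, dek)
    return rotated


if __name__ == "__main__":
    user_kek = secrets.token_bytes(32)      # held by the user (constructed)
    recovery_kek = secrets.token_bytes(32)  # held by the recovery function (constructed)
    record = protect_record(b"constructed sample: customer notes", user_kek, recovery_kek)

    print(unprotect_record(record, user_kek, "dek_for_user"))
    # Simulate the user losing their key: only the recovery slot still opens the record.
    del user_kek
    print(unprotect_record(record, recovery_kek, "dek_for_recovery"))
```

The recovery KEK is the sensitive piece: it opens every record, so in a real deployment it belongs in an HSM or under split custody, with its use logged and reviewed, which is exactly the kind of supporting control the list above is about.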

In combination, these provide an effective approach to the use of encryption as a way to protect information at rest and in transit. However, it is important to recognize that encryption is not always the best or most appropriate means to ensure the confidentiality of information. The Payment Card Industry, for example, cites alternatives such as not storing the information, or storing only a subset of it, as effective protection strategies.

For this reason, an organization should look at its overall risk profile when deciding which controls and combinations of controls are most effective. Specific attention should be given to user awareness training, as well as programs for the sourcing, acquisition, transfer, storage and decommissioning of hardware and storage media. As devices such as USB memory sticks and mobile storage become more ubiquitous, these should be evaluated in terms of an overall information protection strategy. Platform and application software should also be protected to ensure that information is not inadvertently disclosed, or made unavailable due to the loss or compromise of required operational characteristics.