The Encryption Code
While encryption can protect data from hackers and companies from security breaches, many companies have yet to adopt this type of data protection. Why? Let’s blame it on a handful of misconceptions about the technology, according to two database security practitioners who work closely with companies on encryption implementations.
“We understand that the reason that some companies aren’t implementing encryption isn’t from lack of desire but from misconceptions about it,” said Sheryl Rajbhandari, solutions architect for Teradata, a division of the Dayton, Ohio-based NCR. “They can really get caught up in [the misconceptions].”
Rajbhandari and Hans Meijer, a consultant for Protegrity USA, Inc. in Stamford, Conn., reported that misconceptions stem primarily from many of the security consultants who have set up businesses in recent years. These consultants, who have actually steered clients away from encrypting data, have based their decisions on a number of factors (including cost, complexity, and other issues), according to Rajbhandari and Meijer.
The security regulations are intimidating; some documents are at least 30 pages long. So a chief information officer makes the natural assumption that the actual security tools and implementations will be at least as daunting.
Rajbhandari and Meijer also noted that most firms view security as an expense, which doesn’t contribute anything to the bottom line. As a result, they only employ those basic security measures required by regulation. Even then, if there’s no imminent threat of a security audit, implementation might be delayed.
Surprisingly, Teradata and Protegrity have discussed encryption with many firms that have worked with smaller, newer security companies rather than with more established, veteran consultants, according to Rajbhandari. Here are five major misconceptions that Rajbhandari and Meijer see in their work in the industry.
Misconception No. 1: Encryption is costly.
Among the biggest misconceptions, according to Rajbhandari and Meijer, is the cost of encryption. These two experts talked to firms that expect encryption to cost at least 10 times more than it actually does, Rajbhandari said. Meijer added that companies with databases from different vendors expect encryption to be even more expensive, depending on how many different databases they have.
Meijer explained that Protegrity has an encryption application that works across a variety of databases, so translation software or entirely different applications aren’t needed for each.
Another reason for the misconception about cost is not knowing what needs to be encrypted in order for data to remain secure. “You need to think logically about what needs to be encrypted,” Rajbhandari said.
“A clear understanding of the potential damage from data theft will quickly put the initial investment costs in alarming perspective,” she added. Fines, required notifications, and negative publicity from security breaches can force companies into bankruptcy or into undesired business restructuring. Some business experts have said that the data breach sustained by CardSystems Solutions, Inc. in Atlanta was a major reason for the recent sale of the company.
Rajbhandari and Meijer estimated that companies spend millions of dollars recovering from internal data theft. External theft adds countless dollars more. Many state laws require that customers be notified if there is a data breach that could have compromised their data (even if there’s no evidence that it ever was), as in the much-publicized incidents of lost data tapes by financial institutions, Marriott International in Washington, D.C., and others during the past year. The cost of encryption should be considered in that context.
Misconception No. 2: Following standards and rules guarantees data protection.
Many companies believe that if they follow data security standards and other compliance rules, their data will be secure, according to Rajbhandari and Meijer. However, many of the regulations recommend security procedures and best practices rather than require certain procedures. Even following the law will leave security holes.
“A lot of companies are doing only what they need to in order to pass a [security] audit,” Rajbhandari said. Even regulations that require encryption do so to make sure the corporate database can be encrypted. But these rules don’t discuss protection of incoming company data.
They recommended evaluating security risks in the overall architecture. This includes network, user access, and database permissions. The experts advise thinking inside out instead of outside in. Start by securing the data at rest, and then secure the data in transit all the way to the client. Securing with hardware involves firewalls, software encryption of the communication between the database and client, and strong password rules for application users.
Rajbhandari and Meijer added that if a Web-based application is used, it is also important to secure the communication between the Web application and the client and to apply strong authentication to the Web application. Encrypted data is still at risk of being exposed to network traffic sniffers or spyware. Statistical attacks can be made successfully on encrypted data if powerful encryption algorithms are not used.
Securing access to data can also ensure that network traffic comes from valid TCP/IP addresses during approved work hours. This lessens the chance that hackers can access user authentication (user IDs and passwords) for hardware, software, and sensitive data. Both Rajbhandari and Meijer recommended that companies use active monitoring software to recognize valid, acceptable network traffic.
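The address and work-hours check described above can be sketched as a small monitoring rule. This is an added example, not code from the article or from Teradata or Protegrity; the allowed networks, the hours, the log format and the function names are all assumptions.

```python
import ipaddress
from datetime import datetime

# Assumed policy (constructed): database clients sit on these networks and
# work Monday to Friday, 08:00 to 17:59 local time.
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "192.168.5.0/24")]
WORK_DAYS = range(0, 5)     # Monday=0 .. Friday=4
WORK_HOURS = range(8, 18)   # 08:00 .. 17:59

# Constructed sample of database logon records: "timestamp source_ip user"
SAMPLE_LOG = """\
2024-03-04T09:15:02 10.20.3.7 etl_batch
2024-03-04T23:41:10 10.20.3.7 etl_batch
2024-03-05T10:02:55 203.0.113.44 report_user
2024-03-09T11:30:00 192.168.5.12 dba_admin
not a log line
"""

def check_logon(line):
    """Return (user, ip, reasons); reasons is empty when the logon is acceptable."""
    try:
        stamp, ip_text, user = line.split()
        when = datetime.fromisoformat(stamp)
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        # Malformed records are flagged rather than silently dropped.
        return (None, None, ["unparseable record"])
    reasons = []
    if not any(ip in net for net in ALLOWED_NETS):
        reasons.append("source address not in allowlist")
    if when.weekday() not in WORK_DAYS or when.hour not in WORK_HOURS:
        reasons.append("outside approved work hours")
    return (user, str(ip), reasons)

def flag_logons(log_text):
    """Return only the records that violate the policy."""
    results = (check_logon(l) for l in log_text.splitlines() if l.strip())
    return [r for r in results if r[2]]

if __name__ == "__main__":
    for user, ip, reasons in flag_logons(SAMPLE_LOG):
        print(user, ip, "; ".join(reasons))
```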
Misconception No. 3: Data encryption will require more capacity and storage.
The third major misconception is that adding security will increase data storage and capacity requirements. The actual amount of additional space depends on encryption needs. Not everything needs to be encrypted, according to Meijer.
Even with sensitive information, such as credit card data, not all columns need to be encrypted for security. A credit card might have separate columns for the card number, expiration date, cardholder’s name, address, and other information. Only the first two columns actually need to be encrypted to secure the data, Meijer said.
In practice, data overhead for encryption adds less than 5 percent to storage needs. This is achieved when a thorough analysis of the sensitive data is made and when only key fields can be encrypted. By increasing disk size to 73 GB, the majority of Teradata and Protegrity customers' systems can accommodate the 5-percent disk increase without any additional hardware.
Misconception No. 4: Adding encryption reduces performance.
Knowing what needs to be encrypted for security reasons can also limit loss of performance, according to Meijer. Some companies don’t want to see any slower performance of systems once encryption is added, but that’s simply not possible unless a company adds more processing power, Meijer said.
“By using Teradata’s parallel architecture, all hardware components are working to encrypt/decrypt data simultaneously,” Rajbhandari said. As a result, performance degradation is minimal. In a recent case, the average change in performance was less than 2 percent in testing. The parallel architecture is efficient because it executes all physical nodes and logical processor units.
Misconception No. 5: Encryption will put a strain on the network.
The fifth misconception is that adding encryption will put a tremendous strain on database performance during queries and loads. Again, the additional strain on the database depends on the amount of encryption that is actually required, which is usually less than companies expect, according to Meijer.
Another way to reduce strain on the network from multiple queries is to understand the system impact where the application’s data model searches for sensitive data—in columns that may require the data model to be redesigned.
One approach is to investigate whether any area of the sensitive data column can be exposed, according to Rajbhandari and Meijer. An analyst or administrator can then use that exposed area as search criteria—and the rest of the sensitive column could remain encrypted.
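The two ideas above, encrypting only the card number and expiration date and leaving part of the sensitive column exposed as a search key, can be shown together. This is an added example, not code from the article or from either vendor. It assumes the third-party `cryptography` package, SQLite as a stand-in database, the last four digits as the exposed part, and hypothetical table and function names.

```python
import os
import sqlite3
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Demo key only (assumption): in production the key comes from a key manager.
KEY = AESGCM.generate_key(bit_length=256)

# Constructed sample rows using well-known test card numbers, not real accounts.
SAMPLE_CARDS = [
    ("A. Example", "4111111111111111", "12/27"),
    ("B. Example", "5555555555554444", "03/26"),
    ("C. Example", "4012888888881881", "09/28"),
]

def seal(value, column):
    """AES-256-GCM encrypt one field; the column name is bound in as associated data."""
    nonce = os.urandom(12)
    return nonce + AESGCM(KEY).encrypt(nonce, value.encode(), column)

def unseal(blob, column):
    """Decrypt a field; fails if the blob was altered or moved to another column."""
    return AESGCM(KEY).decrypt(blob[:12], blob[12:], column).decode()

def build_db(cards):
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE card (id INTEGER PRIMARY KEY, holder TEXT, "
               "pan_last4 TEXT, pan_enc BLOB, expiry_enc BLOB)")
    db.execute("CREATE INDEX card_last4 ON card (pan_last4)")
    for holder, pan, expiry in cards:
        db.execute(
            "INSERT INTO card (holder, pan_last4, pan_enc, expiry_enc) VALUES (?,?,?,?)",
            (holder, pan[-4:], seal(pan, b"pan"), seal(expiry, b"expiry")))
    return db

def find_by_last4(db, last4):
    """Search on the exposed digits only, then decrypt just the matching rows."""
    rows = db.execute("SELECT holder, pan_enc FROM card WHERE pan_last4 = ?", (last4,))
    return [(holder, unseal(blob, b"pan")) for holder, blob in rows]

if __name__ == "__main__":
    db = build_db(SAMPLE_CARDS)
    print(find_by_last4(db, "4444"))
```

The query runs against the indexed clear-text column, so the database never decrypts rows that do not match.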
By understanding the realities and the misconceptions regarding implementation and encryption usage, those chief information officers charged with protecting customer data could find the solution easier to implement/use and more affordable than they thought, Rajbhandari and Meijer said.
Phillip Britt, president and CEO of S&P Enterprises, Inc., is a business writer who covers key topics in the information industry.