Tip

Storage encryption prevents identity theft

The issue of encrypting stored information is surfacing again, thanks to incidents like a recent theft at a large bank, in which four servers containing names, addresses and social security numbers of thousands of mortgage and student-loan customers were stolen. Such crimes aren't cheap: According to the Attorney General, identity theft alone costs the U.S. economy an estimated $50 billion a year.

However, using storage encryption technologies presents some challenges. In order to deploy encryption of stored information, IT customers require several features:

  1. Secure storage and availability of keys used to encrypt stored data, perhaps for as long as ten years.
  2. Protection of stored data against unauthorized modification, or, at a minimum, detection of such modifications.
  3. Availability of software for decrypting the data, for the same period of time. By software, we mean the code of the algorithm that was originally used to encrypt the data. Some customers may also want to be assured that the software for decryption would indeed work 5-10 years later, thereby requiring frequent testing.

Let us review the difficulties in achieving the above goals. Consider the first goal, the availability of secret keys. Companies undergo mergers and acquisitions. The system administrators, who are the likely custodians of the secret keys required for decryption, might change jobs during these transitions, or the organization itself might move around, and the servers change hands. A simple approach is to store the key in the server. However, that defeats a key goal: if the key is in the server, the attacker can steal the server and break the coded secret keys. The attacker can try brute-force attacks since he has almost unlimited time. An interesting approach is used in IBM's ICSF (Integrated Cryptographic Service Facility), which stores the "master key" in a secured hardware module in the mainframe. The module destroys the secret key if it is accessed in an unauthorized manner. The master key is used to encrypt other encryption keys.

The second goal can be accomplished by implementing a data integrity scheme. The third goal is more difficult. Encryption technologies are aging fast. Encryption algorithms are being retired quickly to prevent brute-force attacks that may be accomplished in a short time. Last July, NIST announced that DES encryption was inadequate for use in software products sold to the government. The aging of encryption algorithms may inhibit the availability of decryption software at a later time.
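One way to build the data integrity scheme mentioned for the second goal, as an added example that is not part of the original tip: each stored record carries an HMAC-SHA256 tag over its header and ciphertext, so any modification is detected before decryption is attempted. The record layout, the algorithm id and key id fields, and the sample values are assumptions made for illustration; the MAC key is assumed to be held by the key-management system rather than on the storage server.

```python
import hashlib
import hmac
import struct

# Assumed layout (not from the article): magic, format version, algorithm id,
# 16-byte key id, 8-byte ciphertext length, ciphertext, 32-byte HMAC-SHA256 tag.
MAGIC = b"SREC"
HEADER = struct.Struct(">4sBH16sQ")
TAG_LEN = hashlib.sha256().digest_size


class TamperedRecord(Exception):
    """Raised when a stored record fails its integrity check."""


def seal(mac_key: bytes, alg_id: int, key_id: bytes, ciphertext: bytes) -> bytes:
    """Bind the ciphertext to the algorithm and key it was encrypted with."""
    if len(key_id) != 16:
        raise ValueError("key_id must be 16 bytes")
    body = HEADER.pack(MAGIC, 1, alg_id, key_id, len(ciphertext)) + ciphertext
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def open_record(mac_key: bytes, blob: bytes):
    """Verify the tag first, then parse; return (alg_id, key_id, ciphertext)."""
    if len(blob) < HEADER.size + TAG_LEN:
        raise TamperedRecord("record truncated")
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise TamperedRecord("MAC mismatch: record was modified")
    magic, version, alg_id, key_id, length = HEADER.unpack_from(body)
    ciphertext = body[HEADER.size:]
    if magic != MAGIC or version != 1 or length != len(ciphertext):
        raise TamperedRecord("unsupported or malformed header")
    return alg_id, key_id, ciphertext


if __name__ == "__main__":
    # Constructed sample values, for illustration only.
    mac_key = bytes(range(32))
    blob = seal(mac_key, 0x0002, bytes(16), b"opaque ciphertext bytes")
    print(open_record(mac_key, blob))
    damaged = bytearray(blob)
    damaged[5] ^= 0x01  # change the recorded algorithm id
    try:
        open_record(mac_key, bytes(damaged))
    except TamperedRecord as exc:
        print("rejected:", exc)
```

Because the algorithm id and key id are covered by the tag, a record read back years later still states, in a form that cannot be silently altered, which key and which decryption software it needs.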

So the choices for IT customers are difficult. Customers need a complete solution for their storage encryption before they encrypt their critical information. Encrypted information may become useless if it cannot be decrypted. So in the absence of a complete solution, IT customers have the following choices:

  1. Accept the above exposures, and deploy encryption with as many features as possible that address them. Implement strict processes and procedures that address the above exposures. This option may be necessary if your data is highly sensitive.
  2. Implement best practices to protect clear-text data without encrypting it. Such practices may include stricter access control and authorization processes. This option may be deployed especially if deploying encryption is significantly more expensive than the best practices, and the data is critical but not highly sensitive.

Dr. Vijay Ahuja is the president and founder of Cipher Solutions Inc., a professional services company that assists its clients in implementing storage security and offers customized seminars on storage and network security issues.

This was first published in February 2005
