Tuesday 2 October 2007

Encryption and Key Management

I'm pretty busy this week. Last week I was traveling around, meeting and greeting new customers: busy, but not having to think too much. This week I've had to re-learn some stuff I haven't done for a little while, and unlearn some stuff that I've worked with up until now.

I don't want to go into detail on things you can look up on Wikipedia. Encryption is done using algorithms, symmetrically in streams or blocks, or asymmetrically. In fact, talking of Wikipedia, there is a very good diagram of the different types of ciphers available here, which saves me going into any more detail on this point too. Another area I don't really want to get into is the modes of block cipher operation, although they are a very interesting introduction to the next level of encryption for those who are interested.

So what do I want to talk about then? Well, I've represented a number of companies in this area in my time. I've worked with RSA, nCipher, Vormetric and currently Ingrian Networks. They all do it differently, apart from when they do it the same. I've also partnered with Utimaco and recently spoken with some of the team at Voltage, so you could say I've tried to cover encryption as broadly as possible, if not in depth, as this post probably proves.

If any of you know anything about any of these companies you will know that each of them concentrates in one particular area. It's not my position to criticise, nor to compare. Other than to say that I've ended up in a position where my skills are best placed in a market with great momentum, I will not comment on the strength of various solutions by name.

What none of these solutions has managed to do is create an all-encompassing encryption solution. What most companies would like to do is buy one system of encryption for laptops, desktops, servers and email. They would also love this to achieve full data protection. If you've read any of Rich's posts recently, you'll know this doesn't work; you need the full works. Rich is doing a far better job of explaining this at present than I can hope to, so I'm going to stick to my little corner of data centric security and bow to his superior experience in these matters. I'm also planning to speak to him about it sometime this week; perhaps I should record the call and post it here.

What works well for laptops does not work well for desktops. Laptop encryption cannot rely on a central repository of keys, because laptops are mobile. A key must be kept on the local machine, and the only way to protect it is with a password. Therefore, laptop encryption can only ever be as strong as a password. In a fixed desktop and server environment, encryption can be administered centrally, and we can use asymmetric encryption to protect files.
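The point about a locally stored key being only as strong as its password, as an added example that is not from the original post: a random 256-bit disk key is wrapped under a password-derived key, and a rough estimate shows how far below 256 bits the protection actually sits. The function names, the PBKDF2 iteration count and the XOR-mask wrap (a standard-library stand-in for AES key wrap) are assumptions made for illustration.

```python
import hashlib, hmac, math, secrets

ITERATIONS = 600_000  # assumed PBKDF2 work factor, not a figure from the post

def _derive(password: str, salt: bytes, iterations: int) -> tuple[bytes, bytes]:
    # 64 bytes of PBKDF2 output: a 32-byte mask for the key and a 32-byte MAC key
    out = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=64)
    return out[:32], out[32:]

def wrap_key(data_key: bytes, password: str, iterations: int = ITERATIONS) -> dict:
    """Protect a 256-bit disk key for storage on the laptop itself."""
    if len(data_key) != 32:
        raise ValueError("data key must be 32 bytes")
    salt = secrets.token_bytes(16)  # fresh salt per wrap, so the mask is never reused
    mask, mac_key = _derive(password, salt, iterations)
    wrapped = bytes(a ^ b for a, b in zip(data_key, mask))
    tag = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
    return {"salt": salt, "iterations": iterations, "wrapped": wrapped, "tag": tag}

def unwrap_key(blob: dict, password: str) -> bytes:
    """Recover the disk key; raises ValueError on a wrong password or a modified blob."""
    mask, mac_key = _derive(password, blob["salt"], blob["iterations"])
    expected = hmac.new(mac_key, blob["salt"] + blob["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("wrong password or modified key blob")
    return bytes(a ^ b for a, b in zip(blob["wrapped"], mask))

def effective_bits(password_space: int, iterations: int = ITERATIONS,
                   key_bits: int = 256) -> float:
    """Rough model: the protection is the weaker of the key and the stretched password."""
    return min(float(key_bits), math.log2(password_space) + math.log2(iterations))

if __name__ == "__main__":
    disk_key = secrets.token_bytes(32)
    blob = wrap_key(disk_key, "constructed example passphrase")
    assert unwrap_key(blob, "constructed example passphrase") == disk_key
    print(f"8 lowercase letters: ~{effective_bits(26 ** 8):.0f} bits, not 256")
```

The estimate treats every password in the space as equally likely, which overstates the strength of passwords people actually choose.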

In a database environment, file encryption does not protect from internal RDBMS users, i.e. the 'rogue DBA' we hear so much about. Row and column encryption is a far more effective way of protecting databases and applying proper controls. None of these solutions can protect email, and a special email encryption gateway is required for this, which brings up all the issues of end point protection, data leakage, and everything Rich has been talking about recently.

The method of encryption rarely matters: if the maximum-strength algorithm and a large enough key are used, any method should be as good as another. The keys and algorithms are not the whole story for these methods, however. Laptop encryption relies on a password, but the business drivers tend to be around speed of encryption, so algorithms are closely guarded. Desktop/server file encryption relies heavily on access controls and policies, as does database encryption. These are usually client-server encryption solutions, with an agent residing on the machine to be encrypted and keys kept on a key management hardware device, usually FIPS compliant or available in a FIPS compliant option.

Email encryption has all of the issues of access control and key management, policies, plus the added complexity and overhead of having to encrypt, store and decrypt a large number of small files. I wrote about elliptic curve cryptography recently, and this looks like a great solution in this area, but not something that scales back to databases or file encryption, or laptops.

The real key to encryption is... just that, the key. With a symmetric key, if it is discovered, data can be breached, so asymmetric keys are preferable, where the private key can be protected. The private keys then become extremely important to an organisation, and very tough to manage; however, any algorithm can be used, and any method of encryption or access control/policy can be used. Key management is the killer app in the encryption space.


MadKasting