Tuesday, 9 October 2007

The Keys of Encryption

Every so often, someone else writes something which makes me want to write a bit more down my own avenue. Often that person is Rich Mogull, and yesterday he wrote "you should write some more", which makes me want to write some more. Bad intro to what I hope is a familiar subject.

Everyone involved in security in any way at all, except maybe the bloke in the uniform in Tesco's car park, knows about CIA. We are taught to think about every situation in terms of Confidentiality, Integrity and Availability. I've talked before about how business thinks in terms of "Availability, Availability, Availability, confid... ooh, look, I can make money out of Availability."

But I'm not here to go 'ptchah' and 'humbug' at the business people, not this time anyway, not when I am one. No, I'm here to talk about the right way of doing things. Rich talked recently about encryption, a subject close to my heart. I commented that encryption is only about one thing - confidentiality.

This is true, and it's all it ever can be about. This is why I don't understand why there are so many companies (competitors of mine now I'll admit) trying to do new things in encryption, when really, there's nothing to it. No-one cares how you build a better mousetrap. They care how easy it is for them to forget about it and make sure it does its job.

My analogy

The only way encryption will ever do its job, however, is surrounded by proper controls. I have a very clear picture in my head when it comes to data security. Think of a block, a plain wooden block, the colour of pine perhaps, nothing special or fancy. That is my data. When I encrypt, I might chop it up, re-arrange it, paint it blue, chop it another way, paint it yellow and end up with something that is rather different to that which I started with.


My block, although now no longer a block, nor pine coloured throughout, is still my block. If I chose to clean off the paint and reassemble in the original order, I would still have my block left. Indeed, if I leave my block out in the street in such a configuration, the chances are that an infinite number of monkeys will come along, and one will solve the riddle of the block.


Crazy? Yes, of course. The point being that encryption alone will not keep you safe forever. Not with all those monkeys out there. No, what you need is a physical control. So, I put my chopped and coloured block in a lockable box, and allow only one key to open that box. Ah, grand, it's all safe and sound. The only time I open the box is when I get my key out and look inside. Then I can build the block and look at it without anyone else being party to my beautiful block, and its blockness. Bliss.


BUT... what if I fall asleep, and one of the monkeys rifles through my pockets? What if I just leave the key out on the mantelpiece for anyone to come and pick up? Yes, the monkey gets the block again. Actually, in reality, the situation is rather worse as the action of being a legitimate user applies access controls, which control the decryption key. So, just being able to open the box means the monkey can see the data. My beautiful block is exposed to the world.

The best way to ensure against all of this is to manage your keys properly of course, but key management also requires good user controls. User controls require not only good authentication, authorisation and accounting, but audit, and immutable audit trails at that.

Reporting and management

All the reporting and management gubbins around these important security systems are just a way to sell to the business. I say 'just', obviously security wouldn't go anywhere if we couldn't sell it. More's the pity.

Further to this, read Rich's posts on DLP/ILM, etc., they are fantastic. I sometimes feel like he's writing them just for me they are so good.

No comments: