Thursday, 17 April 2008

Data security pop quiz

If you are a regular reader of this blog, or indeed anyone who reads to the end of this sentence, you will know by now that I am a keen student of encryption. I hesitate to say expert, because I am nothing of the sort. I am the equivalent of the commentator at a Kasparov v Karpov chess match, or maybe even just one of the audience. Still, I enjoy encryption, data integrity, data security and all that gubbins immensely.

It is with great regret, then, that I have to announce that most people aren't using it for the right thing. I have to defer to Fred Cohen slightly on this one, as I have done many times in the past, but just think for a moment about why you encrypt things. If you are a CISSP or other security professional, go back to basics and look at your C, your I and your A. Now tell me why we encrypt. Is it:
a) because it stops our data being viewed by people who we don't want to see it?
b) because it stops our data leaking outside our organisation?
c) to protect from the DBA?
d) because it keeps data secret?
e) none of the above.
If you answered a, you are probably a customer of one of the encryption vendors, who have sold you a policy engine, key management system and encryption bundle, all under the auspices of PCI - and there is an argument to say that this is A Good Thing.

If you answered b, you need to go back to school: this is Availability, not Confidentiality, and you need DLP. c? Well, no. As I wrote earlier in the week, this doesn't happen. I still don't know of one encryption product which can successfully protect against the DBA. Separation of duties, maybe; making it harder to attack the data, for sure; but complete protection, no-one can do.

d - correct, have a sweetie, this is the security 101 answer. But in reality, even this is wrong. I plump for e, because at the end of the day, encryption is only as strong as the latest algorithm, which is only as strong as the latest supercomputer, which gets ever stronger according to Moore's Law.

So, is encryption useless? Not at all. There is a lot to be said for deterrent measures, for making things next to impossible in place of impossible. Along with data integrity, encryption provides a powerful tool for electronic data transfer between two points where trust is a requirement but not guaranteed. Where availability of data is a concern, encryption is a must too; otherwise the data loses its value quickly.

Chris Hoff describes information as 'data with a value', which is so smart I wish I'd said it. Widespread availability of that data can reduce its value quickly; in simple terms, if everyone else knew what I know, I wouldn't be able to charge for it. Integrity of data adds no value unless we are certain of its origin. The origin can be questioned far less if the data is encrypted: if I sign a piece of cleartext information, because it can still be read, it can be intercepted, changed, re-signed and re-sent. If it was encrypted, it cannot be read; changing it changes the signature, which then cannot be accepted at the end point, so the original message must be re-sent.

So maybe data isn't the be-all and end-all that many vendors pretend it is, certainly not in PCI anyway, but without it, your data isn't valuable information. Hence you have 'data breaches', not information breaches, I guess; once it's breached, it's already too late.
