
Key Management Opens the Door to Holistic Data Security

Tivoli software

Strong encryption can secure data - at rest, in use, and in motion

What's the most pressing challenge facing IT security specialists going forward?

One answer to that question comes from a recent CSI/FBI survey in which data protection was singled out by participants—even above and beyond other crucial challenges, such as regulation compliance and identity theft. Nor is it hard to see why. Business data is now the fundamental enabler and chronicler of all operations, tracking and quantifying the success or failure of strategies, solutions, processes, and services. Protecting that data from all threats and prying eyes—both internal and external—is therefore absolutely mission-critical.

Furthermore, consider the many potential consequences, should either the data or its security be compromised. Key intellectual property, used as a competitive differentiator, could be stolen from the organization, resulting ultimately in a loss of revenues or market share. Compliance regulations come into play in this context as well; in cases where data security strategies are inadequate, and millions of records of sensitive information are obtained by inappropriate parties, such regulations may specify stringent legal and fiscal penalties, both of which would adversely affect the bottom line. Customer and partner confidence in the organization's transactional security could easily be threatened, jeopardizing key business relationships. The financial costs of addressing data security shortcomings, both in terms of labor and technology, would likely be nontrivial. In a worst-case situation, the overall resilience of the organization could be damaged or even destroyed.

Of course, moving toward a comprehensive data security solution requires understanding the many roles data typically plays. Part of the challenge lies in the fact that data itself can be said to fall into three classes: data at rest, data in use, and data in motion.

Data at rest concerns data in a comparatively static state; examples would include data on storage, tape, or USB drives used for archival or backup purposes. Data in use is applied or modified more continually, such as in the case of word processing documents and spreadsheets updated on a constant basis. Finally, data in motion describes data in a state of network flow; e-mail is perhaps the foremost business example, but others would include instant messaging, peer-to-peer networks, and transactional data collected by Web servers.

Arriving at a holistic data security strategy requires considering and addressing the domain-specific issues in each case, then federating them in such a way that data security can be achieved across all three categories.

Managing Keys Is Central to Encryption-Driven Security Strategies

One core element used by data security solutions today, of course, is encryption. Through strong encryption algorithms, data can be compressed and hidden from any potentially prying eyes, both inside and outside the organization. Even if, for instance, a laptop containing millions of records of sensitive medical information should be stolen, those records would still be inaccessible to the thief if they were thoroughly encrypted. Many assets presently in use in IT infrastructures, such as tape drives, enterprise-class applications, disk subsystems, and end-user devices, incorporate some form of encryption as a result. In every case, keys are required both to encrypt and decrypt the data. Key management is therefore a crucial element of the overall data security strategy for the organization.

Unfortunately, holistic, federated key management is difficult for many organizations to achieve. In part, this is because the different IT assets cited above tend to implement key management in isolated ways; each asset thus becomes an island unto itself, and managing the many keys used in those many contexts is far from simple or, if administered individually, cost-effective. Just as holistic security requires more than isolated point solutions, holistic data security requires more than isolated key management schemes broken down by technology category. As the enterprise grows, deploying more and more technology in the pursuit of more and more business goals, the need for some form of centralized key management will grow in direct proportion.

And while this problematic situation is particularly applicable to the enterprise, it applies in other market categories as well. In fact, a case could be made that for smaller markets, the problem is still worse. Most key management technologies are currently associated with enterprise-class solutions purchased and deployed by only the largest organizations; this means that mid-market, growing businesses commonly classified as SMBs are often more challenged than the enterprise to achieve data security, because they lack solutions which target their unique needs and contexts.

The Essential Features of Federated Key Management

In every case, centralized key management would ideally involve a number of central functions, optimized to deliver data security through managing keys at every stage in the key lifecycle. For instance, support for strong cryptography would clearly be necessary. High availability for cipher/decipher operations, through an optimized design that makes the most of computational resources, would also be essential. In the pursuit of regulation compliance and in support of legal discovery, special features focusing on key retention and usage would be useful.

Does this description map well to customer needs? A 2007 survey by the Enterprise Strategy Group would appear to support that premise. When asked about the impediments to encrypting confidential data, respondents said that the top three concerns were performance implications, cost, and concerns with key management—in that order.

In a perfect world, then, centralized key management incorporating these and other features could be extended across disparate forms of technology, ranging from operating systems to middleware to storage—linking these domains via a federated key management solution, and automatically extending the benefits of the solution to new assets as they are deployed in each domain. Such a solution would be available to both enterprise-class and smaller market customers, addressing each market's needs in specific ways, and furthermore, would be performance-enhanced to minimize the business impact involved in decrypting and encrypting data in all three operational categories.

Thus, regardless of its size, or the complexity of its technical infrastructure, the organization could secure data at every stage in its lifecycle by optimizing and integrating key management.

In the weeks to come, IBM will be announcing a key lifecycle management solution designed to address these and related complexities. For IBM customers concerned with data security as a central element of an overarching, holistic security strategy, this solution may well be of considerable interest.

