Have you felt “shaken and stirred” with all the recent cyberattacks lately? Equifax, state election systems and the SEC have all been hit in the last few months and there’s more to come. The question is whether the key ingredients of communication, smart key management, and intelligent access control are all mixed to achieve the ‘perfect cocktail’ to an effective encryption strategy.
Whether using an ATM, sending an email, shopping online or managing a multi-level enterprise, encryption and cryptography are a part of our everyday lives. If organizations are not implementing an effective encryption strategy their most sensitive data and infrastructure are vulnerable to fraud, identity theft, corporate espionage, and a variety of other digital threats.
Communication and collaboration are the first essentials steps to creating the perfect cocktail for an effective encryption strategy. During the development phase, there is a transformation of culture within an organization. The transformation consists of an understanding that cybersecurity and risk are now part of the business function. Creating a risk engaged culture is critical to the evolution of cybersecurity and must involve participation from the IT Department, stakeholders, C-Suite, and non-IT employees. Implementing a proactive vs reactive mentality will help create responsibility and accountability.
Choosing what data to encrypt will vary based on company size, industry, and the sensitivity level of data. Classifying the data into predefined groups will help determine the treatment and handling of sensitive data.
Implement and continuously audit smart access control policies and procedures. Implementing a proper Identity Access Management control strategy is another essential component for an effective encryption strategy. By allowing select file permissions for employers or stakeholders the distribution of sensitive or confidential information is on a need-to-know basis. Additionally, organizations have a specific set of policies and procedures to follow when adding a new employee or partner to the list of people who have access to certain information. It is critical to restrict the number of people who share sensitive data with others.
A good cocktail usually consists of a well thought out recipe so why wouldn’t you do the same for key management? Laying down a good foundation for an effective encryption strategy requires good key management practices but encryption protocol can only be effective when encryption keys are properly secured. Proper key management ensures that every encryption key an organization uses is securely stored, protected, and retrievable. Key management protocols are designed to help protect encryption keys from loss, corruption, and unauthorized use. A variety of policies can be implemented to ensure the safety of keys, including changing the keys on a consistent basis and careful management of who has access to them.
- Key management is not simple: If encrypting data, somebody must manage the keys, and you must have key recovery procedures in place.
- Within large businesses, key management processes must be capable of being distributed across multiple business functions with the same standards, rules and quality levels.
- Have one point of contact for cryptography; don't spread it among operational users.
- Ensure the central key repository is well-protected.
- Decide whether your outsourcer will have any role in key management, such as key pair generation, recovery of keys and escrow access.
- Decide whether you will have a "two person" rule for aspects of key management.
- Decide whether information security should manage keys, as well as encryption policy. In practice, during development, key management is the responsibility of the project, but handed over to security at implementation.
Source: The Corporate IT Forum's Information Security Service
In addition, the use of Hardware Security Modules (HSMs), physical computing devices that safeguard and manage digital keys for strong authentication and provide cryptoprocessing, are often a requirement for enterprise organizations.
How Can We Help?Finding the right solution provider for your organization is critical. Companies often share valuable and sensitive data with a variety of vendors including traditional software companies, cloud-based SaaS, online software providers, payment processors, accountants, attorneys, and management and marketing consultants. Encryption practices oftentimes are not equal in their effectiveness and need to be flexible to implement and configure your Data Protection Policies for maximum protection and efficiency. Prime Factors EncryptRIGHT provides the key ingredients for a ‘perfect cocktail’ to an effective Encryption strategy.
Contact us today and let us know how we can help or if you have additional questions about any of our other data security solutions!
To learn how encryption can lower the cost of regulatory compliance while enhancing security, download our white paper Reducing the Cost of Regulatory Compliance with Encryption.