Encryption is worth doing the right way. Here are some things to think about for your company’s encryption strategy.
It’s common knowledge among security professionals that encryption is one of the most important components of any data security strategy. Encryption is an incredibly powerful tool for protecting the security and privacy of data. But it is not a silver bullet, and, if implemented poorly, it can cause more problems and data security risks than it prevents. Failing to use encryption properly adds cost and complexity, and it can also put an organization at risk of severe data loss: data encrypted under a key that nobody can recover is as gone as data that was deleted.
Whether data is stored on a mainframe, in local data centers, or remotely in the cloud, there are several key steps to take before you start encrypting your data. Here are some of the issues to address before implementing a data encryption strategy:
Data segregation
Not all data is equal, so it does not all require equal protection. It is usually prudent to encrypt all sensitive or private data. Encryption does have a performance cost, so data that contains neither personally identifiable information nor business trade secrets can pass through systems unencrypted, especially where throughput matters more than confidentiality. Measure that cost before deciding, though: with hardware AES acceleration the overhead of bulk encryption is often far smaller than assumed. Data stored in off-site data centers or in the cloud is a special case and should generally be encrypted regardless of its content, because it sits on hardware your organization does not control; for infrequently accessed data the performance argument against encrypting barely applies anyway. Decide what must be encrypted for security and what can stay unencrypted for performance and efficiency before implementing an encryption system, and then use encryption software that lets you encrypt everything or only selected fields.
Data breach notifications
Automated alerts should be implemented that notify security teams of suspicious or unauthorized attempts to access the mainframe and other systems. Typical triggers are repeated failed logins within a short window, login attempts from locations not previously associated with the user, and other anomalous user activity. These alerts should be supplemented by manual security audits to verify that the system is not being accessed by anyone without proper credentials. Those audits need an access log that records when each credential was used to access which data, and that log must be written to a store the monitored systems’ own users cannot alter, or an attacker holding stolen credentials can simply erase the evidence.
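The three checks the paragraph describes, repeated failed logins, logins from unrecognized locations, and a per-credential record of which data was accessed, as an added Go example that is not part of this article or of any product it mentions. The log layout (timestamp, user, result, source country, dataset) and the sample lines are constructed for the example; the failed-login check uses a sliding window rather than fixed buckets so a slow attempt that straddles a bucket boundary is still caught.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// LoginEvent is one parsed line of the constructed log below.
type LoginEvent struct {
	Time     time.Time
	User     string
	Result   string // "OK" or "FAIL"
	Location string // country of the source address, as a two-letter code
	Dataset  string // data object read on success, "-" otherwise
}

// sampleLog is constructed for this example; its layout is an assumption,
// not any real product's log format.
const sampleLog = `2024-05-01T08:00:00Z alice OK US payroll
2024-05-01T08:01:10Z bob FAIL US -
2024-05-01T08:01:40Z bob FAIL US -
2024-05-01T08:02:05Z bob FAIL US -
2024-05-01T09:15:00Z carol OK BR customer_pii
2024-05-01T10:00:00Z alice OK US trade_secrets`

// ParseLog turns whitespace-separated log lines into events; a malformed line is an error.
func ParseLog(raw string) ([]LoginEvent, error) {
	var events []LoginEvent
	for n, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		f := strings.Fields(line)
		if len(f) != 5 {
			return nil, fmt.Errorf("line %d: expected 5 fields, got %d", n+1, len(f))
		}
		t, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, fmt.Errorf("line %d: %w", n+1, err)
		}
		events = append(events, LoginEvent{t, f[1], f[2], f[3], f[4]})
	}
	return events, nil
}

// FailedLoginAlerts returns users with at least threshold failures inside any
// interval of length window (sliding, so a brute force that crosses a fixed
// bucket boundary still fires). The result is sorted for stable output.
func FailedLoginAlerts(events []LoginEvent, threshold int, window time.Duration) []string {
	failures := map[string][]time.Time{}
	for _, e := range events {
		if e.Result == "FAIL" {
			failures[e.User] = append(failures[e.User], e.Time)
		}
	}
	var alerts []string
	for user, times := range failures {
		sort.Slice(times, func(i, j int) bool { return times[i].Before(times[j]) })
		for i := 0; i+threshold-1 < len(times); i++ {
			if times[i+threshold-1].Sub(times[i]) <= window {
				alerts = append(alerts, user)
				break
			}
		}
	}
	sort.Strings(alerts)
	return alerts
}

// UnknownLocationAlerts returns users who logged in successfully from a
// location outside the allow-list, each user reported once.
func UnknownLocationAlerts(events []LoginEvent, known map[string]bool) []string {
	seen := map[string]bool{}
	var alerts []string
	for _, e := range events {
		if e.Result == "OK" && !known[e.Location] && !seen[e.User] {
			seen[e.User] = true
			alerts = append(alerts, e.User)
		}
	}
	return alerts
}

// AccessTrail builds the credential-to-data record a manual audit needs:
// which user read which dataset, in log order.
func AccessTrail(events []LoginEvent) map[string][]string {
	trail := map[string][]string{}
	for _, e := range events {
		if e.Result == "OK" && e.Dataset != "-" {
			trail[e.User] = append(trail[e.User], e.Dataset)
		}
	}
	return trail
}

func main() {
	events, err := ParseLog(sampleLog)
	if err != nil {
		panic(err)
	}
	fmt.Println("repeated failures:", FailedLoginAlerts(events, 3, 5*time.Minute))
	fmt.Println("unrecognized locations:", UnknownLocationAlerts(events, map[string]bool{"US": true}))
	for user, sets := range AccessTrail(events) {
		fmt.Printf("%s accessed %v\n", user, sets)
	}
}
```

On the sample, bob trips the three-failures-in-five-minutes rule, carol is flagged for a login from a country outside the allow-list, and the trail shows alice reading payroll and then trade_secrets; bob, who never authenticated, has no trail entry. Tune the threshold and window to your own login patterns, and feed the allow-list from each user's history rather than a single global set.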
Key management systems
Another critical issue to consider before encrypting data is how the encryption keys will be managed: how they will be secured and backed up, how they will be rotated, and what is to be done if a key is compromised or corrupted. Key management is as much about protecting against data loss as it is about protecting encrypted data from thieves. If encryption keys are stolen, the data can be read by people who should not see it; if the keys are lost, the data is inaccessible to everyone, including its rightful owners. Therefore, storing keys apart from the data they decrypt (in a hardware security module or a key management service, not in the same database or file system as the ciphertext) and backing them up offsite are crucial components of any encryption strategy. A common pattern is to encrypt each record or file under its own data key and to encrypt those data keys under a master key that never leaves the key manager, so that a compromised master key can be replaced by re-wrapping the small data keys rather than re-encrypting all the data. Putting a key management tool in place before encrypting your data will help protect your business from data loss.
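The data segregation and key management points above fit together in one pattern, shown here as an added Go example that is not part of this article or of MegaCryption. Each record gets its own random data key (DEK); only the fields marked sensitive are encrypted with it (AES-256-GCM, with the field name authenticated so a ciphertext cannot be moved into a different field), while the rest are stored clear at no cost. The DEK is stored with the record wrapped under a key-encryption key (KEK) that is never kept beside the data. The record layout, the sample values and a KEK held in memory are assumptions for the example; in production the KEK would come from an HSM or key management service. RewrapDEK shows how a compromised KEK is replaced without touching the bulk ciphertext, and DecryptRecord with the wrong KEK shows the data-loss side: without the key, nothing comes back.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns base64(nonce || AES-GCM ciphertext); aad (the field name) is authenticated.
func seal(key, plaintext, aad []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(gcm.Seal(nonce, nonce, plaintext, aad)), nil
}

// open reverses seal; a wrong key, wrong aad or modified byte fails authentication.
func open(key []byte, sealed string, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	raw, err := base64.StdEncoding.DecodeString(sealed)
	ns := gcm.NonceSize()
	if err != nil || len(raw) < ns {
		return nil, fmt.Errorf("malformed ciphertext")
	}
	return gcm.Open(nil, raw[:ns], raw[ns:], aad)
}

// EncryptedRecord is what gets stored: clear fields as-is, sensitive fields as
// ciphertext under a per-record DEK, and the DEK wrapped by the KEK. The KEK is never stored here.
type EncryptedRecord struct {
	Fields     map[string]string
	Encrypted  map[string]bool // which fields are ciphertext
	WrappedDEK string
}

// EncryptRecord encrypts only the fields marked sensitive; the rest are copied unchanged.
func EncryptRecord(record map[string]string, sensitive map[string]bool, kek []byte) (*EncryptedRecord, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	out := &EncryptedRecord{Fields: map[string]string{}, Encrypted: map[string]bool{}}
	for name, v := range record {
		if !sensitive[name] {
			out.Fields[name] = v
			continue
		}
		ct, err := seal(dek, []byte(v), []byte(name))
		if err != nil {
			return nil, err
		}
		out.Fields[name], out.Encrypted[name] = ct, true
	}
	var err error
	out.WrappedDEK, err = seal(kek, dek, []byte("dek"))
	return out, err
}

// DecryptRecord unwraps the DEK with the KEK and restores the encrypted fields.
func DecryptRecord(enc *EncryptedRecord, kek []byte) (map[string]string, error) {
	dek, err := open(kek, enc.WrappedDEK, []byte("dek"))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key (wrong or lost KEK?): %w", err)
	}
	out := map[string]string{}
	for name, v := range enc.Fields {
		if !enc.Encrypted[name] {
			out[name] = v
			continue
		}
		pt, err := open(dek, v, []byte(name))
		if err != nil {
			return nil, fmt.Errorf("field %s: %w", name, err)
		}
		out[name] = string(pt)
	}
	return out, nil
}

// RewrapDEK replaces a compromised or rotated KEK; only the wrapped key changes.
func RewrapDEK(enc *EncryptedRecord, oldKEK, newKEK []byte) error {
	dek, err := open(oldKEK, enc.WrappedDEK, []byte("dek"))
	if err != nil {
		return err
	}
	enc.WrappedDEK, err = seal(newKEK, dek, []byte("dek"))
	return err
}

func main() {
	kek := make([]byte, 32) // assumption: in practice fetched from an HSM or KMS, stored apart from the data
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	rec := map[string]string{"id": "1001", "name": "A. Example", "ssn": "123-45-6789"} // constructed sample
	enc, err := EncryptRecord(rec, map[string]bool{"ssn": true}, kek)
	if err != nil {
		panic(err)
	}
	dec, err := DecryptRecord(enc, kek)
	fmt.Println("stored:", enc.Fields, "\nrestored:", dec, err)
}
```

The stored record keeps id and name readable for indexing and reporting while ssn is opaque, which is the field-level segregation the article recommends. Backing up the KEK offsite is what makes the wrapped DEKs, and therefore the data, recoverable; backing up the records alone is not enough.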
Access controls
Setting strong, compartmentalized access controls before encrypting data gives your organization better control over who can access encryption keys and decrypt data. Encrypted data is very secure, but if unauthorized personnel can log in to the accounts that hold the encryption keys, the data is not much more secure than if it had been left unencrypted. In practice that means least privilege for key access, separating the people who administer keys from the people who administer the data stores, and multi-factor authentication on any account that can use or export a key.
Once the other critical security issues of data segregation, breach notifications, key management, and access controls have been addressed, your organization will be ready to start encrypting its data. If you want to learn more about securing your on-site and cloud data, read more about the enterprise and mainframe encryption toolkit, MegaCryption. If you want to get started right away, request a free trial today.