Why data encryption is no substitute for comprehensive security
Takeaway: Jonathan Yarden asserts that data encryption can actually increase security risks if you apply it without considering how it will affect other IT functions. Find out why he stresses that data encryption is only one of the tools in a comprehensive Internet security setup.
In all my years in the computing industry, I have seen a number of technologies come, go, and resurface. Without a doubt, one of the most interesting is data encryption; yet, the general public still doesn't seem to have a firm grasp on it.
Part of the problem may be that many IT pros get their information about data encryption from security vendors. None of the vendors at the security seminars I have attended stress that data encryption is by no means a substitute for a comprehensive corporate security architecture. Sometimes encryption makes sense only when no other control is available; sometimes you don't need to use it at all. You probably won't hear this in any security vendor seminar because vendors want to sell products; I just want to educate you.
Know when to use data encryption
Data encryption is of little use unless you apply it to specifically mitigate a risk or to address a legal requirement. In fact, if you apply data encryption without consideration for how it will affect other IT functions, it can actually increase risks in other areas of the enterprise.
A striking example of the misuse of data encryption is when IT pros deploy encrypted file systems where this type of security is simply not needed. Windows and almost all major operating systems support encrypted file systems, but most corporations would be hard pressed to find a general use for them. Even so, many corporations adopt encrypted file systems because they believe this protects their information if a system is compromised. This is generally not true. File-system encryption protects data at rest, for instance on a stolen disk or laptop; on a running system, the operating system decrypts files transparently for whoever holds the user's session, so an attacker who compromises that system or account reads the files just as the legitimate user would. The real security issue is keeping the system from being compromised in the first place. An encrypted file system is not a reason to stop being vigilant about applying updates and patches. Also, backups of both the data and the encryption keys are a must because, if you lose the decryption keys, your data is lost.
There are specific cases where it makes sense to use data encryption. However, many IT pros decide to use data encryption because they assume this automatically means "improved" security. For example, a company that implements a VPN using IPsec isn't immune from a worm or virus if its virus scanner only inspects e-mail at the firewall border: traffic inside the tunnel is encrypted end to end, so the perimeter scanner sees only ciphertext, and malware riding through the VPN is never inspected. The encryption has, in effect, blinded an existing control. A solution is to enforce virus and worm scanning at the e-mail server, as well as at the network perimeter; this guarantees that internal e-mail messages are properly scanned for malicious content after they have been decrypted.
Reconsider using SSL to pass sensitive data online
Many IT pros incorrectly assume their data are secure if they submit information using SSL. These two points are true: SSL encryption makes it much more difficult (depending on the protocol version and cipher suite negotiated) to make use of data if it's intercepted; and SSL is a more secure data transmission method than clear text. However, once the data is received and decrypted on the other side of the SSL connection, you no longer have any real control over it. Likewise, if your Windows system is infected with a keylogging Trojan, typing your credit card number into an SSL session in a browser isn't going to prevent it from being stolen; the keystrokes are captured before they are ever encrypted.
The general belief that SSL provides security is precisely why many of the newer phishing scams that use SSL are tricking people into giving up personal information. SSL provides transmission security and nothing more: the padlock icon tells you the connection to a site is encrypted, not that the site is the one you think it is or that it will handle your data responsibly. The real question is: What happens to the data afterwards?
Encrypt e-mail attachments using archivers
Secure e-mail is another area where corporations need some education. Most corporations do not need the level of e-mail security provided by PGP or the public-key (S/MIME) encryption built into most e-mail clients.
When someone needs to send a Word document or Excel spreadsheet securely, I usually suggest they use the data encryption features of archivers such as WinZip or WinRAR, and send the encrypted archive as an attachment to a regular text e-mail. When the recipient gets the e-mail, they decrypt the archive using a previously established password. Two details matter here: use the archiver's AES mode rather than the legacy zip password scheme, and agree on the password over a separate channel such as the telephone, never in the same e-mail as the attachment. Remember, too, that an e-mail gateway cannot scan inside an encrypted archive, so the recipient's own virus scanner must inspect the contents once they are extracted. While this is far from perfect, it's generally secure enough to lower the risk to minimal levels.
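Whether an archive that arrives this way is really protected depends on which cipher the archiver used: the legacy zip password scheme ("ZipCrypto") is known to be weak, while WinZip's documented AES extension marks an entry with compression method 99 and stores the key size in a 0x9901 extra field. The following Python script is an added example, not code from this column or from any archiver vendor; it uses the standard library's zipfile module to read entry headers and classifies each entry as unencrypted, ZipCrypto, or AES. The sample archive is constructed inline from hand-built headers (the payload bytes are placeholders and are never decrypted), and the file names and helper function names are illustrative.

```python
import struct
import zipfile
import zlib
from io import BytesIO

# Format constants from the zip specification and the WinZip AES extension.
LOCAL_HEADER_SIG = 0x04034B50
CENTRAL_DIR_SIG = 0x02014B50
END_OF_CD_SIG = 0x06054B50
FLAG_ENCRYPTED = 0x0001
METHOD_WINZIP_AES = 99        # method 99 = AES; the real compression method sits in the extra field
AES_EXTRA_ID = 0x9901
AES_STRENGTH_BITS = {1: 128, 2: 192, 3: 256}


def entry_encryption(info: zipfile.ZipInfo) -> str:
    """Classify one entry as 'none', 'zipcrypto', 'aes-128/192/256' or 'unknown'."""
    if not info.flag_bits & FLAG_ENCRYPTED:
        return "none"
    if info.compress_type != METHOD_WINZIP_AES:
        # Encrypted, but not with method 99: the legacy PKWARE stream cipher.
        return "zipcrypto"
    extra = info.extra
    while len(extra) >= 4:                      # walk the extra-field chain
        tag, size = struct.unpack("<HH", extra[:4])
        body = extra[4:4 + size]
        if tag == AES_EXTRA_ID and size >= 7:
            # AE version (1 or 2), vendor id "AE", key strength code, real method
            _ae_version, vendor, strength, _real_method = struct.unpack("<H2sBH", body[:7])
            if vendor == b"AE" and strength in AES_STRENGTH_BITS:
                return f"aes-{AES_STRENGTH_BITS[strength]}"
            break
        extra = extra[4 + size:]
    return "unknown"


def audit_archive(data: bytes) -> dict:
    """Map every entry name in the archive to its encryption classification."""
    with zipfile.ZipFile(BytesIO(data)) as zf:
        return {info.filename: entry_encryption(info) for info in zf.infolist()}


def weakly_protected(data: bytes) -> list:
    """Names of entries that are not AES-encrypted, i.e. should be re-packed."""
    return sorted(n for n, s in audit_archive(data).items() if not s.startswith("aes-"))


def aes_extra(strength: int, real_method: int = 8) -> bytes:
    """Build a WinZip AE-2 extra field (fixture helper for the constructed sample)."""
    return struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", strength, real_method)


def build_archive(entries) -> bytes:
    """Assemble a minimal zip from (name, flags, method, extra, payload) tuples.
    Constructed fixture: payloads are placeholders, only the headers matter."""
    body = bytearray()
    central = bytearray()
    for name, flags, method, extra, payload in entries:
        offset = len(body)
        fname = name.encode("ascii")
        crc = zlib.crc32(payload)
        n = len(payload)
        # Local file header: version 2.0, DOS time 0, date 2005-01-01 (0x3221).
        body += struct.pack("<IHHHHHIIIHH", LOCAL_HEADER_SIG, 20, flags, method,
                            0, 0x3221, crc, n, n, len(fname), len(extra))
        body += fname + extra + payload
        central += struct.pack("<IHHHHHHIIIHHHHHII", CENTRAL_DIR_SIG, 20, 20, flags,
                               method, 0, 0x3221, crc, n, n, len(fname), len(extra),
                               0, 0, 0, 0, offset)
        central += fname + extra
    cd_offset = len(body)
    eocd = struct.pack("<IHHHHIIH", END_OF_CD_SIG, 0, 0, len(entries), len(entries),
                       len(central), cd_offset, 0)
    return bytes(body) + bytes(central) + eocd


# Constructed sample archive: one plain entry, one ZipCrypto entry, one AES-256 entry.
SAMPLE_ARCHIVE = build_archive([
    ("readme.txt", 0, 0, b"", b"not encrypted at all"),
    ("budget.xlsx", FLAG_ENCRYPTED, 8, b"", b"\x00" * 16),
    ("contract.docx", FLAG_ENCRYPTED, METHOD_WINZIP_AES, aes_extra(3), b"\x00" * 16),
])

if __name__ == "__main__":
    for name, status in audit_archive(SAMPLE_ARCHIVE).items():
        print(f"{name:15} {status}")
    print("needs re-packing with AES:", weakly_protected(SAMPLE_ARCHIVE))
```

Run against a real attachment by replacing SAMPLE_ARCHIVE with the file's bytes; an entry reported as "zipcrypto" should be treated as effectively unencrypted, and the sender asked to re-create the archive with the archiver's AES option. The script only reads headers, so it works on archives you cannot or should not open.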
Summary
I must stress that data encryption is only one of the tools in a comprehensive Internet security setup. Regardless of the sales pitches, remember that the lowest common denominator in Internet security is people, not technology.
Jonathan Yarden is the senior UNIX system administrator, network security manager, and senior software architect for a regional ISP.