Many IT and BI professionals are not satisfied with interoperability and the efforts of storage vendors and providers. Vendors have made it clear that they are interested in encryption standards rather than cost and integration challenges. The expansion of encryption is good, but it is not the only or definitive solution. A critical application, at one point or another, will need access to encrypted data. If an attacker can see unencrypted data in one app, chances are everyone else can too. In an enterprise-wide architecture, as distinct from a single personal node, unauthorized access is unacceptable and protection is very necessary.

A renowned news and information outlet surveyed information technology and business intelligence professionals. 28% of respondents said they want to expand the use of encryption well beyond the minimum standards.

Creating public interoperability standards would give open source communities a level playing field. Compared to commercial product technologies, “open source” (free exchange of technological information; describes practices in production and development that promote access to the source materials of final products; the Internet; communication pathways and interactive communities) is not known for having the best manageability capabilities. Competition has proven to keep everyone on their toes. According to the resulting survey analysis and conversations with CISOs (chief information security officers), the emphasis on encryption and compliance is not applied correctly and/or to its full extent. Organizations that use the best applications encrypt or plan… along with various firewall protection software applications. With the inclusion of VPNs (virtual private networks), email, file and data systems, a breach can be devastating. These practices do not really solve the problem of protection, although a risk reduction is obvious.

A Chief Information Security Officer (CISO) is the top-level executive within an organization. The CISO directs staff in identifying, developing, implementing, and maintaining processes throughout the organization to reduce information and information technology (IT) risks, respond to incidents, establish appropriate standards and controls, and direct the establishment and implementation of policies and procedures. Typically, the CISO’s influence reaches throughout the organization. Michael A. Davis reports high-level statistics on the use of encryption by 86% of 499 business technology professionals, who say they feel fairly secure. His data is based on a survey for the State of Crypto analysis from InformationWeek magazine. Davis also states that 14% of respondents say encryption is pervasive in their organization(s). Apart from the challenges and cost of integration, a lack of leadership is the reason for the dismal state of crypto affairs. “38% encrypt data on mobile devices, while 31% characterize their use as sufficient to meet regulatory requirements.” The enforcement focus on encryption saves companies from having to notify customers of a breach in the security of their devices. The Davis report goes on to assert that “entrenched resistance” is not a new phenomenon. A 2007 Ponemon Institute survey found that 16% of US companies embed encryption throughout the enterprise, beginning with tape backup. “Doing the bare minimum is not safety,” Davis was quoted as saying. “IT and BI professionals face stiff resistance when trying to do more for technology users.”

Many company IT and BI staff are working to increase the use of encryption. Quick and easy access to data interests users more than security does. Even with the use of flash drives, laptops, and other portable media, encryption never crosses the minds of users, from the CEO to the front line.

Interoperability (a property that refers to the ability of various systems and organizations to work together, to interoperate, to work with other products or systems, present or future, without access or implementation restrictions) would make encryption management less costly and easier to use. Statements from IT and BI professionals support the use of encryption for files and folders (something Microsoft is currently working on), which makes performance and usability easier, while reducing cost is the key to better manageability. Many professionals continue to want more regulation. A breach would require a notification to the client… this action would allow interaction between finance and management, drawing more attention to regulatory intervention. “A company-wide initiative as complex as encryption primarily to comply with regulations will generally result in a poorly planned project and will likely end up costing more than a planned understanding program,” according to the Davis report.

Tokenization (the process of breaking a text stream into meaningful elements called tokens) uses a service in which a system is accessed to obtain sensitive information, i.e. a credit card number. The system receives a “unique token identification number”. An example of this is a 64-digit number that is used in applications every time the system calls the credit card number. The action also includes numbers of databases. This change was implemented in 2007. If the data were compromised (attacked or hacked) in any way, the attacker would have no way to revert the 64-digit numbers to the card… making a read verification virtually impossible. Several systems are designed to destroy the key (number) in an emergency. The action makes it impossible to recover data stored on the system… inaccessible to everyone. This is the chief information officer’s nightmare. Many companies are interested in unique, specialized, and standardized encryption products. The product operates on a “single encryption platform”, while a single or central application will manage multiple forms of encryption code keys. This platform promises to increase efficiency and reduce costs while providing security in a given system. Consolidation in the crypto industry is an ongoing development. It is an environment created where crypto providers sell multiple products as “unified platforms.”
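
The token flow and emergency key destruction described above, as an added example that is not from the original article: a hypothetical in-memory `TokenVault` issues random 64-digit tokens and protects each stored card number with a per-record one-time pad, which stands in for a real cipher and key store. The class, its method names and any card numbers passed to it are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class TokenVault:
    """In-memory stand-in for a tokenization service (hypothetical, for illustration)."""

    TOKEN_DIGITS = 64  # token length taken from the article's example

    def __init__(self):
        self._index_key = secrets.token_bytes(32)  # keys the card -> token lookup
        self._index = {}    # HMAC(card number) -> token, so a card reuses its token
        self._records = {}  # token -> encrypted card number (data store)
        self._pads = {}     # token -> one-time pad (key store)

    def tokenize(self, card_number):
        """Return the token for a card number, issuing a new one if needed."""
        if self._index_key is None:
            raise RuntimeError("keys destroyed")
        data = card_number.encode()
        tag = hmac.new(self._index_key, data, hashlib.sha256).digest()
        if tag in self._index:
            return self._index[tag]
        # Random digits: the token carries no information about the card number.
        token = "".join(secrets.choice("0123456789") for _ in range(self.TOKEN_DIGITS))
        pad = secrets.token_bytes(len(data))  # fresh pad, used for this record only
        self._records[token] = bytes(a ^ b for a, b in zip(data, pad))
        self._pads[token] = pad
        self._index[tag] = token
        return token

    def detokenize(self, token):
        """Recover the card number; only possible while the pad still exists."""
        if token not in self._pads:
            raise LookupError("unknown token or keys destroyed")
        pad, blob = self._pads[token], self._records[token]
        return bytes(a ^ b for a, b in zip(blob, pad)).decode()

    def destroy_keys(self):
        """Emergency shred: drop all key material; stored records stay but are unreadable."""
        self._pads.clear()
        self._index.clear()
        self._index_key = None
```

Clearing Python dictionaries does not scrub memory; a production system would hold the keys in an HSM or key management service and delete them there.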

Another security issue is that encryption providers experience difficulties managing third-party code keys. They seem to bump into each other in competition, maneuvering from last to first in line. Vendors experience difficulties getting their separate standards on the same page. They continually fight over the details of operation and compliance and whether “free and low cost products will drive them out” and take over the industry.

A central directory of code keys is easy to manage. Updating and reporting is an essential and vital task for all IT and BI professionals. Microsoft’s Active Directory (AD) might well be the leading encryption peddler on the block. Microsoft AD installed base systems can be managed through Group Policy Objects that are embedded in operating system (OS) programs and applications. AD is the most used directory by business and PC users, and many IT and BI engineers already know how to use and work with it. All of Microsoft’s major encryption products offer centralized management through AD, as do its enterprise encryption technologies. What is cheaper than free?

Windows offers powerful and portable disk encryption… email, folder, file and database encryption is available for free. Who can beat that price?

Users are not prevented from emailing unencrypted versions of folders and files, or from transferring data to a portable device connected to the USB (Universal Serial Bus) port… it only works if the entity on the other end is using the same or similar email application, which many companies do not comply with (no one seems to be following the protocol for data encryption policy). Interoperability within encryption and key management can be used depending on the type of data storage and implementation, while we wait for standardization to shake its mane fully loaded and unencumbered. Data exploitation, hackers and other attackers, i.e. malware, spyware, pop-ups, etc., would have nothing but the annoyance and deprivation they cause others. Using encryption interop… may not stop intruders, but it will surely make intrusion difficult, if not impossible.

Businesses, organizations, and personal users need to, and should, take a risk management approach… implement encryption.

Until next time…
