Encrypting Data
It is difficult to generalize what data should be encrypted. Much depends upon which rules govern business conduct. "Unfortunately for corporations, it is a maze of regulations and legislation, depending on where you do business and what business you are in. It would not surprise me if on a global level we get to a place where we say: Are you in business? Do you have customers? Employees? Then you need to be encrypting your data," says Dasher.
Defining a policy, therefore, depends heavily on the type of business. Elgamal believes that among the most important questions an organization should answer is what content matters. "For example: what could an officer in the company get in trouble for? A lot of times people wait until a problem happens and then they try to fix the security," observes Elgamal. "I think the better route is to look at similar companies, in similar vertical industries, and see what people have gotten into trouble for. This can help organizations decide how certain kinds of content should be handled." He also thinks that the policy should be tiered. "If it is data that is extremely critical, you want something that will come back to the user that says, 'you cannot do that from your email client'. Under other circumstances, you may want the server to know to encrypt it, and continue to send."
Kennedy agrees with the multilayer approach. "Companies should provide explicit controls to their users to allow them to specify messages to be encrypted. Behind that, it's important that organizations implement gateway policies that automatically detect and encrypt sensitive information. Our typical recommendation is to start with simple policies, the low-hanging fruit, and then refine over time as business needs dictate." IronPort customers often opt to look for things like social security numbers (SSNs), credit card or other account numbers, and tags that are included in highly confidential documents. Customers in a regulated industry will typically also have a specific policy turned on (e.g. for healthcare: a HIPAA policy that looks for HIPAA-relevant medical terms in combination with a personally identifiable marker such as an SSN). "Over time," says Kennedy, "that policy can be refined as necessary to evolve with the business needs and either get more or less aggressive."
Getting the policy right has been made easier by vendors such as Vontu (recently purchased by Symantec Corporation) that offer pre-set categories of packaged, already-thought-out policies. "It is a great pairing," says Dasher. "Vontu is evaluating the message to see if it needs encryption and, if it does, then it hands it over to our PGP systems to encrypt and then send along."
Making the technology do the work is clearly seen as desirable. "In a perfect world, you want the machines themselves to understand that the content contains sensitive information. Therefore, it has to be encrypted by policy that either informs the user that the data needs to be encrypted before it goes out or it encrypts the data at the server by itself. It can be done either way. Server to server encryption protects against the public network issue or we can encrypt between a user and a server or between a user and a user. All of these are possible, but the policy must set the level of sensitivity of the content and what the enterprise needs to do about it. A complete email encryption system needs to support all of these."
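The tiered gateway policy sketched by Elgamal and Kennedy (explicit user controls, automatic detection of SSNs, card numbers and confidentiality tags, a HIPAA-style rule that combines a medical term with a personal identifier, and a block tier that returns the message to the user) can be demonstrated as a small policy evaluator. The following is an added example, not code from IronPort, PGP Corporation or Vontu; the regular expressions, the term and tag lists, the `[encrypt]` subject flag and the sample messages are all assumptions constructed for illustration.

```python
import re

# Detectors for the content classes the article names: SSNs, payment card
# numbers, confidentiality tags in documents and medical terms. The patterns,
# term lists and tags are illustrative assumptions, not any vendor's policy
# content.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
MEDICAL_TERMS = ("patient", "diagnosis", "prescription", "icd-10")
CONFIDENTIAL_TAGS = ("[CONFIDENTIAL]", "INTERNAL ONLY")
USER_ENCRYPT_FLAG = "[encrypt]"   # hypothetical subject-line control for users

ACTION_RANK = {"send": 0, "encrypt": 1, "block": 2}

# Tiered policies: (name, condition over the findings, action). "block" is the
# "you cannot do that from your email client" tier, "encrypt" is the
# server-side tier, "send" is the default when nothing matches.
POLICIES = [
    ("hipaa_phi", lambda f: "ssn" in f and "medical_term" in f, "block"),
    ("ssn", lambda f: "ssn" in f, "encrypt"),
    ("payment_card", lambda f: "card" in f, "encrypt"),
    ("confidential_tag", lambda f: "tag" in f, "encrypt"),
    ("user_requested", lambda f: "user_flag" in f, "encrypt"),
]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters random digit runs out of card candidates."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return 13-19 digit runs (spaces/hyphens allowed) that pass Luhn."""
    cards = []
    for m in CARD_CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            cards.append(digits)
    return cards


def classify(subject: str, body: str) -> set:
    """Run every detector over subject and body; return the set of findings."""
    text = subject + "\n" + body
    lowered = text.lower()
    findings = set()
    if SSN_RE.search(text):
        findings.add("ssn")
    if find_card_numbers(text):
        findings.add("card")
    if any(term in lowered for term in MEDICAL_TERMS):
        findings.add("medical_term")
    if any(tag in text for tag in CONFIDENTIAL_TAGS):
        findings.add("tag")
    if subject.lower().startswith(USER_ENCRYPT_FLAG):
        findings.add("user_flag")
    return findings


def evaluate(subject: str, body: str) -> dict:
    """Apply every policy; the most severe matching action wins."""
    findings = classify(subject, body)
    action, matched = "send", []
    for name, condition, policy_action in POLICIES:
        if condition(findings):
            matched.append(name)
            if ACTION_RANK[policy_action] > ACTION_RANK[action]:
                action = policy_action
    return {"action": action, "policies": matched, "findings": sorted(findings)}


# Constructed sample messages (subject, body); not real data.
SAMPLE_MESSAGES = [
    ("Lunch", "Meet at noon?"),
    ("[encrypt] Q3 numbers", "See attached spreadsheet."),
    ("Refund", "Card 4111 1111 1111 1111 was charged twice."),
    ("Patient follow-up", "Patient SSN 123-45-6789, diagnosis: hypertension."),
    ("Draft", "[CONFIDENTIAL] merger memo, do not forward."),
    ("Ticket", "Order 4111 1111 1111 1112 shipped."),   # fails Luhn: not a card
]


def run_samples() -> list:
    """Decisions for the sample messages, in order."""
    return [evaluate(s, b)["action"] for s, b in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for subject, body in SAMPLE_MESSAGES:
        print(f"{subject!r}: {evaluate(subject, body)}")
```

The Luhn check is what keeps the "low-hanging fruit" rule from firing on every 16-digit order number, and the severity ordering is what makes the tiers compose: a message that matches both the SSN rule and the HIPAA rule is blocked rather than silently encrypted. Refining the policy "more or less aggressively" over time amounts to editing the term lists and the action assigned to each rule.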
Data Loss Prevention and Encryption