Encrypting Data
More than a decade ago, two researchers from Carnegie Mellon University published a study called Why Johnny Can’t Encrypt. In this study it was “discovered” that the average, educated, email-proficient user did not know how to use encryption technology. A follow-on study several years ago, entitled Why Johnny Still Can’t Encrypt, found little improvement. If a similar study were to happen today, a different conclusion might be drawn.
“Historically the encryption challenge was one of deployment and for a time performance,” concedes John Dasher, director of product management for PGP. “In the last few years, however, we have reached the point that if it was wanted, you could encrypt everything because it no longer is a burden. It is transparent to the end-user.” Dasher thinks that in the long term encryption might end up the rule rather than the exception. “Today people focus on sound policy on what needs to be encrypted to satisfy everything from their own internal IT policy to compliance and regulation. But eventually, we will absolutely be encrypting the majority of data.”
Dasher is not alone in his predictions. Luther Martin, security architect for Voltage Security and author of Introduction to Identity-Based Encryption, notes, “In the past, the big obstacle was that encryption was hard and expensive, but this is no longer true. Our Identity-Based Encryption (IBE) in particular is very easy to use.” Martin goes on to give the example of Voltage Security Network (VSN), a hosted security-software-as-a-service offering that enables users to communicate securely while storing secure emails in their own inbox, and to communicate with anyone without the need for recipient-side software. “We are at a point now with encryption that it just works. Users can simply hit send secure. It’s like magic now. If you go back in time three or four years, it was very complicated.” The VSN service has been very successful for Voltage. Announced earlier this year, the service attracted 35,000 users in its first six months, according to the company.
While significant improvements in usability have been made, Taher Elgamal, chief technology officer for Tumbleweed, emphasizes that encryption does not necessarily mean your need for security has been fully satisfied. “Encryption is not a silver bullet. Encryption basically shifts the problem from the data to the encryption key. So that rather than having to protect the whole message, you only have to protect a smaller key. If you forget to protect the smaller key, then you have not really done anything. The improvement is a lot of the systems commercially available today handle the key appropriately, so that people cannot accidentally leak the key.”
Overall, encryption technology vendors today are excited by the improvements being made. “We’ve seen the market transition from the complexity and limited reach of public key-based to new approaches, which greatly simplify the user experience,” says Kevin Kennedy, product manager for IronPort Systems. “We’re now in the midst of another technology transition—more subtle, but just as important—from Web-based pull to clientless push. This is critical because it eliminates sender requirements to manage complex Webmail infrastructures and allows a re-integration with recipient workflow rather than returning to a server to view messages.”
Kennedy also believes, in terms of overall usability, the technology is in a much better place now than five years ago. “We can now send a message to anyone, knowing nothing about their endpoint, and be confident that they can open and view that message on their system with a few clicks and without installing anything. Additionally, integrated product offerings and hosted key management services like the Cisco Registered Envelope Service have cut the time and cost for deployment and eliminated the need for complicated onsite key servers. That’s a remarkable accomplishment!” exclaims Kennedy.
“Key management has historically been the hardest part about encryption,” acknowledges Dasher. He notes an example of a company that has purchased a security system, and everything works well, until they need to communicate with a business partner, but they cannot open the secure messages. “What PGP has done is to make that transparent. There are a number of ways to address that scenario: the partner can have their own copy of PGP solution, or they can use our Web Messenger, which allows them to get a message via the Web, so that they do not have to install anything on their machine.” In late November, PGP announced Secure Delivery, PDF Messenger, which securely delivers encrypted PDFs that can be opened using a standard PDF reader such as Adobe Acrobat Reader. “There is a range of options to account for the inevitable case where you want to securely communicate with someone that does not have your security infrastructure. People want to securely communicate without having to install something,” states Dasher.
Encryption Drivers
These usability advances come just in time, as compliance and other drivers are requiring the technology to help organizations meet ever-increasing regulations. Gartner’s 2007 Magic Quadrant for E-Mail Encryption notes that, similar to previous years, most organizations “embarking on larger-scale email encryption projects continue to consist primarily of governments, military contractors, financial companies and healthcare-related companies.” The authors note that the majority of the remaining users are coming from specific functional groups, such as HR or finance, or are groups that need confidential communications with third parties, such as clients or partners. “The big driver today is still compliance,” agrees Martin. “If you were to use Google’s utility tool that reveals Google Search results and checked for encryption, you would find that there were few hits until about a year ago and then it took off. There is a huge interest in it.”
As compliance needs grow, so do the business opportunities for encryption vendors and beyond. “IronPort and PostX began working together to deliver encryption solutions in targeted verticals. After IronPort acquired PostX, we launched email encryption and Data Loss Prevention (DLP) capabilities as integrated features on the IronPort Email Security appliance and have seen incredibly strong, cross-vertical adoption of this product,” notes Kennedy. So while Gartner notes the usual list of encryption users in this year’s report, it will be interesting to see if that list expands next year. “There’s a growing market awareness for the need to protect sensitive information in email with the combination of DLP and email encryption. Now that getting encryption is as easy as checking a box to enable the feature and going through a single configuration screen—and the pricing is attractive—we’re seeing an upswell of interest well beyond the verticals that have historically been the encryption strongholds.”
The need for mobile encryption is growing too. “Mobile devices have really changed the landscape and continue to,” observes Dasher. “The Ponemon Institute recently interviewed companies that had security breaches and this year 49 percent of companies that had breaches, had a mobile device involved in that breach. This is up from 37 percent last year.” It makes sense, as mobile devices have become not only popular, but also important business tools. “People are carrying around more and more data, on smaller and more powerful devices and we expect to see that continue.” PGP has offered a BlackBerry solution for a number of years as RIM has been the de facto enterprise mobile platform, but Dasher notes that recently PGP is receiving more and more requests for Microsoft Windows Mobile in the enterprise.
Driven by the impact of data breach penalties and awareness, DLP is a popular topic. Brian Burke, a research analyst from IDC comments: “In today’s enterprise, employees, even with the best intentions, often inadvertently leak sensitive information via email such as customer or employee information, regulated content, or intellectual property. Organizations should invest in technologies that enforce corporate policies, stop data leaks and provide secure delivery of sensitive messages.”
According to Elgamal, the industry numbers suggest that 80 percent of data leakage is unintentional. “There have been examples of where the data breach was intentional. Nothing can prevent everything 100 percent, but the thing that goes hand-in-hand with encryption is understanding what is it that we are trying to encrypt.” To do this, Tumbleweed, like other vendors, recommends tying corporate policy to encryption practices. Tumbleweed’s MailGate capabilities extend data leak and content filtering functionality to enforce multiple policy actions on messages containing sensitive information, based on user context, corporate rules and delivery methods such as encryption. “This functionality goes beyond the limited reporting capabilities of other content filtering vendors, yet at a fraction of the complexity and cost. Through innovation of the user interface, the new MailGate automatically filters certain confidential information, including specific credit card, social security, and CUSIP (banking/trading) numbers with a simple checkbox, making the enforcement of policies surrounding this data a best practice,” notes Elgamal.
Encrypting Data
It is difficult to generalize what data should be encrypted. Much depends upon which rules govern business conduct. “Unfortunately for corporations, it is a maze of regulations and legislation, depending on where you do business and what business you are in. It would not surprise me if on a global level we get to a place where we say: Are you in business? Do you have customers? Employees? Then you need to be encrypting your data,” says Dasher.
Defining a policy, therefore, is highly specific to the type of business. Elgamal believes that among the most important questions an organization should answer is what content matters. “For an example: what could an officer in the company get in trouble for? A lot of times people wait until a problem happens and then they try to fix the security,” observes Elgamal. “I think the better route is to look at similar companies, in similar vertical industries, and see what people have gotten into trouble for. This can help organizations decide how certain kinds of content should be handled.” He also thinks that the policy should be tiered. “If it is data that is extremely critical, you want something that will come back to the user that says, ‘you cannot do that from your email client’. Under other circumstances, you may want the server to know to encrypt it, and continue to send.”
Kennedy agrees with the multi-layer approach. “Companies should provide explicit controls to their users to allow them to specify messages to be encrypted. Behind that, it’s important that organizations implement gateway policies that automatically detect and encrypt sensitive information. Our typical recommendation is to start with simple policies—the low-hanging fruit—and then refine over time as business needs dictate.” Often IronPort customers opt to look for things like social security numbers (SSN), credit card or other account numbers, and tags that are included in highly confidential documents. If in a regulated industry, there will typically be some specific policy turned on (e.g. for healthcare: a HIPAA policy looking to match HIPAA-relevant medical terms in combination with a personally identifiable marker like SSN). “Over time,” says Kennedy “that policy can be refined as necessary to evolve with the business needs and either get more or less aggressive.”
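The tiered gateway policy that Elgamal and Kennedy describe above, as an added worked example written for this page (it is not a product's own policy engine): the scanner looks for Luhn-valid payment card numbers and formatted SSNs in an outbound message, applies a health-record rule that only fires when medical terms appear together with a personal identifier, honors a sender's explicit request for encryption, and returns PASS, ENCRYPT or BLOCK, with the top tier reserved for restricted documents and bulk exports. The subject tags, the medical vocabulary, the bulk threshold and the sample messages are all constructed assumptions.

```python
"""Tiered outbound-mail policy scan: detect identifiers, then decide PASS / ENCRYPT / BLOCK."""
import re
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    PASS = "pass"        # deliver in the clear
    ENCRYPT = "encrypt"  # gateway encrypts, then continues delivery
    BLOCK = "block"      # refuse delivery and return a policy notice to the sender


@dataclass
class Message:
    sender: str
    recipient: str
    subject: str
    body: str


@dataclass
class Verdict:
    action: Action
    reasons: list = field(default_factory=list)


# Formatted US SSN; rejects area 000/666/9xx, group 00 and serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13 to 16 digits with optional single spaces or dashes between them.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")
# Assumed vocabulary standing in for a vendor's medical-term dictionary.
MEDICAL_TERMS = ("diagnosis", "prescription", "patient", "treatment")
BULK_THRESHOLD = 10              # assumed: this many identifiers looks like a data export
USER_ENCRYPT_TAG = "[secure]"    # assumed subject tag a sender adds to request encryption
RESTRICTED_TAG = "[restricted]"  # assumed tag placed in highly confidential documents


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out order numbers and other random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_cards(text: str) -> list:
    """Digit runs that look like card numbers and pass the Luhn check."""
    return [m.group() for m in CARD_RE.finditer(text)
            if luhn_ok(re.sub(r"[ -]", "", m.group()))]


def find_ssns(text: str) -> list:
    return SSN_RE.findall(text)


def classify(msg: Message) -> Verdict:
    text = f"{msg.subject}\n{msg.body}"
    lower = text.lower()
    cards, ssns = find_cards(text), find_ssns(text)
    medical = [t for t in MEDICAL_TERMS if t in lower]
    identifiers = len(cards) + len(ssns)

    # Top tier: refuse delivery and tell the sender why.
    if RESTRICTED_TAG in lower:
        return Verdict(Action.BLOCK, ["restricted-document tag present"])
    if identifiers >= BULK_THRESHOLD:
        return Verdict(Action.BLOCK, [f"{identifiers} identifiers in one message (bulk export)"])

    # Middle tier: encrypt at the gateway and continue delivery.
    reasons = []
    if USER_ENCRYPT_TAG in lower:
        reasons.append("sender requested encryption")
    if cards:
        reasons.append(f"{len(cards)} Luhn-valid card number(s)")
    if ssns:
        reasons.append(f"{len(ssns)} SSN(s)")
    if medical and (cards or ssns):
        reasons.append("health-record rule: medical terms with a personal identifier")
    return Verdict(Action.ENCRYPT if reasons else Action.PASS, reasons)


# Constructed sample messages (not real data).
SAMPLES = {
    "invoice": Message("ap@example.com", "vendor@example.net", "Invoice 4111111111111112",
                       "Order 4111 1111 1111 1112 shipped."),          # fails Luhn
    "card": Message("sales@example.com", "client@example.net", "Payment",
                    "Charge card 4111 1111 1111 1111 for the order."),  # valid card
    "medical_only": Message("hr@example.com", "all@example.com", "Policy",
                            "Prescription refill policy update attached."),
    "health": Message("clinic@example.com", "insurer@example.net", "Claim",
                      "Patient 123-45-6789: diagnosis attached."),
    "dump": Message("hr@example.com", "me@example.org", "Employee roster",
                    "\n".join(f"123-45-{6000 + i:04d}" for i in range(10))),
    "restricted": Message("cfo@example.com", "x@example.net", "[RESTRICTED] Q3 plan",
                          "See attached."),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        v = classify(msg)
        print(f"{name:13s} -> {v.action.value:8s} {'; '.join(v.reasons)}")
```

The Luhn check is what keeps the invoice sample out of the encrypted tier: a 16-digit order number fails the checksum and is not counted, which is the main source of false positives in a naive regex-only rule. The health-record rule is deliberately a combination rule, so a memo that merely mentions prescriptions passes unchanged.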
Getting the policy right has been made easier by vendors, such as Vontu—recently purchased by Symantec Corporation—that offer preset categories of packaged, already thought-out policies. “It is a great pairing,” says Dasher. “Vontu is evaluating the message to see if it needs encryption and if it does, then it hands it over to our PGP systems to encrypt and then send along.”
Making the technology do the work is clearly seen as desirable. “In a perfect world, you want the machines themselves to understand that the content contains sensitive information. Therefore, it has to be encrypted by policy that either informs the user that the data needs to be encrypted before it goes out or it encrypts the data at the server by itself. It can be done either way. Server to server encryption protects against the public network issue or we can encrypt between a user and a server or between a user and a user. All of these are possible, but the policy must set the level of sensitivity of the content and what the enterprise needs to do about it. A complete email encryption system needs to support all of these.”
Encryption ROI
Investing in encryption is a necessity for certain verticals, but tangible return on investment (ROI) can be difficult to determine. So how can you tell if your efforts are paying off? “Applying typical risk management methodologies to security often fails,” believes Martin. “In the risk management model you define a risk to be a probability of an event multiplied by the loss you get if that event happens. In security, you really do not know the chance of the loss. It is very hard to get anywhere close to an accurate estimate. If you get hacked—what is the loss that comes with that? If you apply the classic risk management model to security it often produces puzzling results.” In support of his point, Martin cites David Soo Hoo, a Stanford University Ph.D. who analyzed the ROI for various security technologies with some surprising results. “Soo Hoo’s study reveals that organizations should not run a firewall, but that you should encrypt—because your data is everything and encryption is an easy way to protect it. Nobody is going to say: ‘yes, let’s tear out our firewall because this analysis says we should’. You are really managing uncertainty with security more than risk.”
Because financial services, healthcare and government are so heavily regulated, encryption becomes a cost of doing business, but what of other industries? “Others will only resort to encryption if something in particular has happened,” says Elgamal. “Another set are companies that share intellectual property between them and other entities, perhaps overseas for example, and they need to exchange information. The ROI on something like that is fairly simple, if the intellectual property leaks out you potentially have lost hundreds of millions. There have been a lot of examples of that. However, the reality is that most people wait until something happens first.”
The cost-benefit of encryption can be found in reducing risk. “Usually the ROI is based on the costs of the potential exposure,” states Kennedy. He says the numbers quickly add up when considering fines and penalties associated with the myriad of different state and federal regulations, the brand damage costs associated with embarrassing incidents being reported, the real costs of corporate espionage risks, and the exposure to lawsuits from employees and customers for mishandling of sensitive communications. “Exposure is simply unknown and limitless, as email continues to become the lifeline of businesses today. Avoiding this exposure means either reverting to FAX and express postal delivery or implementing email encryption. Most businesses understand the benefits of email, so email encryption is the enabling path to accelerating business while limiting exposure.”
Dasher acknowledges that trying to determine encryption ROI has been tricky, but notes that it is getting easier to quantify the cost of a breach. “Buying, deploying and maintaining a sound security platform is far cheaper than dealing with a breach. It is not even a contest. Another interesting outcome from this year’s Ponemon study is they are now able to see quantifiable customer turnover due to a breach. It is no longer about just the IT guy, or the security guys saying we have to do this for compliance. Now it is the VP of marketing or CMO saying: ‘I may not understand this stuff, but the last thing I want to spend precious marketing dollars on is brand damage’.” Indeed, the recent Ponemon Institute study reports that “increased customer churn rates help drive lost business costs higher. In 2007, the average resulting abnormal customer churn rate was 2.67 percent, an increase from 2.01 percent in 2006. Greater customer turnover leads to lower revenues and a higher cost of new customer acquisition resulting from increased marketing to recover lost customer business.” The survey went on to reveal that “trust may be intangible and hard to quantify, but the result of breaking that trust is clear as the cost of lost business grew more than 30 percent since 2006.”
Moving Forward
Given the progress in encryption technology and the growing understanding of the return on investment for encryption, what will the coming years bring? “I think we will see more messages encrypted. You will see the penetration of hard disk encryption go up. You will see other things encrypted too, like credit card numbers within a database,” believes Martin.
Dasher likewise sees encryption expanding into other areas. “In the near term, from a trends perspective, if we are honest with ourselves we would say 2007 was the year of laptop encryption realization. Now that most companies have realized that if you have laptops or mobile devices they need to be encrypted, I think in 2008 two other realizations will set in. One: now that we did our laptops, what about all these thumb drives and portable storage devices? These are even more at risk than the laptops because they are smaller, cheaper and easier to lose. Two: related to that, we will also see recognition that it is not enough to protect the device; more and more analysts are pointing out that the data itself needs to be protected, not just the device, because it is hard to know where the data will end up. Soon organizations will embrace this whole concept of enterprise data protection and recognize that it is really a framework that spans both departmental boundaries as well as data/device boundaries.”
Even though encryption has been around for a long time, it has clearly reached a new generation, one that should be part of a layered approach to security. Kennedy notes that: “We’re seeing consolidation, as vendors integrate DLP and encryption capabilities as part of a comprehensive email security solution. This step for the first time makes it practical for email administrators to roll this out across the entire organization.”
All agree that encryption should be part of a larger security strategy. Elgamal reminds readers that “encryption does not prevent people from reading things; if the recipient has the key to decrypt, it does not matter whether it was encrypted or not. It is important for people to understand what problems encryption actually solves and what else they need to do around it so that the system is complete.”
Dasher advises companies that have previously avoided encryption to take another look. “I think sometimes people say, we have not had a break-in, therefore we do not have any problems. But if you have someone making decisions about security, you do have problems. That is the beauty of having a product like the PGP encryption platform. It can take that policy that you so carefully developed and uniformly apply it. Rather than publishing a nice memo to your employee base that says, ‘here are our policies, you must follow them’. As soon as you rely on human beings to enforce your policy by definition, while well intentioned, they are not necessarily consistent. Don’t wait for a magical security policy, get started.”