How long will it be safe?
Even with all the new encryption technology, vulnerabilities still exist. Encryption keys once thought to be safe, like MD5, SHA-1 and SHA-256, were eventually cracked. How long will the current 3DES or AES 256-bit encryption keys last?
"With any encryption algorithm, at some point there will be enough number-crunching capacity to work through it," says Curtis Preston, vice president of data protection at GlassHouse Technologies.
Using the fastest computers on the planet, how long would it take to crunch these numbers and come up with the code? "With 40-bit encryption, the answer is a couple of weeks," Preston says. Some people believe that 256-bit keys like 3DES will become obsolete within five to 10 years. "But right now, it's fine," he says. "AES 256 goes an order of magnitude beyond that.
"As long as you're using something at or beyond 256-bit encryption," Preston adds, "you're fine."
Have a key-recovery plan
While encryption products can improve security, they also introduce additional management tasks, especially for companies using multiple encryption products. Always include a strong key-management approach, including quorum-based recovery.
"Encryption products that don't provide a means of recovering keys are asking for trouble, particularly in a disaster recovery scenario where files may be lost or disorganized," Forrester analyst Galen Schreck wrote in a January report. "Quorum-based recovery allows a certain number of parties ... to present their credentials and recover encryption keys."
Also, tape libraries shouldn't have to maintain the mapping of encryption keys to tape volumes. It adds another point of management and complicates long-term key escrow.
It's also important to automatically replicate keys to an escrow service or tape library at a disaster recovery site for fast data recovery in the event that the originals are lost, Schreck says.
And don't forget the human aspects of key management, says Eric Ouellet, an analyst at Gartner. "You may actually have controls that already exist that you can leverage, like better authentication or better separation of duties, or better access control" with databases or applications, he adds. "If you focus on those areas, then you don't necessarily need to deploy encryption everywhere."
Employee access and separation of duties should be a top priority. "Maybe the encryption technologies work fine, but does someone have access to a file that they shouldn't have access to? Or do they have a key to get access to that data? If so, you've just compromised your system," Ouellet says. What's more, systems administrators should not be system users, and auditors should not be able to grant themselves access or privileges. "Anything that would cause a conflict of interest would not be allowed," he says.