Cracking The Data Encryption Code

Two things jump to mind when it comes to encryption: It's a must-have for secure military installations, and it's a huge headache to implement among everyone else.

Encryption's reputation as a difficult, often unmanageable technology that can thwart productivity and frequently deliver negative ROI has hindered adoption in all but the most secretive government facilities. Most agency CIOs and the solution providers that serve them know just enough about encryption to steer clear of it if they can.

But the tide may be turning in encryption's favor as more agencies are required to safeguard their data and make improvements to decades-old technology for less daunting encryption rollouts.

Indeed, privacy regulations and stringent data-protection statutes are forcing organizations to tighten security, especially around information gathered on citizens. Compliance measures demand that data be not only rigorously secured but also readily accessible to key individuals and quickly available to oversight bodies.

Hence, more civilian agencies that work with government data are thinking broadly about how to plug encryption into centralized backup- and disaster-recovery efforts. Rather than just reactively adding encryption capabilities to particular storage applications or hardware devices, organizations are injecting encryption at the operating-system level. Many are also designating encryption as a vital part of sweeping enterprise architecture initiatives.

"We are now seeing moves toward platforms that can encrypt data at different parts of the lifecycle," says Paul Stamp, a senior analyst at Cambridge, Mass.-based research firm Forrester Research. "There is a real emphasis on building encryption into the data-handling process."

Specifically, encryption is creeping into efforts such as database development, along with file- and content-management endeavors. Mobile technologies, especially those tied to telecommuting and business-continuity plans, are also more likely to include encryption--which entails the scrambling of textual and other data into a format undecipherable without algorithmic keys to unlock the coded information.

"Encryption products have generally been add-ons or specialty products for many years. However, now we're seeing encryption being built into the OS and directly into the hardware-storage devices," says Lark Allen, executive vice president of Wave Systems, a Lee, Mass.-based company that delivers services and trusted-computing applications.

For example, Microsoft's Windows Vista OS features BitLocker, an encryption feature built on Vista's Trusted Platform Module 1.2, a microchip that facilitates secured application sharing. BitLocker is designed to provide both internal and mobile workers with access to encrypted data.

BitLocker will afford encrypted protection for third-party developers building applications on the Vista product line. Further, BitLocker is designed to avoid precluding authorized users from accessing encrypted data by presenting a simple recovery process that encrypted systems tend to lack.

"Microsoft has offered similar functions before, but where they've fallen down is in the off-loading of key management and other key aspects," Allen says.

Master Key

Nearly as old as language itself, encryption is, very simply, the process of converting messages into a form that cannot be read by anyone except for the person for whom the information was intended. Encrypted data must be decrypted before it can be read. The root of the word encryption--crypt--comes from the Greek word kryptos, meaning hidden or secret, according to cryptography experts at the SANS Institute. Ages ago, writers attempted to conceal messages by substituting parts of the information with symbols, numbers and pictures--the earliest form of encryption. Classic examples: the Assyrians, who used coded messages to protect their trade secret of pottery manufacturing, and the Chinese, who encrypted their processes for making silk.

Encryption has a long history in the United States. In 1790, Thomas Jefferson, with the help of a University of Pennsylvania professor, invented a wheel cipher that developed into the M-138-A Strip Cipher used by the U.S. Navy in World War II, according to sources at SANS.

But perhaps the most famous historical use of encryption was during World War II, when the Germans tried to safeguard their military secrets with the now-famous Enigma machine. Originally invented in 1933, the commercially unsuccessful Enigma was re-engineered by the Germans and became the workhorse of the Nazi military.

The Enigma machine proved very successful until its encryption methods were discovered by Polish mathematician Marian Rejewski, based only on some captured text and three months' worth of daily keys obtained through a spy. Continued Enigma breaks were based on developments during the war by Alan Turing, Gordon Welchman and others at Bletchley Park in England. Such were the rewards and risks of dealing with encryption.

But plaguing all efforts to encrypt data is the risk of losing the "key," or the method by which the intended recipient can decipher the message. In fact, the possibility of losing modern electronic crypto keys that allow companies to unlock encrypted data has held back widespread adoption of encryption products. So has the related need to rely on companies such as RSA Security and Protegrity to manage algorithmic keys, experts note.

"The only viable encryption solutions are the ones that assist in the recovery of stored data," says Kenneth LaFrankie, business development manager at immixGroup, a government reseller based in McLean, Va. "The most common user problem is the accidental lockout from a piece of equipment due to a forgotten password. Enterprises must be able to restore access to that information when something like this happens."

Indeed, the extent to which encryption makes its way into widespread recovery-and-backup applications hinges on restoration processes, says Gabriel Raia, senior vice president of sales and business development at Innerwall, a security software company in Colorado Springs, Colo. "Encryption can protect archives and other backup data. This benefit, however, needs to be measured against the risk of losing the keys that allow authorized users to gain on-demand access."

Many agencies rely on RSA and Protegrity to encrypt databases and manage the keys necessary to unlock the data. Although RSA is loathe to relinquish its industrywide role as the keeper of encryption keys, the company in June debuted its Enterprise Data Protection (EDP) initiative, designed to simplify key management and spur the use of encryption to protect data residing in databases, laptops and other mobile devices, files and operating systems.

To relieve government IT administrators of many challenges surrounding key management, RSA has packed into EDP its Key Manager software, which centralizes the administration of key-management policies. That is, the software helps to keep information flowing throughout an organization, despite the fact that one department's encrypted data may be protected with a particular encryption key while another business unit uses an entirely different key.

"Traditionally, government has managed its keys in silos," says Chris Parkerson, senior product marketing manager of RSA's Data Security Division. "The problem is that information needs to flow through many domains."

Big Brother's Role

Pulling together departments while reducing the risks of unauthorized access is crucial to the government's role in both overseeing and complying with industrywide data-protection and privacy laws, such as the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley and the Gramm-Leach-Bliley Act, some observers agree.

"Encryption is becoming a very hot topic, with the passage of laws by 23 states--and more pending--for the protection of personal data," says Mary Cochetti, a product manager at CA in Islandia, N.Y. "Any agency that keeps personal information on citizens should be using encryption to protect data."

Aiming at agencies operating in a mainframe environment and looking to bolster protection of personal data, CA in May launched BrightStor, a mainframe tape-encryption solution that encrypts and decrypts data residing on IBM's z/OS operating system. BrightStor promises to foster encrypted backup processes, because encryption does not require application or Job Control Language changes, regardless of the data's origin within the agency.

According to Cochetti, mainframe-based encryption has consistently failed to take off. "Until now, there has been no compelling event to move agencies and enterprises to change," she says, adding that new state and federal data-privacy and security laws are sure to provide this necessary impetus.

Many agencies are also faced with securing documents that flow through disparate applications, such as ERP and document-management systems. Left unencrypted and protected only by traditional security and disaster-recovery methods, these documents are at risk, argues Adam Brosnian, vice president of products, strategies and sales at Dedham, Mass.-based Cyber-Ark Software, which offers Network Vault, an encryption-based security software application.

"Encryption can help in backup- and data-recovery efforts, especially when the encryption capability is part of an overall, centralized information-security solution," Brosnian says. "Network Vault provides a centralized, secure repository where the encryption process is transparently applied to all information that is stored and retrieved from the Vault."

FileNet is also banking on increased government interest in encrypting sensitive and regulated content. Recently, the company partnered with Decru, a business unit of storage giant Network Appliance, in offering a combined solution that aims to impose granular encryption based on an agency's document group and security policies.

Storage-based encryption makes sense not only from a security standpoint but from a budgetary position as well, says Campbell Robertson, Costa Mesa, Calif.-based FileNet's acting director of Global Marketing to Governments. "Storage is increasingly a large area for budget consideration, as well as overall management for government agencies," he says.

Government resellers eyeing encryption as a way to position products for agencies with healthy storage and security budgets, however, must hone the expertise necessary to participate in this market, many advise.

"Systems integrators are playing a bigger role in this movement, because they generally understand how to apply encryption to meet the various vulnerabilities in a database and storage system," says Chris Fedde, senior vice president and general manager of Belcamp, Md.-based SafeNet, which partners with IBM on these solutions.

"Resellers that do have the skillset can differentiate themselves in this very important market segment," he adds. *