The Snowden scandal did more than alert businesses to the increasing dangers of system intrusion. It also made us realize that part of our national defense system includes keeping tabs on data in the cloud. With so much information stored in the cloud, how can we be sure those hosting our data aren’t obligated to share our data with the government? Businesses need encryption key management as a way to secure their data before it goes to the cloud.
Snowden Leak Alerted Businesses to the Danger
Edward Snowden was employed by consulting firm Booz Allen Hamilton, a company contracted by the NSA for its technical expertise. In his work, he stumbled upon a massive NSA spying program initiated following the 9/11 attacks.
Snowden made his discovery public, revealing that the government was intercepting internet traffic, routing it to their servers, and sifting through it for leads on terrorist plots. PRISM, an arm of the NSA’s spying program, was so named because it was intended to bring clarity to massive amounts of data by working with major internet providers to focus in on the specific information the agency needed.
Cloud Providers Must Comply with Government Demands
As a matter of necessity, PRISM operates under agreements with some of the biggest web firms in the world. Under current laws, investigators can order cloud providers to give up their data and even keep it secret from you if the investigation warrants that action. So you don’t have full control over your data in the cloud unless you take active steps to protect it.
Nowhere Is Safe
Ongoing leaks have proven that businesses have to worry about more than lawful investigations looking at their data. An even bigger threat lies in hackers with various agendas seeking access to private data. Sony’s massive data loss continues to have mysterious origins, despite months of investigation. And more recently, Anthem suffered a loss of data when hackers used social engineering to secure admin credentials and access databases containing sensitive personal information belonging to insured members. That intrusion has been blamed on the Chinese government. And countless POS systems have been breached by hackers looking to steal financial card information for personal gain. With so many ways for hackers to gain access and so many motives driving them, more needs to be done to keep data safe.
The Strength of Today’s Encryption
In the past, companies shied away from implementing encryption because key management was a headache. Many relied on their cloud providers to perform encryption. When the Snowden story broke, the business community realized that encryption had become a necessity. When companies control the encryption of their data, they decide how their data is shared with investigators and can better control security against hackers.
Encryption is as old as data, but the versions used today are considered unbreakable. You may be familiar with the Enigma machine used by Germans in WWII to encrypt communications. British agents invented the Turing Bombe, a machine that automated the decryption process, breaking Enigma’s code.
In the 1970’s, the standard form of encryption in use was called DES. Developed by IBM and modified by the NSA, it was considered unbreakable. Advances in computing technology by the 1990s, however, made it possible to guess the correct code in just a few days, a method called brute force.
To combat the weakness of DES, the National Institute of Standards and Technology (NIST) held a competition in 1997 to develop a newer, stronger form of encryption that was sufficiently complex and easy to implement in software and hardware. Business leaders worried about NSA involvement in encryption because the agency could essentially build in a “back door” that would give it access to the private data. For this reason, NIST made the competition public and agreed to offer the new encryption worldwide and royalty free.
The world’s top encryption experts tested developer entries and chose the submission from Belgian developers Joan Daemen and Vincent Rijmen, dubbed Rigndael (“Rhine doll”). The government calls it Federal Information Processing Standard 197 (FIPS 197), released to the public in November of 2001. The government approved FIPS 197 for use in top-secret documents two years later.
FIPS 197, usually referred to as the Advanced Encryption Standard (AES), can contain 128, 192, or 256 bits. At 128 bits, it isn’t twice as complex as the old standard. It’s 264 times more complex. By comparison to the old standard, a hypothetical computer capable of breaking DES encryption in one second would need 149 trillion years to crack AES. In other words, it’s unbreakable. Although 128-bit encryption is unbreakable, many organizations simply feel more secure using 256-bit. AES is so incredibly difficult to break that there is no functional difference in security between the two.
How Key Management Software Works
Because of Snowden’s revelations, businesses should realize that they must encrypt data themselves rather than relying on cloud vendors. If you’re not doing this, your data is at risk and susceptible to NSA seizure. In fact, the NSA could have some of your data now without your knowledge. And if Snowden could penetrate NSA security, someone else could do so, as well. You simply must keep hands on your own data in today’s insecure world.
With such large numbers in use and the need for separate keys for granularity and segmentation, finding a way to keep track of keys becomes vital. Losing a key would be equivalent to losing the data it protects. So, businesses use Key Management Software (KMS) to keep track of keys in a secure environment. Key management software performs these essential functions:
- Automatic key management, keeping keys encrypted at all times
- Key generation using random strings
- Separate keys to backup keys
- Easy ways to regularly change keys
- Key replication to avoid data loss
- Reporting tools
Because keys are vital business information, it’s important to include the data from your key management software in your disaster recovery plans. The Federal Information Processing Standard (FIPS) 140-2 Level 3 guidelines say you should have physical security for the systems you use to store encryption keys, implement two-part authentication for access to keys, keep audit logs on all key access events, and encrypt all data traveling between systems.
HyTrust DataControl Helps You Keep Data Private
HyTrust DataControl works in any private, hybrid, or public cloud, giving you a centralized system for data security. By encrypting data in the cloud and giving you complete, yet automated control of keys, businesses ensure that if anyone gets their hands on the data, it will be in encrypted form, making it useless to attackers. Call us today to learn more about implementing DataControl at your business.