Encryption, Auditors, and SharePoint

Thales eSecurity, a vendor primarily known for Hardware Security Modules, sponsored an independent study by the Ponemon Institute on how security assessors view data encryption. There are some fascinating conclusions in this report, and I was excited to get a view into the minds of the security audit community.

From the Ponemon study:

“Respondents say that restricting access to confidential data on a need-to-know basis is a very difficult compliance requirement to achieve. Other difficult requirements include the need to maintain secure systems and applications and protecting confidential data at rest (in storage).”

Every organization needs to enforce business need-to-know for sensitive regulated information, and this is difficult for a number of reasons. Aside from the limitations SharePoint’s access control model may have, you cannot natively keep IT administrators from viewing information. That also creates challenges for separation of duties, which is something auditors emphasize when they perform their reviews.

Maintaining secure systems requires a strong understanding of the interconnected systems in an environment and how they are integrated. You also have to maintain that hardening over time despite configuration changes, software and operating system patches, etc. I know one organization that is very good at this because they have a small group of extremely talented systems administrators who run their systems with maniacal precision.

Protecting confidential data at rest should be a no-brainer for any organization. Data-at-rest encryption solutions have been in the marketplace for over 8 years. Unless you have legacy applications or operating systems, there are solutions that will meet your needs.

The big question is where to insert the data-at-rest encryption. In a web-based application like SharePoint, implementing the encryption at the application level provides the best security if you can do it transparently. In the PCI DSS market, Qualified Security Assessors are increasingly favoring an application-level approach, since it is the only approach that keeps database and systems administrators from viewing the information, which goes a long way toward enforcing business need-to-know.

Also from the study:

“Encryption is the hands-down favorite technology for achieving data protection compliance. In fact, the overwhelming majority of respondents believe an organization’s information assets cannot be fully protected without encryption or other crypto solutions.”

CipherPoint’s founders have been in the encryption space for many years and we couldn’t agree more with the quote above. Encryption is an important piece of a comprehensive data security architecture, but there are many ways to implement it, and each approach offers a different degree of effectiveness. For example, disk encryption is effective for addressing the threat of physical loss or theft of a tape or laptop, but it does very little to protect information on a data center server from unauthorized access: any process or administrator the operating system lets read the file gets the plaintext.

And a quote from the study on key management:

“Respondents admit that despite a favorable response to encryption, key management can be very challenging in terms of meeting compliance requirements.”

Encryption is easy. Key management is hard. An encryption solution that provides solid key management (e.g. secure, scalable, and easy to operationalize) is hard to come by. For this reason, the best database vendors in the world are not the best key management providers. When you evaluate a SharePoint encryption solution we encourage you to look beyond the encryption capabilities and dig into the key management functionality!
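To make the tiering and key-management points above concrete, here is an added Python sketch (not CipherPoint’s code or part of the original post): the application encrypts each item before it reaches the content database, a separate key manager holds the master key and wraps per-item data keys, so an administrator with full database access sees only ciphertext, and key rotation re-wraps data keys without re-encrypting stored data. The cipher is a constructed stdlib-only stand-in for AES-GCM, and every name here is hypothetical.

```python
import hmac, hashlib, secrets

# Stdlib-only stand-in for an authenticated cipher (HMAC-SHA256 keystream, encrypt-then-MAC),
# constructed so the example runs without third-party packages; use AES-GCM from a vetted library in practice.
def _subkeys(key):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())
def _xor_stream(key, nonce, data):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))

def seal(key, plaintext):
    enc, mac = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(enc, nonce, plaintext)
    return nonce + ct + hmac.new(mac, nonce + ct, hashlib.sha256).digest()
def unseal(key, blob):
    enc, mac = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("authentication failed: wrong key or tampered record")
    return _xor_stream(enc, nonce, ct)

class KeyManager:
    """Runs outside the SharePoint/SQL tier; only it ever holds the master key (hypothetical component)."""
    def __init__(self):
        self.master = secrets.token_bytes(32)
    def new_wrapped_dek(self):
        dek = secrets.token_bytes(32)          # one data key per item
        return dek, seal(self.master, dek)     # stored wrapped, never in the clear
    def unwrap(self, wrapped):
        return unseal(self.master, wrapped)
    def rotate(self, db):
        """Rotation re-wraps each DEK under a new master; the item ciphertext is untouched."""
        new_master = secrets.token_bytes(32)
        for item_id, (wrapped, ct) in db.items():
            db[item_id] = (seal(new_master, unseal(self.master, wrapped)), ct)
        self.master = new_master

def store_item(db, km, item_id, text):
    """Application tier: encrypt before the value reaches the content database (a dict here)."""
    dek, wrapped = km.new_wrapped_dek()
    db[item_id] = (wrapped, seal(dek, text.encode()))
def read_item(db, km, item_id):
    wrapped, ct = db[item_id]
    return unseal(km.unwrap(wrapped), ct).decode()
def dba_view(db, item_id):
    """Everything a database or systems administrator with full access to the store can read."""
    wrapped, ct = db[item_id]
    return wrapped + ct
```

Disk or database-level encryption would instead hand `read_item`'s plaintext to anyone the operating system or SQL Server authorizes, which is exactly the administrator population the application-level design keeps out.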

In conclusion: encryption is effective when deployed at the correct tier; application-level encryption provides the best security but must be done transparently; and key management needs to be a core selection criterion for any encryption solution.

Mike
