When To Layer Encryption

May 28, 2008 – 7:36 PM

I used to joke about the client that once told me their management mandated “double encryption” on all financial information after a breach. In their case, they were encrypting their database and backup tapes. Not that there isn’t a valid reason to encrypt databases and backup tapes, but the way they were implementing provided no additional security. Once those card numbers were encrypted in the DB, re-encrypting at the tape level added no value (this wasn’t a case where they were encrypting the tapes to protect information not already encrypted).

But if we go back to the Three Laws of Encryption, there are circumstances where you might consider multiple layers. The most common case is when we are encrypting for media protection, but also need to encrypt for separation of duties.

Full disk encryption is your best bet to protect yourself from information loss due to a lost or stolen laptop, but there are situations where FDE is not enough. It doesn’t protect content from multiple users on a system, say the sensitive financials on the CFOs laptop from the lowly system administrator, nor does it protect content as it moves, say to a USB drive. File level encryption allows more granular options and protection in a wider range of circumstances. But since users are unreliable, and there are places (like virtual memory) where sensitive data can hide, file encryption doesn’t obviate the need for FDE (or an FDE-equivalent).

Thus file encryption is complementary to full drive encryption; each solves a different part of the data protection puzzle. With file encryption you can protect content as you move it off the laptop, protect it from other users (especially administrative users) on the same system, and encrypt data that’s shared across a team using group keys.

Long term, file encryption will become more interesting as it combines with DLP. We are starting to see products that encrypt files based on their content, managed by central policies. Have something with a credit card number in it? It’s automatically encrypted using a corporate key. While FDE doesn’t need to pick and choose what to protect, long term file encryption (and DRM) will have to use content and context awareness to reduce the burden on users, comply with corporate policies, and improve the practicality of encryption.

Source: Securosis

You must be logged in to post a comment.