End-to-end encryption: The PCI security holy grail
How do you make it difficult to illicitly move and use your data? The answer is simple: encrypt it.
By Ben Rothke and David Mundhenk | CSO | Published: 15:49, 14 September 2009
One of the first products to keep companies from being locked out of their own data was PGP, with its additional decryption key (ADK). Strictly speaking, it is an additional encryption key, since decryption is done with a private key; the term "additional decryption key" and its acronym have nevertheless stuck.
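The mechanism behind an ADK is that every message is encrypted to two recipients: the user's own key and a corporate escrow key held by the organisation. The following Go program is an added illustration of that idea and is not code from the article or from PGP: it seals a record under a fresh AES-256-GCM data key, wraps that key with RSA-OAEP to both a hypothetical user key and a hypothetical ADK, and then recovers the plaintext with the ADK alone, which is the situation where the user's private key has been lost. The sample record and the "user" and "adk" labels are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope holds one ciphertext plus the data key wrapped separately to each
// recipient, so either the user or the ADK holder can open it.
type Envelope struct {
	Nonce       []byte
	Ciphertext  []byte
	WrappedKeys map[string][]byte // recipient label -> RSA-OAEP wrapped data key
}

// oaepLabel binds the wrapped blob to its purpose (a constructed value).
var oaepLabel = []byte("data-encryption-key")

func newGCM(dek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under a random 256-bit data key and wraps that key to
// every recipient public key. Listing the ADK as a recipient is what keeps the
// organisation from being locked out if the user's key disappears.
func Seal(plaintext []byte, recipients map[string]*rsa.PublicKey) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	env := &Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil),
		WrappedKeys: make(map[string][]byte, len(recipients))}
	for label, pub := range recipients {
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dek, oaepLabel)
		if err != nil {
			return nil, err
		}
		env.WrappedKeys[label] = wrapped
	}
	return env, nil
}

// Open recovers the plaintext with whichever recipient private key is at hand;
// the label selects that recipient's wrapped copy of the data key.
func Open(env *Envelope, label string, priv *rsa.PrivateKey) ([]byte, error) {
	wrapped, ok := env.WrappedKeys[label]
	if !ok {
		return nil, errors.New("no wrapped key for recipient " + label)
	}
	dek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, oaepLabel)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// Demo seals a constructed record to a user key and an ADK, then opens it with
// the ADK only, as if the user's private key had been lost.
func Demo() (string, error) {
	userKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", err
	}
	adkKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", err
	}
	recipients := map[string]*rsa.PublicKey{"user": &userKey.PublicKey, "adk": &adkKey.PublicKey}
	env, err := Seal([]byte("constructed sample: cardholder record 0000"), recipients)
	if err != nil {
		return "", err
	}
	if _, err := Open(env, "adk", userKey); err == nil {
		return "", errors.New("user key must not unwrap the ADK copy")
	}
	pt, err := Open(env, "adk", adkKey)
	return string(pt), err
}

func main() {
	pt, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("recovered with ADK:", pt)
}
```

The design point is that the escrow copy is a second wrapping of the same data key, not a second copy of the plaintext, so the ADK's private key is the only extra secret to protect, and access to it should be controlled and logged as tightly as any other master key.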
As stated already, and as this article will reiterate, data encryption projects require extreme attention to detail. Project plans need to be tactical and focused on the specific application the encryption services will serve, with concise strategic objectives and milestones.
If encryption is not done correctly, it can degrade the performance of the applications, systems and people that are supposed to use it. It can also put existing Service Level Agreements with business partners, customers, service providers and other third parties at risk.
Many encryption rollouts have failed because the company did not give sufficient attention to the design and testing phases preceding implementation. Far too many companies think that encryption is plug-and-play, which it most often is not. Effective encryption rollouts take time, require significant attention to detail, and cannot be rushed.
As mentioned previously, an effective encryption rollout requires a strategic approach. Forrester's Paul Stamp writes in Adopting an Enterprise Approach to Encryption that there are two main considerations when adopting a more enterprise-wide approach to encryption:
* Make sure that users and administrators can use the system transparently and simply in concert with other operational processes
* Ensure that the organization can track and demonstrate that encryption requirements are effective and being carried out properly
Achieving this across all the areas where encryption is used is by no means a small undertaking. When creating an encryption strategy, note that different scenarios require different approaches: your data backup encryption will be quite different from your mobile device encryption, and messaging encryption will differ from database encryption.
Finally, many simply underestimate the administrative and technology overhead of properly managing cryptographic keys and producing the required compliance validation documentation. Also, when considering PCI, note that cardholder data can reside not only on databases and file servers, but also on laptops, PDAs, USB drives, floppies/CD-ROM/DVD, and other mobile devices. Make sure all such applicable media are included in your encryption deployment.
Also remember that section 3.4.1 of the PCI DSS Requirements and Security Assessment Procedures stipulates the following: If disk encryption is used (rather than file- or column-level database encryption), logical access must be managed independently of native operating system access control mechanisms (for example, by not using local user account databases). Decryption keys must not be tied to user accounts.
This is to ensure that anyone compromising user accounts cannot automatically have access to critical encrypted data repositories on the systems hosting those accounts.
The importance of encryption for mobile devices can't be overemphasized. Today's workforce is extremely mobile, and such mobility requires strong controls around the data that is moving about.
Documentation and Policies
An effective encryption deployment, like any other technology implementation, requires formalized documentation of the relevant policies, processes and procedures. The authors can't overemphasize that encryption must be supported by sound policy, process and procedural documentation as well as a formal asset risk management program. This helps demonstrate that the work was adequately planned and supervised, and shows that internal controls have been studied, evaluated and can be accounted for.
The encryption policies must be endorsed by management and effectively communicated to end-users, business partners and all third-parties that handle sensitive data. If they can't comply with your policies, don't give them access to your data.
Also, the policy must be flexible enough to deal not just with merchant data on statically deployed systems, but also with laptops, PDAs, mobile devices, and more.
Finally, policy shows that the work around the encryption project has been adequately planned and supervised and also demonstrates that internal controls have been studied and evaluated.