Otava’s Senior Product Architect Steve Aiello continues his data security series of videos on data encryption by explaining the many challenges to encrypting data and walking through best practices for a high level of data security.
There are many different levels at which you need to encrypt your data. Strong security means thinking about physical security — if someone gains physical access to your server or data center and steals the device, they can potentially decrypt your data. Disk-level encryption of data at rest protects against this kind of physical theft: if someone pulls a few drives out of a storage array, they cannot recover any of the data on them.
Aiello also describes the challenges that commercial software poses for encryption. Another challenge is administration of the server: one question to ask is whether your cloud provider offers a VPN (Virtual Private Network) so you can manage your own servers securely.
Steven: There are a lot of challenges to encryption. It is probably one of the hardest things, if not the hardest thing, in IT to do properly. That’s because, as I had stated, there are so many different levels and layers at which you really do need to encrypt your data. Let’s walk through a strong scenario where data would be encrypted at many different levels. You have a lot of things that you need to think about.
If you have a server … at your web-hosting provider, or in a closet in your facility, you need to worry about somebody breaking into your facility and stealing your server. Or somebody being able to physically compromise your co-location provider or your cloud provider because of poor security measures. If someone gains physical access to that device, they can walk out of the data center with it and decrypt your data. That’s a problem.
This is especially a problem with health care companies and financial companies where there’s a lot of data on laptops. That’s a pretty plausible scenario. What you want to do is you want to make sure that that data is encrypted at rest at the disk level. That ensures that in case there’s any sort of physical theft or anything like that, or in a storage array somebody pulls out a couple of hard drives … they can’t recover any of that data on the hard drives.
The next step going up the stack is you look at the operating system and how the operating system ties into everything. If my machine is turned on, or if my laptop is turned on, or my server is turned on and somebody can walk up to the keyboard … that hard drive has already been decrypted. If you can walk up, if you can hack into somebody’s server, or walk up to your neighbor’s work station and just start accessing data … even though the hard drive is encrypted, you will still be able to extract data and put it on a thumb drive and walk away with it.
That’s another level of encryption. Now, how you handle that can be done in a couple of ways. Where the real challenge for business owners comes in is … let’s say they buy a commercial piece of software. That commercial piece of software … let’s say, I don’t know, I don’t use it … but let’s say you have something like Peachtree, or QuickBooks, or something. The manufacturer does not build an encryption mechanism into their software, and you have this QuickBooks file. That QuickBooks file has on it all of your company’s important financial data and maybe the credit cards of your customers.
If the laptop is left on, or the server is left on … and a person can walk up to that server, or walk up to that laptop and simply stick a USB drive in and copy that QuickBooks file over to the USB drive, then they now have all of your data in an unencrypted format. Again we have a problem. You did due diligence; you encrypted the hard drive at the disk level. Then because the disk was already unencrypted, the attacker was able to extract that data.
This is probably one of the most difficult areas to really deal with. It either requires a piece of software into which the manufacturer builds encryption … or, if you’re writing proprietary software, you have to identify all of the data within your software and make sure that your developers are encrypting that data either within your database or on disk, on top of your file- or hard-drive-based encryption.
Beyond that, we have a couple of other different things. Let’s say you’re accessing this data. This is software as a service. You have SSL encryption. SSL we’ve talked about a little bit. Many times if you do a pen test or something like that … people were complaining that this version of SSL is not really strong enough. SSL is one of the easier pieces to take advantage of and to implement; it’s not too difficult. It can be a little bit expensive, a few hundred dollars, but it’s a very, very standard practice in the industry. That one’s probably a gimme.
The next thing that you have to worry about is the administration of the server. Does your cloud or virtual private server company … do they offer you a way to use a VPN to get into the network? VPN in, using a strong cryptographic algorithm, and manage your servers over a VPN so you don’t have to have sensitive services like SSH or RDP exposed to the Internet for everybody. You simply VPN into a private network, you tunnel through that secure VPN, and then you administer your server safely and securely through that additional level of encryption.
What you can do is you VPN in. That’s encrypted. Then you could actually open up an SSH session, which would be a second encrypted tunnel inside of your first primary encrypted tunnel. It may seem like a little bit of overkill, but that’s a much better solution than simply leaving that SSH port open to the Internet … available to anyone who would try to brute force your system or something of that nature.
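The point Aiello makes about commercial and proprietary software, that disk encryption stops protecting a file once the machine is unlocked and so the application itself has to encrypt the sensitive fields, is illustrated below with an added Go example. It is not code from the video or from Otava; the customer record, card number and key handling are constructed for this example. It seals one field with AES-256-GCM so that a data file copied off a running system contains only ciphertext, and it goes a little beyond the transcript by binding each value to its record id as associated data and by rejecting tampered copies.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Constructed sample value: the kind of field a financial application would
// keep in its data file. The number is a well-known test value, not real data.
const sampleCardNumber = "4111111111111111"

// NewDataKey returns a fresh 256-bit AES key. In a real deployment the key is
// fetched at runtime from a KMS, HSM or OS keyring and is never stored beside
// the data file; otherwise copying the file and the key together defeats this.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptField seals one field with AES-256-GCM. aad (e.g. "customer:<id>:<column>")
// is authenticated but not encrypted, so a sealed value cannot be moved to
// another row without detection. Stored layout: 12-byte nonce || ciphertext || tag.
func EncryptField(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	sealed := gcm.Seal(nil, nonce, plaintext, aad)
	return append(nonce, sealed...), nil
}

// DecryptField reverses EncryptField. Any change to the stored bytes or to the
// aad fails the GCM tag check and yields an error instead of plaintext.
func DecryptField(key, stored, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(stored) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("stored value too short to be a sealed field")
	}
	nonce, ct := stored[:gcm.NonceSize()], stored[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func main() {
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	aad := []byte("customer:1042:card_number") // constructed record context
	stored, err := EncryptField(key, []byte(sampleCardNumber), aad)
	if err != nil {
		panic(err)
	}
	// These are the bytes an attacker gets by copying the file off an unlocked disk.
	fmt.Printf("on disk: %x\n", stored)

	plain, err := DecryptField(key, stored, aad)
	if err != nil {
		panic(err)
	}
	fmt.Printf("application view: %s\n", plain)

	// A modified copy is rejected rather than silently decrypted to garbage.
	tampered := append([]byte(nil), stored...)
	tampered[len(tampered)-1] ^= 0x01
	if _, err := DecryptField(key, tampered, aad); err != nil {
		fmt.Println("tampered copy rejected:", err)
	}
}
```

The file on disk is useful to a thief only together with the key, which is exactly the separation the transcript asks for: the disk can already be unlocked, but the application data is still ciphertext until the running program fetches its key.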