I won a football at the New York Cloud Computing Expo in a session about encryption. Ask a meaty question and the speaker just might toss you a prize. My question was simple: If the only way to protect all the data is to encrypt all the data (except that which is already public), aren’t edge devices like tablets and smartphones going to suffer a potentially significant performance penalty since everything will need to be unencrypted before it can be used and then re-encrypted for transmission?
Well, yes, of course, said Ray Potter, CEO of SafeLogic, as he heaved a small toy inflatable red football emblazoned with the SafeLogic logo my way. Encrypt. Just get over it. Just do it. Don’t encrypt and you’ve got a good chance of becoming front page news. Right, U.S. Government? Right, Sony? And while you’ve got encryption on your mind, understand its three pillars: confidentiality, integrity, and availability.
Confidentiality, the idea that information should not be disclosed to people who shouldn’t have it. This is the idea of encrypting data and making it unreadable to attackers. Integrity, as Potter puts it is “making sure that data isn’t mucked with in transit.” A use case might be financial transfers where you need to make sure that account numbers and amounts are not compromised.
Third is availability, which might not initially appear to be related to security. But, it is. “We see a lot of distributed denial-of-service attacks that take down a server or an entire site,” Potter says. Think about Amazon going down. That’s a major loss of both revenue and goodwill. Yes, availability is security.
Regarding encryption, Potter says it fits everywhere, even on your spiffy new smartwatch. What each business needs to undertake is a risk-management plan, figuring out where data lies in the system, classifying data in terms of its sensitivity or the assets it protects, and then assigning weighted metrics. What’s typically revealed is that encryption, which was once done at the device level, now needs to be everywhere. What it boils down to is that data needs to be encrypted both in transit and at rest. Otherwise, you could be the next Sony Pictures or Anthem Health Insurance.
When it comes to encryption standards, there’s really only one that matters, and that is FIPS 140-2. The Federal Information Processing Standard (FIPS) Publication 140-2 is a cryptographic standard maintained by the Computer Security Division of the U.S. National Institute for Standards and Technology. It encompasses four distinct security levels, but for most commercial (read that as non-governmental) applications, level one is usually sufficient.
Even though FIPS 140-2 is the standard you need to implement when building your applications, usually followed by compliance verification and certification testing for certain environments (governmental and healthcare, for example), there is one gaping hole. The current version, enacted on Nov. 15, 2001, predates mobility — the existence of tablets by a decade and the mainstream advent of mobile phones by many years.
If you’re a business that’s signing up for anything-as-a-service, part of your due diligence is a demand to see the provider’s FIPS compliance certificate. And you also need to know on what exact platforms compliance has been tested — and which platforms haven’t been tested.