How to develop an enterprise encryption strategy

An end-to-end strategy must factor in all the ways the data can be input and output, as well as how it’s stored

The major encryption classes are further delineated by where the cryptographic operations take place and where the cryptographic keys are stored. With most software-based solutions, the encryption/decryption takes place in a computer’s general memory area. Hardware-based solutions, such as smart cards and cryptographic tokens, handle the cryptography in specialized memory areas that are accessible only by the hardware device. It’s a much more secure method, and faster.

Many products store the cryptographic keys on the computer device being protected. Keys stored this way should themselves be encrypted and protected by a long passphrase or another hardware device. Increasingly, cryptographic keys are being stored on hardware devices. Smart cards are becoming common for two-factor authentication, but more general devices contributing to even stronger encryption are on the way. If your PC doesn’t have one already, most PC motherboards will soon ship with a TPM (Trusted Platform Module) chip, which can be used to securely store cryptographic keys for all sorts of operating systems and applications. Microsoft’s forthcoming BitLocker technology, part of the Vista OS, can store volume encryption keys on the TPM chip. TPM solutions are resistant to current software-based attacks.

A word of caution: Many products have been discovered to store the encryption/decryption keys in plain text in publicly accessible areas. Lastly, and this is of paramount importance, if you cannot guarantee reliable key archival and management, don’t implement encryption. Unfortunately, good cryptography is a double-edged sword. When decryption keys are lost or corrupted, data can be lost forever unless a suitable recovery method exists.
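As an added example (not from the article), this is one way to keep a stored data key encrypted under a long passphrase, as recommended above, and it makes the recovery warning concrete: with the wrong passphrase, or none, the data key cannot be recovered at all. It assumes Ruby’s bundled OpenSSL bindings; the PBKDF2 iteration count and the blob layout are my own choices, not values from the article.

```ruby
require 'openssl'
require 'securerandom'

# Constructed example: a data key is wrapped with a key-encryption key (KEK)
# derived from a passphrase. These parameters are illustrative assumptions.
ITERATIONS = 200_000
SALT_LEN = 16
IV_LEN = 12
TAG_LEN = 16

# PBKDF2-HMAC-SHA256 turns a passphrase plus a per-key salt into a 32-byte KEK.
def derive_kek(passphrase, salt)
  OpenSSL::PKCS5.pbkdf2_hmac(passphrase, salt, ITERATIONS, 32, OpenSSL::Digest.new('SHA256'))
end

# Returns salt || iv || tag || ciphertext. Only the data key ciphertext is
# stored; the plaintext key never needs to sit on disk.
def wrap_key(data_key, passphrase)
  salt = SecureRandom.random_bytes(SALT_LEN)
  iv = SecureRandom.random_bytes(IV_LEN)
  cipher = OpenSSL::Cipher.new('aes-256-gcm')
  cipher.encrypt
  cipher.key = derive_kek(passphrase, salt)
  cipher.iv = iv
  cipher.auth_data = salt # bind the salt to the ciphertext
  ct = cipher.update(data_key) + cipher.final
  salt + iv + cipher.auth_tag + ct
end

# Reverses wrap_key. A wrong passphrase or a tampered blob fails GCM
# authentication and yields nil, never a silently wrong key.
def unwrap_key(blob, passphrase)
  return nil if blob.bytesize < SALT_LEN + IV_LEN + TAG_LEN
  salt = blob.byteslice(0, SALT_LEN)
  iv = blob.byteslice(SALT_LEN, IV_LEN)
  tag = blob.byteslice(SALT_LEN + IV_LEN, TAG_LEN)
  ct = blob.byteslice(SALT_LEN + IV_LEN + TAG_LEN, blob.bytesize)
  cipher = OpenSSL::Cipher.new('aes-256-gcm')
  cipher.decrypt
  cipher.key = derive_kek(passphrase, salt)
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.auth_data = salt
  cipher.update(ct) + cipher.final
rescue OpenSSL::Cipher::CipherError
  nil
end
```

If the passphrase is lost and no escrow copy of it (or of the KEK) exists, `unwrap_key` is the only path to the data key, which is exactly the key-archival problem the article warns about.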
