The major drawbacks of volume or partition encryption are that a single disk or volume corruption event can make the whole encrypted volume unavailable, and that a single compromise can immediately reveal all protected files: once the volume is mounted, it is transparently decrypted for every process running as an authorized user, so malware running in that context reads the data in plain text. It is also possible for intruders to insert malicious code above the volume encryption driver, intercepting data before it is encrypted on its way to the disk (and after it is decrypted on the way back), essentially revealing all data in plain text.
Among the strongest encryption solutions are media-level encryption products, and as such they deserve careful consideration. They can encrypt entire drives, known as full-drive encryption, or all data as it is streamed onto a medium (sequential tape backup, for instance). Media-level encryption can be implemented in application software, in the operating system, or in hardware. Even hard-drive vendors such as Seagate Technology are getting into the action (see “Scouting for Encryption Solutions,” page 34).
An informal list of full-disk encryption products can be found here.
A database that needs protection typically requires field-level encryption. Data can be encrypted on a per-column or per-row basis, but it is usually preferable to encrypt per element. Essentially, each sensitive value is encrypted before it is stored in the database table and decrypted on the fly when it is read. This presents additional challenges for indexing and queries, because the database engine sees only ciphertext and cannot meaningfully compare, sort, or index it; for that reason, those mechanisms have to be privy to the field-level encryption routines used to store the data.
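The following is an added example, not code from the article or from any vendor it names, showing per-element encryption and the indexing problem it creates. It assumes a hypothetical patients table with an SSN column, keys hard-coded and constructed for the example, AES-GCM for each element (with the row ID bound in as associated data) and a separate keyed HMAC-SHA256 "blind index" stored beside the ciphertext so that an equality query can still be answered; all type, field and function names are the example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Constructed keys for this example only (a real deployment uses a KMS/HSM); the index key is separate from the encryption key.
var (
	encKey   = []byte("0123456789abcdef0123456789abcdef") // 32 bytes -> AES-256
	indexKey = []byte("fedcba9876543210fedcba9876543210")
)

// Row is one record of a hypothetical patients table with its SSN encrypted per element.
type Row struct {
	ID       int
	Name     string
	SSNEnc   []byte // nonce || AES-GCM ciphertext || tag
	SSNIndex string // hex(HMAC-SHA256(indexKey, ssn)); supports equality lookups only
}

// gcm is built once; with a 32-byte key neither constructor can fail, so a failure is a setup bug.
var gcm = func() cipher.AEAD {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead
}()

// aad binds a ciphertext to table, column and row, so a database writer cannot copy one row's value into another.
func aad(id int) []byte { return []byte(fmt.Sprintf("patients.ssn:%d", id)) }

// EncryptField uses a fresh random nonce, so equal SSNs in two rows get different ciphertexts: unusable as an index.
func EncryptField(id int, plain string) ([]byte, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, gcm.Seal(nil, nonce, []byte(plain), aad(id))...), nil
}

// DecryptField reverses EncryptField; it fails if the value was altered or moved to another row.
func DecryptField(id int, enc []byte) (string, error) {
	if len(enc) < gcm.NonceSize() {
		return "", fmt.Errorf("ciphertext too short")
	}
	plain, err := gcm.Open(nil, enc[:gcm.NonceSize()], enc[gcm.NonceSize():], aad(id))
	return string(plain), err
}

// BlindIndex is deterministic, so a WHERE ssn = ? query can run against this column; it must be computed by
// the same routine that encrypts (the coupling the article describes) and cannot serve range queries or sorting.
func BlindIndex(plain string) string {
	mac := hmac.New(sha256.New, indexKey)
	mac.Write([]byte(plain))
	return hex.EncodeToString(mac.Sum(nil))
}

// FindBySSN answers an equality query: match on the blind index, then decrypt to confirm rather than trust the hash.
func FindBySSN(table []Row, ssn string) ([]Row, error) {
	want, hits := BlindIndex(ssn), []Row{}
	for _, r := range table {
		if r.SSNIndex != want {
			continue
		}
		plain, err := DecryptField(r.ID, r.SSNEnc)
		if err != nil {
			return nil, err
		}
		if plain == ssn {
			hits = append(hits, r)
		}
	}
	return hits, nil
}

func main() {
	var patients []Row // constructed sample data; Ann and Cal hold the same SSN
	for i, p := range [][2]string{{"Ann", "123-45-6789"}, {"Bob", "987-65-4321"}, {"Cal", "123-45-6789"}} {
		enc, err := EncryptField(i+1, p[1]) // the write path: encrypt, then index
		if err != nil {
			panic(err)
		}
		patients = append(patients, Row{ID: i + 1, Name: p[0], SSNEnc: enc, SSNIndex: BlindIndex(p[1])})
	}
	hits, _ := FindBySSN(patients, "123-45-6789")
	_, swapErr := DecryptField(2, patients[0].SSNEnc) // Ann's ciphertext placed in Bob's row
	fmt.Println("matches:", len(hits), "row swap rejected:", swapErr != nil)
}
```

Running it prints `matches: 2 row swap rejected: true`. The two rows holding the same SSN carry different ciphertexts (a plain index on SSNEnc would never match), but identical index values, which is what the query layer searches; range queries, prefix searches and ORDER BY on the encrypted column remain impossible with this design and either need searchable-encryption schemes with their own leakage or have to be done in the application after decryption. The associated data ties each value to its row, so an attacker who can write to the database but lacks the key cannot move one patient's value under another's name.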
There aren’t many field-level encryption products that can be used across disparate databases or programs. Most solutions are database- or application-specific, or they require customized programming. Microsoft, IBM, Oracle, Sybase, and other popular database vendors all offer field-level encryption solutions.
Protecting data in motion
It’s essential to protect data as it traverses nonsecure networks. The Web has settled on the SSL/TLS standard. Network transmissions and VPNs are often protected using SSL/TLS, SSH, or IPsec. E-mail can be protected using asymmetric cryptography with PGP or S/MIME. Increasingly, other forms of network communication, such as peer-to-peer and IM traffic, must be authenticated and encrypted as well.
Holistic solutions come into play when data must be protected across multiple platforms and devices. And although no solution comes close to solving every confidential data need, many cover multiple areas. Several solutions cover hard drives, laptops, removable storage, USB keys, CD-ROMs, and DVDs, with centralized management and key recovery. A single product usually results in easier management and lower cost.
PGP NetShare solution provides for shared encrypted files across multiple applications -- file, e-mail, IM, laptops, and PDAs, according to Andrew Krcik, vice president of marketing. “Files can be encrypted on the server, across the network, and on a local computer with a single user key.”
Keys to the kingdom