Encryption from the database to the laptop PC

Vendor initiatives abound for securing sensitive data

To encrypt or not to encrypt? When it comes to protecting sensitive data, there really is no choice. Sensitive information, whether transmitted over a network or stored in databases or on laptop computers, must be encrypted to protect against theft and misuse.

With the latest data theft involving a Department of Veterans Affairs employee whose stolen laptop contained the Social Security numbers and other personal information of 26.5 million veterans, experts say organizations should be looking for products that can protect data regardless of where it is.

RSA Security launched an initiative last week to offer companies and government agencies a more comprehensive approach to enterprise data protection. The aim is to protect sensitive data any place it resides: at the application-level, within databases, in files and operating systems, on laptop PCs and mobile devices, and in storage.

RSA’s framework also focuses on managing encryption keys, access control and authentication functions.

At the heart of the company’s initiative are the new RSA Key Manager Partner Program and a strategic partnership with Protegrity, a developer of data security management solutions. Managing encryption keys generated by disparate applications requires integration with data protection products. The partner program will allow vendors to combine their products with RSA Key Manager.

The program is a good move, said Paul Stamp, a senior analyst at Forrester Research. “Right now we’ve got a mess,” he said. Products exist to encrypt laptop PCs, databases, file servers and data in transit, but “none of them talk to each other,” he said. RSA’s initiative will help establish a central broker so the right people can access the encryption keys they need to get their data, he said.

Protegrity and RSA plan to provide product integration between RSA Key Manager and Protegrity’s Defiance DPS and VPDisk by the end of the year. Defiance DPS is enterprise software that helps secure sensitive data in databases. VPDisk secures sensitive files and encrypts structured and unstructured information.

Organizations are looking for ways to manage encryption enforcement policies across files and databases, said Paul Giardina, senior vice president of marketing at Protegrity. “The RSA relationship is a nice fit” because keys can now be managed centrally across an organization with consistent policy enforcement, he said.

RSA is focusing on the infrastructure for managing user access rights, said Chris Parkerson, senior product marketing manager at RSA. Its Key Manager works with RSA Data Security Manager, RSA ClearTrust Web access management software and RSA SecurID authentication solutions. The program will allow RSA to work with other vendors to secure information from its inception to the time it is stored or destroyed, he said. The company is negotiating with vendors that provide encryption for laptops and back-end storage systems, Parkerson added.

Meanwhile, Ingrian Networks is taking a different approach by storing encryption keys on a security appliance rather than on servers where encrypted data resides, as in the case of most software-based encryption products.

The company’s DataSecure Platform consists of five hardware appliances that encrypt data on servers and in databases. Two of the devices comply with Federal Information Processing Standards — the i315 and i325 — providing the level of security for encryption keys that government agencies require, said Derek Tumulak, director of product marketing at Ingrian.

The DataSecure Platform consists of three components: the hardware appliance; the Network-Attached Encryption Server, which runs on the appliance; and the NAE Connector, software that is installed on Web or application servers or in databases and acts as an interface with the appliance.

If an employee downloaded sensitive information such as Social Security numbers to a laptop PC and it was stolen, the thief would not have the correct encryption key to gain access to the data, Tumulak said.

Products that encrypt entire disk drives would further protect laptop users. WinMagic recently released a version of its encryption software for individual and home office or business users. MySecureDoc Personal Edition, which runs on Microsoft Windows 2000/XP, protects data on desktops and laptop PCs by encrypting the entire hard drive before the operating system displays the log-on screen.

The product is built on the same FIPS-based encryption engine that the company’s enterprise edition uses, said James Armstrong, director of North America sales at WinMagic. Some of the networking capabilities have been removed, but MySecureDoc offers the same Advanced Encryption Standard 256-bit encryption that SecureDoc offers. That product provides full-disk encryption for agencies such as the Homeland Security Department, the National Security Agency and the Royal Canadian Mounted Police.

One-stop remote access

Giving employees secure remote access to data might prevent them from taking sensitive information home on their laptop PCs, which could be lost or stolen. But it has to be done right.

IPSec virtual private networks and Secure Sockets Layer VPNs provide secure access, but each has drawbacks.

IPSec requires organizations to load special software on each PC and creates a direct tunnel into an organization’s local-area network, which could provide a path for hacks into unauthorized systems. SSL VPN appliances provide access only to certain Web-based systems. They do not enable access to custom applications or mainframe systems.

So what’s a user to do? One option is a new hybrid system that offers the best of IPSec and SSL VPNs.

The Talisen Gateway from Talisen Technologies is a proxy server that gives users access to almost any type of application — custom, commercial, Web, Microsoft Windows or mainframe. Users simply need a Web browser to access the server, which acts as a gateway to the LAN. It runs on a Sun Microsystems Solaris server and insulates the LAN from direct access, said George Brill, president of Talisen.

Companies can set policies that restrict users’ access to applications and sensitive data while they are working remotely. If users are allowed to download data, Brill said, agencies should have appropriate security procedures in place to protect it.

Talisen Gateway users include the Defense Department and the U.K. Ministry of Defence.

— Rutrell Yasin

Featured

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above