Encryption from the database to the laptop PC

Vendor initiatives abound for securing sensitive data

To encrypt or not to encrypt? When it comes to protecting sensitive data, there really is no choice. Sensitive information, whether transmitted over a network or stored in databases or on laptop computers, must be encrypted to protect against theft and misuse.

With the latest data theft involving a Department of Veterans Affairs employee whose stolen laptop contained the Social Security numbers and other personal information of 26.5 million veterans, experts say organizations should be looking for products that can protect data regardless of where it is.

RSA Security launched an initiative last week to offer companies and government agencies a more comprehensive approach to enterprise data protection. The aim is to protect sensitive data any place it resides: at the application level, within databases, in files and operating systems, on laptop PCs and mobile devices, and in storage.

RSA’s framework also focuses on managing encryption keys, access control and authentication functions.

At the heart of the company’s initiative are the new RSA Key Manager Partner Program and a strategic partnership with Protegrity, a developer of data security management solutions. Managing encryption keys generated by disparate applications requires integration with data protection products. The partner program will allow vendors to combine their products with RSA Key Manager.

The program is a good move, said Paul Stamp, a senior analyst at Forrester Research. “Right now we’ve got a mess,” he said. Products exist to encrypt laptop PCs, databases, file servers and data in transit, but “none of them talk to each other,” he said. RSA’s initiative will help establish a central broker so the right people can access the encryption keys they need to get their data, he said.

Protegrity and RSA plan to provide product integration between RSA Key Manager and Protegrity’s Defiance DPS and VPDisk by the end of the year. Defiance DPS is enterprise software that helps secure sensitive data in databases. VPDisk secures sensitive files and encrypts structured and unstructured information.

Organizations are looking for ways to manage encryption enforcement policies across files and databases, said Paul Giardina, senior vice president of marketing at Protegrity. “The RSA relationship is a nice fit” because keys can now be managed centrally across an organization with consistent policy enforcement, he said.

RSA is focusing on the infrastructure for managing user access rights, said Chris Parkerson, senior product marketing manager at RSA. Its Key Manager works with RSA Data Security Manager, RSA ClearTrust Web access management software and RSA SecurID authentication solutions. The program will allow RSA to work with other vendors to secure information from its inception to the time it is stored or destroyed, he said. The company is negotiating with vendors that provide encryption for laptops and back-end storage systems, Parkerson added.

Meanwhile, Ingrian Networks is taking a different approach by storing encryption keys on a security appliance rather than on servers where encrypted data resides, as in the case of most software-based encryption products.

The company’s DataSecure Platform consists of five hardware appliances that encrypt data on servers and in databases. Two of the devices, the i315 and i325, comply with Federal Information Processing Standards, providing the level of security for encryption keys that government agencies require, said Derek Tumulak, director of product marketing at Ingrian.

The DataSecure Platform consists of three components: the hardware appliance; the Network-Attached Encryption Server, which runs on the appliance; and the NAE Connector, software that is installed on Web or application servers or in databases and acts as an interface with the appliance.

If an employee downloaded sensitive information such as Social Security numbers to a laptop PC and it was stolen, the thief would not have the correct encryption key to gain access to the data, Tumulak said.

Products that encrypt entire disk drives would further protect laptop users. WinMagic recently released a version of its encryption software for individual and home office or business users. MySecureDoc Personal Edition, which runs on Microsoft Windows 2000/XP, protects data on desktops and laptop PCs by encrypting the entire hard drive before the operating system displays the log-on screen.

The product is built on the same FIPS-based encryption engine that the company’s enterprise edition uses, said James Armstrong, director of North America sales at WinMagic. Some of the networking capabilities have been removed, but MySecureDoc offers the same Advanced Encryption Standard 256-bit encryption that SecureDoc offers. That product provides full-disk encryption for agencies such as the Homeland Security Department, the National Security Agency and the Royal Canadian Mounted Police.

One-stop remote access

Giving employees secure remote access to data might prevent them from taking sensitive information home on their laptop PCs, which could be lost or stolen. But it has to be done right.

IPSec virtual private networks and Secure Sockets Layer VPNs provide secure access, but each has drawbacks.

IPSec requires organizations to load special software on each PC and creates a direct tunnel into an organization’s local-area network, which could provide a path for hacks into unauthorized systems. SSL VPN appliances provide access only to certain Web-based systems. They do not enable access to custom applications or mainframe systems.

So what’s a user to do? One option is a new hybrid system that offers the best of IPSec and SSL VPNs.

The Talisen Gateway from Talisen Technologies is a proxy server that gives users access to almost any type of application — custom, commercial, Web, Microsoft Windows or mainframe. Users simply need a Web browser to access the server, which acts as a gateway to the LAN. It runs on a Sun Microsystems Solaris server and insulates the LAN from direct access, said George Brill, president of Talisen.

Companies can set policies that restrict users’ access to applications and sensitive data while they are working remotely. If users are allowed to download data, Brill said, agencies should have appropriate security procedures in place to protect it.

Talisen Gateway users include the Defense Department and the U.K. Ministry of Defence.

— Rutrell Yasin
