Protecting Enterprise Application Data: Is Encryption the Answer?

RFG believes encryption techniques must be considered to mitigate certain data exposure risks in end-to-end enterprise application deployments. IT executives should examine the available techniques and products to determine if and where they should be deployed to the greatest benefit. However, IT executives should note that the human factor can often override any benefits realized through these efforts, and focus instead on establishing stringent policies and administrative procedures for systems management to avoid unauthorized access to sensitive or confidential data.

Business Imperatives:

• Increased regulatory requirements and the potential for lost business and legal liabilities have added to the pressure on IT executives to ensure the security of sensitive or confidential data stored in and transferred between enterprise applications. IT executives should develop and document an overarching strategy that defines critical data elements and the methods that will be used to protect them. IT executives should also ensure that all existing and new applications are thoroughly examined for possible exposure points.
• Encryption is a valuable tool for protecting sensitive data, and many different products are available to encrypt database rows and columns, files, and session traffic between enterprise applications. IT executives should explore these products to determine if and where they might mitigate or eliminate data exposure for business-critical application. IT executives should focus on providing end-to-end protection for data as it transits each system element that supports the application, both inside and beyond corporate firewalls.
• Human factors often outweigh the benefits of encryption strategies, especially with respect to systems in the data center, which support the middleware and back-end components that are the core of application architectures. IT executives should develop management policies and procedures that reduce the number of personnel that have access to sensitive data, and ensure that all employees working with such data take steps to protect it wherever possible.

Security breaches are a common concern for IT executives, and those related to confidential data are among the biggest worries today. At best, disclosures of such data have embarrassed the firms they have been targeted against, causing loss of business and revenue. At worst, they may create legal liabilities with more serious consequences.

IT executives seeking to address this problem should first develop a corporate-wide strategy document that defines the principles for protecting confidential or sensitive data. This document should clearly define the sensitive data elements and their importance to the company as a whole. For instance, to a retail firm, a customer’s order history might be less sensitive than their credit card data, but to a medical supply firm, the situation might be reversed.

Because of the complexity involved in properly identifying all sensitive data elements, IT executives should create a working group that involves application owners, legal counsel, line-of-business (LOB) executives and their own application architects in the creation of this document.

The product of this effort should be treated as a “living” document, and should be updated as each new application is deployed and each new regulation governing the control of sensitive data is ratified. Where business application profiles (BAPs), business service profiles (BSPs), user application profiles (UAPs), or similar repositories exist, they should be updated and expanded in close concert with the encryption strategy document as well. In addition, the document should be both informed by and made coherent with policies and strategies affecting access rights management, user authentication, and other relevant elements of corporate security policies and strategies.

This encryption strategy document may then serve as a starting point for identifying products that might help reduce exposure risks, and for developing management policies and procedures that also mitigate those risks. There are usually four points where such disclosures can occur, and where such products may be of use:

• At the point where sensitive data first enters the application.
• As application data are transmitted between systems in the end-to-end application architecture.
• Where application data are stored locally on a server, such as in a database.
• Where application data are managed, such as via backup facilities.

Managing data entry is usually a matter of properly protecting the front-end interface from unauthorized modifications, preventing the insertion of data monitoring or trapping hooks at this layer. This is not a trivial task, especially given high churn rates of some vendor Web and application serving products. However, encryption products typically provide little value here because at this stage, data must typically be displayed to the employee or a customer using the application. The major exception is the encrypted communications channel to the user. However, techniques related to these are similar to those related to the second potential disclosure point listed above, and may be addressed in the same manner.

Data transfer is often considered the most sensitive aspect of an application architecture because once data are “on the wire” it becomes much more difficult not only to control access to it, but even to audit that access. Thus, many vendors have produced products that focus on this problem. With the attention such transmissions have received, it is now possible to rely on these mechanisms for most encryption needs, such as securing Web transactions, or using Secure Sockets Layer (SSL) channels in client/server applications.

However, vendors and IT departments have historically paid less attention to the third and fourth categories, and RFG thus believes IT executives may realize the most benefits by focusing their efforts on the long-term data storage and management aspects of each application.

Protecting locally stored data can take several forms, but it typically involves file-based or database encryption techniques. There are a number of vendors of file-based encryption tools, but the most notable product is arguably the file encryption component in PGP Corp.’s Pretty Good Privacy (PGP). This is perhaps because a freeware version has been available for some time, and for a number of platforms, including AIX, MS-DOS, HP-UX, Linux, Mac OS, Solaris, and Windows. Unfortunately, key management can be tricky with such products, but for environments at a high risk of data exposure, especially on mobile devices, file-based encryption techniques may be worth the effort.

Encrypting data in databases can be managed directly in database products from IBM Corp. and Oracle Corp., which now support column-level encryption, and third-party add-on products are also available from Application Security, Inc., Communication Horizons, LLC, and Relational Database Consultants, Inc. This technique allows administrators to encrypt sensitive portions of each data row, while leaving the remainder accessible to reporting engines and other tools.

Finally, most backup products now include encryption facilities to protect these repositories from unauthorized access. However, these options are not always enabled by default, and in some products they may not use strong enough encryption algorithms and keys to truly protect data in long-term storage. This problem is especially critical because backup tapes are often small, and may be easily stolen or misplaced. IT executives should ensure that their administrators are making use of all available options to protect backups for systems that handle confidential or sensitive data. Where appropriate, integration between physical and online security solutions and policies should be considered or implemented, to enhance protection against physical theft of corporate data such as backup tapes.

Unfortunately, all of these advancements provide only incremental increases in security levels in an end-to-end application infrastructure. The real problem in these environments is people, and encryption techniques are primarily designed to protect against unwanted disclosure via unauthorized access. Systems administrators often have access both to the data and the encryption facilities themselves.

Further, even when the strongest controls possible are implemented, highly placed systems administrators and developers can often hook into application data flows at unprotected locations, such as in reporting servers, or where the data first arrives in the application, before it is encrypted. Encryption techniques alone are not generally sufficient to prevent a disgruntled administrator from stealing and then disclosing confidential or sensitive data. IT executives should verify that robust user authentication and authorization processes are also in place.

To address these risks, IT executives should identify all of the management processes that bring systems administrators and developers into contact with sensitive or confidential data. IT executives should then make every effort to reduce the number of employees involved in these processes, or segment the processes so that aspects that might create data exposure risks are confined to specific, named employees.

IT executives should then implement as many auditing facilities as possible to track usage of administrator privileges to access sensitive or confidential data. This auditing role should be owned by individuals not associated with the management of the applications in question, eliminating the chance that a single individual could access that data and then erase his or her audit trail showing that activity.

Finally, IT executives should ensure that general data management best practices are being observed, including avoiding the use of sensitive data such as social security numbers as key fields, and separating sensitive data such as credit card information from less critical information such as order tracking information.

RFG believes data encryption techniques are a necessary element in an enterprise application security strategy, especially for mobile devices and on-the-wire data transfers. However, encryption tools provide only an incremental increase in security levels for data in end-to-end application architectures. IT executives should seek out helpful products where they exist, but should also focus more heavily on the human factor by observing best practices and solid management and auditing procedures for these environments.

RFG analyst Chad Robinson wrote this Research Note. Interested readers should contact RFG Client Services to arrange further discussion of an interview with Mr. Robinson.