A White Paper by Bloor Research
Author: Nigel Stanley
Publish date: November 2007
This document is Copyright 2007 Bloor Research
"Some email traffic is now far too important to encrypt solely at an organisation's gateway to the outside world." Nigel Stanley
Summary

As email is now fully embedded as a business tool and is being used to transfer critical, sensitive data, it is becoming increasingly important to provide a secure, robust and manageable email encryption service for users. Email encryption cannot be addressed as a standalone proposition. It must be considered as part of an organisation-wide encryption service, providing security for other applications and line of business solutions. Some email traffic is now far too important to encrypt solely at an organisation's gateway to the outside world. The rise of the inside threat means that all organisations need to consider who can access internal messages and ensure that this risk is mitigated, if appropriate, from sender through to recipient. A mature, blended approach to email encryption that encompasses an intelligent analysis of the risks to data and the associated data value will enable organisations to implement a cost effective, robust and reliable solution. Email encryption should be of strategic concern to businesses given the possible value of data contained in many messages. Appropriate levels of encryption should be applied intelligently.

Email now mainstream and mission critical

For any sizeable organisation email is probably the top, mission critical application used by the company. Of course customer database systems, finance applications and product design systems are important, but it can be legitimately held that email is the glue that holds an organisation together and provides major support for critical processes with suppliers, partners and customers. With this ubiquitous and important nature comes the responsibility of ensuring that messages sent and received via an email system remain secure at all times. Users are not going to think about the sensitivity of their message before they send it; rather, technology, enabled and controlled by policies, needs to come to their rescue and ensure that messages are appropriately secured.
It is very rare for an organisation to mandate less security in its IT systems. In fact the relentless march of new threats places pressure on us all to increase our levels of security to ensure we can match new and emerging attacks. Email is one of the most potent business tools that we have, but also one of the most vulnerable systems for attack. The volume of organisational smarts that can travel out of the virtual front door via email can be staggering. Quotes, legal information, contracts, customer data and just about every type of document you can think of will be transported via email. Due to the prevalence of email it must be considered as a top priority in any corporate security and encryption strategy. Implementing firewalls, intrusion prevention and email hygiene devices is fine on the one hand, but if confidential email traffic is in a plain, unencrypted format there will exist a fundamental flaw in an organisation's security strategy.

Reputational risk

Many CEOs see their role as keeping their corporations out of the headlines of the Wall Street Journal or Financial Times for anything other than good reasons. Building a brand, with an associated reputation, takes years and can be destroyed in days following allegations of inappropriate behaviour, which can often include data losses facilitated by insecure, inappropriate or vindictive email messages. In fact an organisation can be one email away from significant, if not terminal, damage. Reputational risk is now more likely following the enactment of various corporate behaviour laws such as Sarbanes-Oxley, the Payment Card Industry Data Security Standard and the EU's Data Privacy Directive, all of which place responsibility, in different measures, on corporate executives. In addition, over 30 states in the US have enacted Breach of Information Legislation that forces organisations and agencies to disclose security breaches involving personal information, and a federal law is being actively discussed. Internationally, countries are drafting similar provisions to protect consumers and the EU is likely to see legislation by 2009.
As well as attracting reputational risk there is a direct requirement, in many instances, for organisations to compensate users for subsequent financial loss due to a breach. Research from the Ponemon Institute showed a breach to cost $182 per record, rising to $197 per record, with the increase attributable to increasing legal costs.

Email encryption and a wider security strategy

Email encryption should never be considered in isolation from a broader security strategy that touches all parts of an organisation and protects data wherever it goes. Fundamental to this security strategy must be the issue of encryption and how data, in any of its forms, can be secured from prying eyes according to an organisation's overall data protection strategy. Historically, encryption had been perceived as difficult and costly to implement, due in part to the issue of key management and difficulties with administration. Creating, authenticating, distributing and recovering public and private keys was a time consuming task and placed a burden on the IT department. Policy decisions needed to be made with regard to how keys were safely distributed, refreshed or placed into secure storage should decryption later be required. Additionally, placing demands on users to go through more steps to encrypt messages, or to deviate from their standard working methods, meant that encryption was patchy at best and non-existent at worst. Wider issues, such as departmental politics, need to be addressed, as an organisation has to be aware of how to prevent pockets of unrecoverable, encrypted data appearing across a network. Robust key management and a focus on an achievable policy are critical in preventing silos of unrecoverable data.

Point solution or strategic approach?

There are many IT security solutions that perform the role of a point solution; that is, they solve a very particular security issue.
Some organisations have a strategy of adopting best of breed solutions, for example the best firewall, the best intrusion prevention system and the best database security tool. Whilst this approach will deliver very good point solutions, orchestrating these applications to work coherently together can often be almost impossible as they may be based on different standards, technologies or incompatible management interfaces. This not only increases the time and cost of deploying and maintaining technology but means valuable IT staff and resources could have been used on other projects. An alternative approach would be to adopt a single provider of a solution set, on the basis that the elements will work together and there is one vendor to deal with. In some instances this may result in the adoption of a solution component that is not best of breed, but in many cases the solution is more than adequate and easier manageability makes up for any shortfalls.

Email encryption needs to be considered as part of a broader encryption strategy, as the complex issues of, for example, key management, policy creation and reliability can only be properly addressed as part of a strategic approach to encryption for the entire organisation. It is unlikely that a number of point encryption solutions would be successful, as management issues would be compounded, leading to huge practical problems. Bloor Research believes that for a critical infrastructure service such as email encryption, a single vendor solution, from a leading supplier, is the best strategy.

Software or appliance based encryption?

Appliances, encapsulated servers that contain preconfigured hardware and software, are, quite rightly, popular in many small and medium sized businesses. The deployment of an appliance can often be as straightforward as placing it into a rack and switching it on, giving us the notion of a "FedEx" system upgrade: a new system is simply mailed or delivered by van for easy, instant installation. For many security applications this is a valid and useful approach. For larger enterprises with complex multi-site operations, many of which may operate 24x7, appliance-based solutions are generally unable to provide the depth and breadth of effective encryption seen from an enterprise software approach. Issues around scalability, redundancy and practical systems management make a software-based approach to encryption a more suitable choice for large scale organisations. The growth of virtualisation technologies is raising another challenge to appliance vendors, as enterprises see the possibility of hosting multiple security systems on pre-existing but under-utilised servers, increasing the return on what could be considerable hardware investments.

From gateway to gateway

When and where should you encrypt your email traffic? Is it at the client, or is it at the gateway prior to sending to the recipient? Or maybe the encryption is only from the gateway to the recipient client? Or maybe a combination of all of the above is appropriate? Many organisations are happy with the placing of an email gateway of some description that encrypts messages as they leave the corporate perimeter. These gateways are often appliances that process emails as they leave and enter the organisation. The problem with gateway encryption is that emails are still travelling around the organisation unencrypted and in plain text, vulnerable to prying malware or interception prior to being encrypted by the gateway.
Figure 1: email traffic is only encrypted once it passes through the gateway

In some circumstances, organisations with data deemed to be of low value or not at risk may find gateway encryption appropriate, but those needing a higher level of security, based on the type of work they do or the value of the data they manage, will need to look a bit deeper. Why? Threats to an organisation need not always come from an external source, and indeed threats to an organisation's secure data can be just as damaging from internal users who make mistakes.

Most businesses and organisations have in place basic security arrangements that enable them to conduct their day to day work. For many this will entail the provision of a relatively safe and protected building for employees to come to work, secure in the knowledge that they will be able to leave the premises at the end of the day without either harming themselves or the business. IT security is dealt with in more or less the same way. The business will put together sufficient technologies so that it can undertake its day to day work, with security implemented appropriately. The level of security protection can range from nothing through to complex intrusion prevention and detection systems combined with state of the art firewalls. Unfortunately most of this effort is targeted at keeping the bad people out. For many who are not IT security experts their visualisation of the topic comprises just this: lots of barriers and obstacles to prevent unauthorised people from getting in. No one would disagree with this approach, but keeping the bad people out is only half the problem. What if the bad people are already inside your organisation? What about those upset about poor bonuses looking for a quick exit? This type of insider threat is a real and present danger. Just one incident can have material consequences on a business.

Most vulnerable to outside interference would be the ubiquitous mobile user with a handheld device. Tour any financial centre and see the thousands of city whiz kids passing data around in email form, with goodness knows what data being passed in plain text. Unless these emails are secured using a consistent policy, as implemented by an organisation's desktop and gateway encryption products, before they leave the handheld device, organisations leave a big gap in their security measures. This immediately demonstrates how perimeterless modern enterprises now are, and puts added pressure on messaging security experts to ensure their email is as secure as possible. Remember, a $300 device could contain data worth millions of dollars to the right individual or organisation. If the lost data contained customer information then an organisation will need to fix the data breach and report the loss to customers, at possibly great financial and brand equity expense.

Historically, consideration was given to securing email traffic based on a departmental need, such as HR, legal and executive messages, which were deemed to be sensitive. It is the opinion of Bloor Research that this approach is too simplistic, as the nature of emails generated by those further down the hierarchy can be just as compromising as those created higher up. In this case email encryption needs to be considered as a corporate-wide solution.
From end point to end point

A more suitable email encryption option that offers better coverage for more sensitive data would be to put in place a security technology that requires all messages to be encrypted at the time they are sent from a client, any client. That way there would never be insecure email traffic, as we now have whole journey encryption for each and every email being sent. A challenge with this approach is how to make the encryption seamless to the user: asking users to manually encrypt emails each time they are sent is a sure fire recipe for wasted investment in security technology. All it takes is a single user not following policy for the investment in technology to be wasted. By using software that integrates into the heart of an email system, as well as an existing directory structure, user intervention is not required and system management is made a lot easier. Organisations that deal with legal, financial, medical or any other classically sensitive data should seriously consider the benefits of end point based email encryption.

Risk vs. data value: the blended approach

It is apparent that most businesses will adopt a blended approach to their email encryption as they balance the value of the data against the cost of ensuring it is protected. By reviewing the type of data being sent, the roles of individuals and the overall encryption strategy, a mixture of no encryption, client-based and gateway-based encryption is the most probable, and sensible, outcome.

Figure 2: Approaches to email encryption. The figure places the approaches on two axes, data value and risk to data (lower to higher) against key management required (less to more): No Encryption; Gateway Encryption (suited to lower risk/value data, partial journey encryption only, does not deal with the inside threat issue, more scalable); Blended Encryption; Endpoint Encryption (suited to high value and sensitive email, mitigates the inside threat issue, full journey encryption).

Implementing an email encryption solution

If you work in an organisation that handles sensitive data then email encryption is a must have. The best model for this encryption is an end point to end point (client to client) basis; anything else leaves you subject to a security violation. The implementation of a client to client solution need not be onerous, and you would expect a leading vendor to have a product that would interoperate with your current email system, providing the tools and infrastructure to enable deployment and management across a desktop estate. This solution must also have the capability to reflect organisational security policies in the emails being sent; for example picking up keywords, sender details or recipient information and then applying an appropriate level of encryption based on relevant sensitivities. It is important to have strong integration with content scanning and data leakage prevention systems. An email client encryption product that is also extensible enough to take part in an enterprise encryption strategy that secures data ranging from USB flash drives through to file servers is a must have, as previously discussed. Throughout, user workflow and productivity must not be impacted, with encryption implemented transparently and enforced by policy.

Market overview

Email encryption can be implemented by using a hardware appliance or by software installed on a server or on clients such as desktops/laptops and smart phones. An appliance-based approach to encryption may be a valid approach for some small and medium sized organisations with fixed, specific requirements. For larger organisations an appliance-based approach to encryption may not be flexible enough and may become severely limiting in a short period of time. In addition, an appliance will only provide encryption services from the gateway onwards; it will not address the issue of encrypting internal email traffic.
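The policy-driven, blended model described under "Risk vs. data value" and "Implementing an email encryption solution" above, as an added example that is not from the paper or any vendor's product: a message is classified on keywords, sending department and recipient domain, and the hops on which it would still travel in plain text are listed for the chosen level. The corporate domain, keyword list, department roster and hop model are constructed assumptions.

```python
"""Policy-driven choice between no, gateway and endpoint email encryption.
Added illustration, not code from Bloor Research or any vendor; the domain,
keyword list, department roster and hop model are constructed assumptions."""
from dataclasses import dataclass

INTERNAL_DOMAIN = "example.com"                     # assumed corporate domain
SENSITIVE_KEYWORDS = ("contract", "salary", "patient", "card number")
SENSITIVE_DEPARTMENTS = {"hr", "legal", "finance", "executive"}
# Hops a message crosses; the gateway sits at the perimeter, so an internal
# message never reaches it.
OUTBOUND_HOPS = ("client -> internal mail server",
                 "internal mail server -> gateway",
                 "gateway -> recipient organisation")
INTERNAL_HOPS = ("client -> internal mail server",
                 "internal mail server -> recipient client")

@dataclass
class Message:
    sender: str
    recipients: tuple
    subject: str
    body: str
    sender_department: str = "general"

    def is_external(self):
        return any(not r.lower().endswith("@" + INTERNAL_DOMAIN)
                   for r in self.recipients)

def classify(msg):
    """Return (level, reasons); level is 'none', 'gateway' or 'endpoint'.
    Sensitive keywords or a sensitive sending department mark high-value
    content, which gets endpoint (client-to-client) encryption so it is never
    in plain text inside the organisation; low-value mail leaving the
    perimeter gets gateway encryption only, and low-value internal mail none."""
    reasons = []
    text = (msg.subject + " " + msg.body).lower()
    hits = [k for k in SENSITIVE_KEYWORDS if k in text]
    if hits:
        reasons.append("keywords: " + ", ".join(hits))
    if msg.sender_department in SENSITIVE_DEPARTMENTS:
        reasons.append("sender department: " + msg.sender_department)
    if reasons:
        return "endpoint", reasons
    if msg.is_external():
        return "gateway", ["external recipient, low-value content"]
    return "none", ["internal, low-value content"]

def plaintext_hops(msg, level):
    """Hops on which the message travels unencrypted under the chosen level."""
    hops = OUTBOUND_HOPS if msg.is_external() else INTERNAL_HOPS
    if level == "endpoint":
        return []                       # whole-journey encryption
    if level == "gateway":              # plain text until the perimeter (Figure 1)
        return [h for h in hops if not h.startswith("gateway")]
    return list(hops)

if __name__ == "__main__":
    # Constructed samples: internal chat, low-value external mail, contract draft.
    for m in (Message("bob@example.com", ("anna@example.com",), "Lunch?", "12?"),
              Message("bob@example.com", ("buyer@partner.example",), "Lunch?", "12?"),
              Message("bob@example.com", ("buyer@partner.example",),
                      "Draft contract", "Please review the attached.")):
        level, reasons = classify(m)
        print(level, reasons, plaintext_hops(m, level))
```

The gateway case shows the point of Figure 1: the two hops before the perimeter remain in plain text, which is exactly the exposure the endpoint level removes.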
A software based encryption product provides a more flexible and manageable environment for larger organisations. It will also be easier to integrate into a broader IT management infrastructure, especially if the vendor is able to provide enterprise data encryption and the choice of endpoint or gateway level encryption. Well-proven and extensible key management is critical to any solution that is implemented. The ability to quickly and seamlessly issue, recover and manage keys is core to the successful implementation of email and other strategic encryption applications deployed today and in the future.

Purchasing issues and points to consider

A decision will need to be made early on regarding the nature of the email encryption solution being evaluated. Tactical purchases are easier to make but are likely to lead on to problems later, with poorer management tools and weak scalability. Any savings in the short term will be quickly lost due to increased management and limited functionality. A strategic email encryption solution should be considered in most cases. This should be capable of securing email traffic from end point to end point and via gateways, depending on an organisation's specific risk profile, data value and deployment considerations. Whatever approach is required, the email encryption functionality should be one element of a broader encryption strategy for an organisation.

The vendor relationship with a provider of email encryption services needs to be considered in depth. You will be buying more than a simple encryption product; instead you will be purchasing a strategic element of your overall security strategy. Consideration needs to be given to the make up of a potential vendor, their support infrastructure, fiscal soundness, broader encryption strategy, international reach, road map, focus and history of working with encryption. Together these should give you a belief in the vendor's soundness and fitness for purpose.
Bloor Research overview

Bloor Research has spent the last decade developing what is recognised as Europe's leading independent IT research organisation. With its core research activities underpinning a range of services, from research and consulting to events and publishing, Bloor Research is committed to turning knowledge into client value across all of its products and engagements. Our objectives are:

Save clients time by providing comparison and analysis that is clear and succinct.
Update clients' expertise, enabling them to have a clear understanding of IT issues and facts and validate existing technology strategies.
Bring an independent perspective, minimising the inherent risks of product selection and decision-making.
Communicate our visionary perspective of the future of IT.

Founded in 1989, Bloor Research is one of the world's leading IT research, analysis and consultancy organisations, distributing research and analysis to IT user and vendor organisations throughout the world via online subscriptions, tailored research services and consultancy projects.

About the author

Nigel Stanley, Practice Leader, Security

Nigel Stanley is a specialist in business technology and IT security. For a number of years Nigel was Technical Director of a leading UK Microsoft partner, where he led a team of consultants and engineers providing secure business IT solutions. This included data warehouses, client server applications and intelligent web based solutions. Many of these solutions required additional security due to their sensitive nature. From 1995 until 2003 Nigel was a Microsoft Regional Director, an advisory role to Microsoft Corporation in Redmond, in recognition of his expertise in Microsoft technologies and software development tools. Nigel had previously worked for Microsoft as a systems engineer and product manager specialising in databases and developer technologies. He was active throughout Europe as a leading expert on database design and implementation. Nigel has written three books on database and development technologies including Microsoft .NET. He is working on a number of business-led IT assignments and is an executive board member of a number of privately held companies. He has significant experience in security and related activities and is practice leader for security at Bloor Research.
Copyright & disclaimer

This document is subject to copyright. No part of this publication may be reproduced by any method whatsoever without the prior consent of Bloor Research. Due to the nature of this material, numerous hardware and software products have been mentioned by name. In the majority, if not all, of the cases, these product names are claimed as trademarks by the companies that manufacture the products. It is not Bloor Research's intent to claim these names or trademarks as our own. Whilst every care has been taken in the preparation of this document to ensure that the information is correct, the publishers cannot accept responsibility for any errors or omissions.
Suite 4, Town Hall, 86 Watling Street East, TOWCESTER, Northamptonshire, NN12 6BS, United Kingdom
Tel: +44 (0) Fax: +44 (0) Web: