The Green Sheet Online Edition
September 12, 2011 • Issue 11:09:01
Encryption's place in data protection
Encryption is an important issue for compliance with Payment Card Industry (PCI) data, device and application security requirements. And like tokenization, which I discussed in "What tokenization is and isn't," The Green Sheet, May 9, 2011, issue 11:05:01, it is a confusing topic for many people.
In addition, vendor hype can make it difficult for nontechnical people to separate fact from fiction. To make the picture clearer for ISOs, merchant level salespeople (MLSs), processors and their merchant customers, this article will delve into what encryption is and what it is not, and explore how it helps with PCI compliance.
To begin, encryption has been around in various forms for several thousand years and will still be used long after PCI is forgotten. It isn't a single technology or tool, but a whole family of solutions. Together, they form a key building block of the Internet and all forms of e-commerce. This contrasts with tokenization, which solves only one specific problem inside e-commerce.
Encryption consists of scrambling a message or piece of data so that it cannot be read. That wouldn't be very useful if the process were one-way - if it were, say, the electronic version of a paper shredder. But encryption involves doing the scrambling in such a way that it can be unscrambled if you have the secret piece of information: the key.
Encrypting data is a little like putting a private letter in a high-security safe: even if burglars steal the safe, they can't get to the information in the letter in order to read it. Similarly, if hackers steal a database containing millions of credit card numbers, no real harm is done if that data is encrypted and the hackers cannot decrypt it.
Following are basic principles regarding encryption. First, remember that encryption isn't a silver bullet. Although an invaluable tool in lots of different areas, there are many security issues encryption does not solve. Getting encryption right is an important part of addressing security - but only a part.
Second, encryption protects data only while it is actually encrypted. This sounds obvious, but it often gets forgotten. This means, for example, that if you rely on a wireless encryption scheme like Wi-Fi Protected Access 2 (WPA2), credit card data sent over the wireless link is protected only while it's traveling on the wireless leg of its journey.
If that sensitive data has to go across the country or across the world to reach the processor or gateway, wireless encryption protects only the first 50 feet of that journey.
Similarly, every time sensitive data is decrypted for use, it becomes vulnerable. This scenario is inevitable because the proper, intended recipient of the data can't work with the scrambled version.
That is why everyone should be diligent in checking the claims of companies that offer end-to-end encryption. Too often, the solution is not genuinely end to end, and the traffic is broken out at several points along the path, introducing vulnerability at each point.
Third, some good news: in almost all cases with encryption tools, you don't have to look far to find an excellent solution. In fact, most standard plug-and-play versions are better than the new, unusual solutions. So don't be fooled into looking for novelty or the latest and greatest breakthrough.
The boring solutions out there are incredibly strong and resistant to attack if used correctly. It's hard to get precise figures, but probably 99 percent of attacks on encryption either fail or only succeed because the encryption was set up incorrectly in the first place.
It's as if the world provides you with an almost-free, super-high-quality safe in which to store your confidential paperwork; the most likely source of problems is you - if you forget to lock the papers away or if you leave the key in plain sight on top of the safe.
Keeping data at rest from traveling
There are various ways encryption comes into play in PCI. Encryption of data falls into two modes: encryption of data at rest, for example when the data is sitting in a file or database, and encryption of data in transit, when it is moving across a network.
Regarding PCI and encryption of data at rest, adhere to the following main requirements:
- Remember, certain types of data must not be stored, regardless of encryption issues: for example, PINs and mag-stripe data.
- Whenever possible, avoid storing sensitive data, such as primary account numbers. Careful encryption of such data is the right fall-back plan, but the best solution is to avoid having the data in the first place.
- Make sure that all sensitive data is encrypted. This is the equivalent to making sure you don't leave sensitive paperwork sitting next to the safe instead of in it.
One particular example of this deserving of attention is the storage of sensitive data on removable media such as thumb drives. Too often, people forget to encrypt this data, concentrating only on the obvious storage places, such as databases.
- Carefully manage how encryption/decryption keys are themselves stored and managed. An attacker who can get hold of the decryption key can easily get past any sort of encryption, no matter how powerful.
So it is critical that keys be protected like valuable assets. This situation is no different from losing your house keys to burglars: no matter how expensive the locks on your doors, they open when someone uses the right key.
Keeping data in motion on course
Regarding PCI compliance and encryption of data in transit, respect these primary requirements:
- Encryption is crucial for traffic that passes over open, public networks such as the Internet. It is also vital that encryption protect the information for the entire length of that travel. The data obviously needs to be decrypted at some point, in order to be used at all. But that should occur inside the safe, internal environment of the gateway or processor.
- Wireless communications are a special case for encryption for two reasons. First, wireless is particularly vulnerable to malicious eavesdropping, since an attacker needs to have only a nearby antenna, as opposed to the much more difficult task of getting physical access to a cable inside a building.
Second, wireless encryption has an unusual history. The first type of encryption developed for wireless - called wireless equivalent privacy, or WEP - was badly designed and implemented, making it easy for hackers to defeat. The more modern replacements - WPA2 and 802.11i, for example - are far stronger.
Following the rules
The more sensitive the communications, the more important encryption becomes. For instance, traffic used to control a system (such as administrative access to a computer) is more important and more sensitive than just normal system access. So it's particularly important that communications controlling systems be encrypted.
These rules should help clear the techno-babble haze surrounding encryption. Following them means merchants, ISOs, MLSs and others can enjoy the many benefits of this technology while doing relatively little work. And that's a good deal for everyone.
Dr. Tim Cranny is an internationally recognized security and compliance expert and is Chief Executive Officer of Panoptic Security Inc. (www.panopticsecurity.com). He speaks and writes frequently for the national and international press on compliance and technology issues. Contact him at firstname.lastname@example.org or 801-599-3454.