Research shows that businesses are not applying common encryption tools effectively to contain the fallout and costs of data breaches and encryption is still considered difficult to deploy and use, especially by small to medium-sized enterprises (SMEs).
Any small business looking at adopting disk encryption or rolling it out more widely to boost their data protection capabilities should consider five key issues, according to Bernard Parsons, CEO of disk encryption firm Becrypt.
1. Ease of use
Above all else, Parsons believes small businesses should look for products that are easy to use and easy and quick to install.
“This is partly about reducing the time and expertise required to install products in the first place, but an important subsequent point is also total cost of ownership,” he said.
If a product is not easy to install, Parsons said it is usually a good indicator that there is a level of complexity that will remain as a long-term business overhead.
“The more complex a product is, the more complexity there is to manage, leading to higher levels of required expertise and the more potential for support issues to occur over time, driving up the product’s total cost of ownership for the organisation,” he said.
2. Accessible support
After ease of use, SMEs should consider whether a potential encryption supplier can offer good technical support, said Parsons.
“Even if you choose a product that is easy to use, which is going to reduce the amount of required technical support, you should still think about the potential for requiring support over the total life of the product,” he said.
When firms are considering doing something slightly differently in future, such as encrypting non-standard devices like RAID servers, it will be useful to be able to call someone with sufficient expertise, said Parsons.
“The option of phone-based support is important – being able to jump onto a call in a reasonable amount of time and actually talk to an expert,” he said. “Therefore, we would certainly recommend testing this process with a vendor or the partner before you go ahead and procure.”
3. Proof of encryption
Although encryption turns what would potentially be an information loss into just the loss of a physical asset, protecting the organisation’s information and addressing its liabilities under regulations such as the GDPR, there is often a requirement to prove that devices actually were encrypted in the event of a loss, in order to avoid some of the reporting requirements within these regulations.
“Proving that a device loss is not an information loss and avoiding the need to undertake breach notification is something you want to be able to think about in advance,” said Parsons.
For firms that deploy an encryption product that includes centralised management, that functionality should already be there. But, said Parsons, many small businesses will choose to deploy in a more standalone configuration, without the need to stand up a central management platform.
“With standalone installs, you should still ensure that that product has a reporting capability of some kind, such as online, allowing the encryption status of your estate of devices to be reported,” he said.
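One way to meet the reporting need described above on a standalone Windows device is to collect the encryption status yourself and keep the result as evidence. The script below is an added example, not code from the article or from Becrypt; it assumes the device uses BitLocker (the article names no product) and the built-in BitLocker PowerShell module, and the output path and file name are choices made here.

```powershell
# Added example (not from the article): collect disk-encryption status evidence from one
# standalone Windows device. Assumes BitLocker and its built-in PowerShell module.
# Run in an elevated PowerShell session; the JSON record can be copied to a central store.

$timestamp = (Get-Date).ToUniversalTime().ToString("o")

$volumes = Get-BitLockerVolume | ForEach-Object {
    [pscustomobject]@{
        MountPoint           = $_.MountPoint
        VolumeType           = $_.VolumeType.ToString()
        ProtectionStatus     = $_.ProtectionStatus.ToString()   # On / Off
        VolumeStatus         = $_.VolumeStatus.ToString()       # FullyEncrypted, EncryptionInProgress, ...
        EncryptionMethod     = $_.EncryptionMethod.ToString()   # e.g. XtsAes128, XtsAes256
        EncryptionPercentage = $_.EncryptionPercentage
        KeyProtectors        = @($_.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    }
}

# A volume only counts as protected when encryption has completed AND protection is on.
# A fully encrypted volume whose protectors are suspended (ProtectionStatus Off) would not
# support a claim that a lost device was protected.
$unprotected = @($volumes | Where-Object {
    $_.VolumeStatus -ne 'FullyEncrypted' -or $_.ProtectionStatus -ne 'On'
})

$report = [pscustomobject]@{
    Hostname            = $env:COMPUTERNAME
    CollectedAtUtc      = $timestamp
    AllVolumesProtected = ($unprotected.Count -eq 0)
    Volumes             = $volumes
}

# Output location chosen for this example; adjust to wherever evidence is retained.
$outFile = Join-Path $env:ProgramData "encryption-evidence-$($env:COMPUTERNAME).json"
$report | ConvertTo-Json -Depth 4 | Set-Content -Path $outFile -Encoding UTF8

# Record a hash of the report so later alteration of the stored evidence can be detected.
$hash = (Get-FileHash -Path $outFile -Algorithm SHA256).Hash
Write-Output "Report written to $outFile (SHA256 $hash)"

if ($unprotected.Count -gt 0) {
    Write-Warning "Volumes not fully protected: $($unprotected.MountPoint -join ', ')"
}
```

Running this on a schedule and keeping the dated reports (with their hashes) gives a standalone estate a record of each device's encryption state that predates any loss, which is the point Parsons makes about thinking about proof in advance.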
4. Multi-platform support
Another key issue SMEs should consider is whether encryption products can be used across multiple operating systems, which are found even within small business IT environments.
“While firms may initially be looking at deploying encryption within an estate of Windows devices, in a year or two they may have other requirements, such as needing to manage encryption on Mac devices, or on smartphones and mobile devices within that same suite of products,” said Parsons.
“Therefore, it is a good idea to look for vendors that have multi-platform offerings, helping to future-proof your technology choice. This will ensure that you are not tied to a vendor, or at least that your existing supplier is an option as your requirements grow.”
5. Best practice
Finally, Parsons said there is an increasing regulatory requirement to demonstrate that organisations have gone through some process of ensuring that the technology they are using represents best practice.
“For example, GDPR explicitly references ‘state of the art’ technology,” he said. “To fully ensure that you are managing liabilities, you need to evidence that you are not just adopting technology, but that it is appropriately ‘state of the art’.”
Achieving this level of confidence can be done only by looking at technology that has third-party validation through product assurance or product certification, said Parsons, which provides independent validation that the product is of an appropriate quality.
Although there is a variety of common certification schemes relevant for encryption products, such as the US Federal Information Processing Standard (FIPS) to ensure that algorithms have been correctly implemented, Parsons said organisations should be wary of adopting technology just because it has a FIPS certification.
“The majority of products use the same algorithms, such as the Advanced Encryption Standard (AES),” he said, “and FIPS ensures that a third party has validated that the vendor has correctly implemented the algorithm. But suppliers can, and still do, implement products inappropriately, leaving vulnerabilities.”
A good example of such vulnerabilities in encryption products is within solid state drives (SSDs), said Parsons.
“Recent research from Radboud University in the Netherlands has highlighted vulnerabilities in not just one supplier, but a whole range of suppliers’ SSDs,” he said. “The fundamental reason that they highlight is that it is actually not easy to implement encryption well, and it is easy to make mistakes. Vendors can take shortcuts, which means security researchers can then find resulting vulnerabilities. In this case, they were able to bypass the encryption within SSDs.”
For this reason, said Parsons, organisations should instead look for certification schemes that are more comprehensive, such as the Commercial Product Assurance (CPA) scheme run by the UK’s National Cyber Security Centre (NCSC).
“CPA works alongside FIPS for validating algorithms, but it says more about the overall product quality and implementation, looking at the security architecture to make sure it has been designed and implemented in a sensible way,” he said.
The CPA also looks at the supplier coding and build standards to reduce the risk of there being a vulnerability in the product. “The risk is never fully mitigated,” said Parsons, “but it certainly goes down to a point that allows you to say that, as an organisation, you are adopting best practice.”