A Q&A with Patrick Townsend of Townsend Security
Encryption is one of the best defenses against data loss, giving an organization some assurances that unauthorized interlopers won’t be able to access encrypted information, no matter where it resides. Moreover, in some cases the organization may not have to notify the victims of a breach because encryption provides safe harbor. Yet many organizations still choose to not encrypt their data, at their peril. I spoke with Patrick Townsend, CEO of Townsend Security, about the benefits of encryption and key management.
Can you please explain, for a layperson, the value of encrypting PII data?
From a security perspective, encrypting PII is simply a baseline, fundamental protection that most people would expect of businesses in today’s world. If hackers are trying to steal data that’s stored on servers, it will be unusable so long as it’s encrypted. Nobody is immune from data breaches, but encryption makes sure the information is properly protected. To be able to tell your customers that you’ve protected their sensitive data, that even in the case of a breach they won’t be exposed is a wonderful thing.
What are some of the main reasons organizations decide to not encrypt their data?
Five or six years ago people had the attitude of ‘I’ll just pay the fine if we have a data loss—it’s not a big deal.’ Well, no one thinks that anymore. We now know that companies suffer hugely with the legal liability of data breaches—there’s a lot of litigation, fines and other associated costs. Today, the problem is the perception that encryption is difficult, complex, time consuming and expensive. The reality is that these days all of the major companies have done important work in this area and encryption is not as expensive or difficult as it used to be.
If an organization encrypts their information, do they still have risk? Is there any foolproof method for encryption?
No one in the security industry will ever tell you that there’s such a thing as perfect protection—and if they do, you probably shouldn’t trust them. Encrypting your data is a substantial improvement in your security posture, it’s an industry-wide best practice, but it’s not perfect. And encryption in and of itself is not enough. You need to manage and protect the key. We see a lot of situations where people store keys on the same server where their data is stored. If you’re not doing it right, you won’t get the real benefit of extra protection. Our analogy is that when you leave your house or apartment and lock the door you don’t leave the key in the lock. That being said, I think key management plays a greater role in data breaches than we realize.
How can a risk manager proactively protect sensitive data and choose an encryption provider?
A good practice that’s reflected in a number of compliance regulations is to start by knowing where sensitive data is stored. It seems obvious but a lot of companies, especially mid-sized companies, have many servers and applications and they don’t know where the sensitive data is. Getting an inventory is the first step before you make any technological decisions. Then you can at least start prioritizing and addressing your issues accordingly. In the areas of encryption and key management there are well-proven standards and certification processes you can rely on when you look at vendor solutions. The last thing I’d say is to look for a vendor that can provide technology you can use out of the box, which is something you couldn’t do ten years ago.
It’s been reported that NSA can now crack encryption. How might NSA be doing this? Do they have backdoors into the various vendor encryption products, or super computers that simply run trillions of calculations?
I can only speak for our company, and tell you that we don’t implement any of the suspect encryption algorithms that have come to light recently. Our system doesn’t have any backdoors or ways to be compromised, we own all of our source code which has been independently validated by a security lab, and we have no access to our customers’ encryption keys even when they’re stored in the cloud, so it’s our belief that our product is not subject to this concern. To me, the vulnerability really seems to be around key management, so I’m not personally concerned about this particular issue. With encryption, I don’t think it’s feasible to use a brute force attack—I don’t care how many computers you’re using. All of us who work in the security industry stay closely involved with a worldwide group of academic cryptographers who are evolving the algorithms. We continue to benefit from their work, basing our solutions on it, so there should be a level of confidence that things are being done the right way.
Any other thoughts?
I think a lot of folks are interested in cloud security, especially now with so many cloud providers out there. All of the things we’ve talked about apply in spades to data stored in the cloud. You want to make sure that the encryption is properly vetted to protect you from any added risk.
In summary…
When a client says “we’re encrypting all of our sensitive data” the expectation is—and it needs to be verified—that they’re applying this best practice across the many locations in which organizations may store, transmit and share PII data. This can include mobile devices (laptops, iPhone, thumb drives); email; online transactions; data-at-rest (corporate databases); backup tapes; and online storage solutions (cloud). However, due to cost or complexity some organizations might decide to forgo encryption in certain settings. This places the organization, employees and customers at unnecessary risk.