Security Laboratory

Security Laboratory: Cryptography in Business Series

We are grouping papers in this series to focus on the many facets of data encryption.

Cryptography Industry Analysis Papers


By Stephen Northcutt
One of the biggest challenges in 2008 is full disk encryption. As 2007 ended, we discovered that OpenSSL, a real workhorse for communications, had a vulnerability: the random number wasn't random.[1] We are also looking at challenges in our understanding of cryptography, with problems with cryptographic hashes[2] and the potential for quantum computers[3]. Multinationals face issues with compliance and export regulations[4] as well as in-country laws concerning the use of cryptography[5].

The Security Laboratory is pleased to announce that the SANS Institute and a leading cryptography vendor have teamed up to produce guidance on navigating the compliance landscape as well as keys to procuring a cryptographic system. We interviewed Nagraj Seshadri[6], the Product Marketing Manager for Utimaco Safeware, Inc., to find out why Utimaco was willing to invest in developing research for the whole defensive information community.

Nagraj stated, "At Utimaco, a provider of enterprise-class data encryption solutions, we are constantly asked by both our customers and prospective customers to provide them with more information about regulatory compliance requirements in relation to data security. In the recent months, compliance has become a very big driver for the adoption of data encryption especially in North America. While there is a lot of information out there about compliance, it is not easily accessible or fully relevant to customers' real-world needs. We turned to SANS to help us solve this problem."

We then asked Nagraj why he chose SANS[7] and their security industry analyst program. Many people do not even realize SANS does analysis. It is buried in their vendor information page; they call it their Industry/Market Analysis Whitepaper Program and state the "research will be educational in nature and will define and size the market segment in question. It will evaluate vendors' approaches to their market and their market offerings. The target audience is mid-to-senior IT management, i.e. directors, VPs, CIOs, CTOs and other IT professionals. This analysis will focus on both business and technical issues. It will assist the company in understanding their specific market segment and define risks that may negatively affect the company's operations, IT environment, and business performance."[8] Nagraj stated,

"We chose to do this project with SANS, over several other companies, because we found that, overall, SANS provided us the best value, which was measured in terms of quality of work, SANS reputation in information security, ability to provide an unbiased opinion and value for money. We also have an ongoing relationship with SANS where we have done projects in the past and have seen very good results. Of course, we also really like working with Stephen, Dave and the rest of the team at SANS."

How is that for a testimonial? It is not easy to write a whitepaper on compliance. On the one hand, such a paper runs the risk of becoming too broad and generalized, so that it provides no actionable insight; on the other, it could become so extensive and detailed that it becomes difficult to grasp the essence, at which point one might be better off reading the actual regulation. We had to achieve a careful balance between these two extremes, and it took us several drafts and reviews to achieve it. You can find the paper here[9], and it is also available on the Utimaco website (www.utimaco.us). If you are a computer security manager, we highly recommend that you read this paper and keep a copy available as a resource; hopefully, the analyst team will update it in a year or so as the world changes.

In order to reduce the risk of data breaches, many organizations are turning to full disk encryption. According to Wikipedia, "Full disk encryption (or whole disk encryption) is a kind of disk encryption software or hardware which encrypts every bit of data that goes on a disk. The term 'full disk encryption' is often used to signify that everything on a disk, including the operating system, is encrypted. There are also programs capable of encrypting an entire disk fully but not capable of directly encrypting the system partition or boot partition of the operating system (e.g. FreeOTFE, GBDE and TrueCrypt which can fully encrypt an entire secondary hard disk). To boot from a fully encrypted disk on a standard personal computer requires hardware assistance as there is otherwise no other way for the BIOS to decrypt and transfer program control to an encrypted master boot record (MBR). There are software programs that can encrypt bootable operating system partitions but they must still leave the MBR, and thus part of the disk, unencrypted."[10]

Keep in mind that if you are using AES 256[11], your encrypted data is not at risk. However, there are a number of management issues you want to consider. If you have a few minutes to spare, there is a YouTube video[12] by Dr. Eric Cole on the subject. In addition, there is a paper by Peter Giannoulis about the pitfalls of full disk encryption.[13] So you want to consider the management issues related to cryptography every bit as much as the technical issues, and two resources may help there. We have already mentioned the compliance paper, but there is also a research paper that provides a draft RFP[14].

The Utimaco sponsored research paper also has a section on best practices for data security within the compliance context. As Nagraj said, "When our customers spend money to meet compliance goals we would also like them to maximize their return on investment on data security. Sometimes when there is a tremendous pressure to comply one may lose focus on overall data security goals. The SANS data security best practices section helps to ensure that deployments are planned correctly."

Those of us in the Security Laboratory would love to hear your real-world experiences: if you are implementing or considering implementing full disk encryption, please drop us a note at stephen@sans.edu.

-------
1. http://www.sans.edu/resources/securitylab/ssl_tts.php
2. http://www.sans.edu/resources/securitylab/hash_functions.php
3. http://www.sans.edu/resources/securitylab/quantum_crypto.php
4. http://www.blackducksoftware.com/exportip
5. http://www.gilc.org/crypto/crypto-survey.html
6. http://www.linkedin.com/pub/0/231/b07
7. http://www.sans.org/about/sans.php
8. http://www.sans.org/vendor/pricing.php
9. http://www.sans.org/reading_room/analysts_program/encryption_Nov07.pdf
10. http://en.wikipedia.org/wiki/Full_disk_encryption
11. http://www.bitzipper.com/aes-encryption.html
12. http://www.youtube.com/watch?v=Gi-niOoVAm4
13. http://www.sans.edu/resources/securitylab/246.php
14. http://www.sans.org/reading_room/analysts_program/Encryption_June07.pdf