Thursday, January 29, 2009
Encryption Anywhere and Everywhere
Will 2009 be the year where 'Encryption Everywhere' is a necessity? If you noticed, many of the recent breaches, like TJX and Heartland, have happened on the internal, private network. Scammers were able to get to the private network and watch as sensitive info flew by in clear text. Certainly, there are many technologies that should help in keeping those undesirables off the internal network, if configured properly. But if they do make it in, one easy way to thwart that front-row seat is to encrypt sensitive info on the Internal network. We've discussed how PCI DSS only covers transmissions over the public network(s) yet these have occurred on the internal network. This isn’t a challenge to PCI to include encryption on private networks but I do think they should consider it soon. Even the Heartland CEO is now saying they are going adopt end-to-end encryption. Others should follow as the cost barriers have dropped since the initial PCI scope. OK, that's good, that these huge credit card processing firms are protecting our information as it navigates their networks. But how would/could this be applicable to an enterprise that might not need to be PCI compliant? Aren’t there some sensitive financial statements or sales numbers that need to be kept confidential? What about sensitive documents that have trade secrets or patent information? There's plenty of information available on the internal network that probably should be secure - even from insiders. You can certainly restrict them from certain subnets & VLANS when they connect to the domain. And there are solutions like BIG-IP Secure Access Manager that can do all the end point host checks, AAA authentication, ACL's, resource assignment and granular application access control for remote workers. This ensures that users only have access to certain resources, subnets, applications and so forth. But that might not protect the sensitive file from being seen as it passes through the internal network to the CFO's office/device. Here again, BIG-IP SAM can play a role in protecting your internal LAN and files. Think of it this way. Many companies have Intranets which are only accessible when authenticated to the domain. Many of these sites also have numerous links to the various internal resources available when you're 'on-net' like 'Human Resources' or 'Corporate IT' or 'Customer info' or 'Finance.' For most of the links, like HR for instance, users should be able to navigate and download files pertaining to insurance, benefits and any other pertinent info. These might just be the PDF versions of the insurance brochure and it doesn't need any additional security measures. But, say I'm the CFO and I click through to the Finance portal. Even here, you can restrict access to only certain users. There might be some documents pertaining to the last fiscal quarter and maybe some other non-sensitive files available. But also available is the current fiscal quarter numbers and that certainly needs to be kept confidential. With BIG-IP SAM, you can create a policy that launches a SSL tunnel for specific resources that need confidentiality. So when the CFO tries to access the sensitive financial info, BIG-IP SAM can create an encrypted tunnel so even if someone is sniffing the network, they won't be able to see the jewels. So you might not need encryption Everywhere but you do need it Anywhere. Anywhere there’s a potential risk and threat. Granular Application Access Control that's Fast, Available, Secure. ps
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment