Crypto is no magic bullet for data protection
- By William Jackson
- Jul 30, 2007
Piling on unending layers of static security can be costly and burdensome, Art Coviello told an audience of federal administrators recently. Too much cryptography can be overkill.
This was a surprising statement coming from the president of the RSA Security division of EMC, a name almost synonymous with encryption. But Coviello wasn't dissing encryption. He was continuing a message he has been delivering this year on the need for a holistic rather than product-based approach to security. The caveat against relying too heavily on encryption was a common theme at the symposium where he spoke.
A panel of federal speakers addressed the guidelines from the Office of Management and Budget on protecting personal data. OMB recently gave agencies a September deadline to have policies in place for responding to data breaches and notifying those whose information might have been exposed. Last year, it issued requirements for protecting personally identifiable information, which required, among other things, encrypting it on mobile or portable devices.
But, 'the problem with encryption is that if not managed properly it becomes one of your greatest vulnerabilities,' said Mischel Kwon, the Justice Department's chief IT security technologist.
Cryptography can provide excellent security, but as with all security, it has limits and trade-offs. Poor key management makes cryptography vulnerable, and any sense of security it provides could prove false. Proper key management with strong cryptography can be burdensome, creating administrative overhead and incentives for users to get around it. Kwon said any policy needs to be practical where it touches technology.
Tim Grance, manager of systems and network security at the National Institute of Standards and Technology, the agency responsible for turning policies into practice, echoed this point of view.
'We can't suspend common sense and just encrypt the hell out of everything,' he said.
And they are right. I am a fan of encryption, especially when it comes to my personal data that someone else is carrying around. I do not want that data exposed when the laptop is left in a taxi, the USB drive is left in a port of a computer or some thug steals the iPhone. But if good cryptographic security is burdensome, what is the answer?
The prime directive, everyone speaking at the symposium agreed, is to 'limit the collection of personal data.' That is the first line of defense. You do not have to protect what you do not have. Think of cryptography as an incentive to do away with as much sensitive data as possible.
OMB makes this explicit in its guidelines. Agencies are required to identify their stores of personal data and strip them down to what is really necessary. Special attention is given to Social Security Numbers, the Holy Grail for identity thieves. Agencies are to stop using them whenever possible.
There are degrees of identity necessary for different jobs. Knowing that I am the person who reserved a National Park campsite is on a different level than knowing I am the holder of a driver's license or the resident of a particular state, and neither has anything to do with my financial accounts. An SSN is a convenient tool for any of these degrees of ID, and that is the problem. No matter what it originally is used for, once it is compromised, I am out of luck.
Much of the data agencies collect does not need to provide a high degree of identity, and many of the functions carried out with that data probably require an even lower degree. If an agency gathers, and the worker then extracts, only the data that is necessary, what is being used might not even qualify as personally identifiable data, and the worker won't have to worry about encryption.
But, if you are carrying around my name, address, birth date and Social Security Number, encrypt it. It might be a burden, but it's also your job.
William Jackson is a Maryland-based freelance writer.