Saturday, May 5, 2012

Encrypt Your Business Data!


In my job as a consultant, I am usually in possession of my clients' data, some of it sensitive. I do lots of work for insurance companies who generally keep large amounts of personal information about their customers (insureds). Some of these companies are even public companies, so there are all sorts of extra laws they have to abide by. And of course, because I work out of my home office, I sometimes need to work with some of that data in my office, and my office is connected to the Internet.

I've always said that the only problem with privacy on the Internet is that there is none. 

Just about every single thing you do on the 'net decreases your privacy. If I were to draw a diagram, it would show your personal information flowing away from you towards the Internet. It wouldn't be a pretty picture.

Obviously there are lots of procedural things you can do to increase your privacy, but today I'm going to talk about the main tool that people can use to increase their privacy on the Internet. Encryption.


Information is power. And any power can be abused. The same technology you can use to keep your sensitive, legitimate data safe and secret can also be used to keep knowledge of bad things safe and secret. I'm a technologist, not a philosopher or attorney. The moral aspects of this technology are beyond my pay grade. Encryption is a powerful tool, so please use it responsibly.

Public Key Cryptography

The arts of concealing information date back to the dawn of man. As long as there have been secrets to keep, there have been ways of concealing them. There have been lots of methods throughout the years, but it is "public key encryption" that dominates the Internet landscape today. I know basically how it works, but I'm not a mathematician, so read this link for more information.

Wikipedia - Public-key cryptography

Securing Your Data

I'm rather fond of how I secure my data. My "work computers" are virtual machines (VMs). This gives me quite a few benefits, but one I'm interested in here is the separation between my home life and work life. When I "power off" my VMs at the end of the day, there's no client data on my computer - that data is all inside the VMs.


TrueCrypt Web Site

Now, the VMs all reside on drives encrypted with TrueCrypt, which is an open source application for creating encrypted drives. I put the entire volume under TrueCrypt. When your computer powers up, you have to type in passwords for all your encrypted drives. It's a big hassle, but that's the price of safety.

Once you type in the password, that drive is available to anyone who has access to your computer. The encryption keys reside in memory for as long as the computer is powered on. Once the machine is powered off then you need the passwords to reconnect the drives when the machine is booted.

As you can see, if the computer is stolen from you, the thief would pretty much have to power it off to get it out of your office. Once that happens, the hard drives inside are literally bricks without the password. Your data is safe.

Obviously there are other ways for people to take your valuable data, but those are beyond the scope of this post. Encrypting your drives is the "low hanging fruit".


Your data is vulnerable not only at the point of storage (your hard drives) but also at the point where it enters/leaves your office, i.e. your Internet connection. A VPN (short for "Virtual Private Network") gives you a secure (encrypted) connection between two networks. So, it allows you to connect two networks without worrying about your data being intercepted between the two endpoints, though you do still have risks at the endpoints themselves.

Support for VPNs is built into Windows and most routers. There are also lots of third-party and even open source applications. Most people set up their VPN from router-to-router so that it's transparent. Some people like me use the "dialup" method where I press a button to connect to a secure network.

Wikipedia - Virtual Private Network

Encryption Backdoors?

It's widely rumored to be true and in some cases even proven. My problem with encryption back doors isn't that they let governments spy on your personal information. That's back to morality/philosophy, which I have no interest in debating. No, my problem with potential back doors is that they're another possible exploit - something that makes the encryption less secure.

Either way, I have an obligation to keep my clients' data safe to the best of my ability, so to that end, I try to use open source encryption like TrueCrypt whenever possible. I even prefer to use the open source algorithms like Blowfish where possible too.

Though, it's not something I worry about much. And honestly, you can only do so much. You are always going to be vulnerable to someone with more talent / resources than you. But I can look my clients in the eyeballs and tell them that I am using good practices. I make a pretty good attempt to keep the data I use secure.

Encryption Cracking?

It's also widely rumored that *cough* certain agencies in certain governments now have the computing resources (and possible mathematical breakthroughs) to be able to "crack" modern public key encryption.

Modern encryption relies on the fact that it is very difficult for a computer to factor products of very large prime numbers. Since the very scruffy mathematical types figured out encryption, it's probably inevitable that those same people will someday figure out how to defeat it.

My strategy for dealing with this possibility is simply not to have a beef with a) large groups of mathematicians and/or b) people with lots of super-computers. Again, not something I worry about much.
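
To make the factoring point above concrete, here is an added example (not from the original post) of textbook RSA with tiny, constructed primes. It shows that anyone who can factor the public modulus can rebuild the private key, which is why real keys use primes hundreds of digits long; all function names are illustrative.

```python
# Added illustration: textbook RSA with deliberately tiny, constructed primes.
# Real keys use primes hundreds of digits long, plus padding; this is only
# meant to show why the security rests on factoring being hard.
from math import isqrt


def make_keypair(p, q, e=17):
    """Build (public, private) from two odd primes. Knowing p and q yields d."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public, m):
    n, e = public
    return pow(m, e, n)


def decrypt(private, c):
    n, d = private
    return pow(c, d, n)


def factor_by_trial_division(n):
    """Return (p, q, steps) for an odd n. Steps grow roughly with sqrt(n),
    so every extra digit in the primes multiplies the work by about ten."""
    steps = 0
    for candidate in range(3, isqrt(n) + 1, 2):
        steps += 1
        if n % candidate == 0:
            return candidate, n // candidate, steps
    raise ValueError("no odd factor found")


def private_key_from_public(public):
    """Factoring the public modulus is all it takes to rebuild the private key."""
    n, e = public
    p, q, _ = factor_by_trial_division(n)
    return make_keypair(p, q, e)[1]


if __name__ == "__main__":
    public, private = make_keypair(61, 53)
    secret = encrypt(public, 65)
    print("ciphertext:", secret)
    print("rebuilt key decrypts to:", decrypt(private_key_from_public(public), secret))
    for p, q in [(61, 53), (1009, 1013)]:
        print(p * q, "factored in", factor_by_trial_division(p * q)[2], "steps")
```
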


My basic privacy strategy for securing my business data is to contain it in a virtual machine (VM), encrypt the container with TrueCrypt and encrypt the connection between my office(s) and my clients' office(s) with a VPN. This is not the entirety of my strategy but the gist of it.
