Data Backup Digest

The use of encryption software helps your organization meet government or industry requirements for protecting sensitive or private information. But if used improperly, encryption software can add administrative overhead to your daily tasks and lull you into a false sense of security. Encryption software and built-in data security features are not magic bullets for security. Realizing the benefits relies on both your understanding of the software and your ability to communicate best practices to your users and publishers. Avoid the following security mistakes that may lessen or negate your organization’s security posture and encryption software.

**Improper protection of encryption keys and passwords**

Password lists and encryption keys need to be protected at the same level and rigor as the unencrypted data would be. All the encryption in the world won’t help if an attacker has the passphrase or encryption key.

Improperly protecting passwords or insecurely transmitting passwords is perhaps one of the biggest downfalls, largely because locating and typing in passwords can often be inconvenient. But this inconvenience is necessary for the encryption software to do its job.

Just like you would never leave your car keys in the ignition when you parked in a public space, you should never store passwords with the encrypted media. Encrypting a file and then including the password in the same email as the encrypted file completely defeats the purpose--you may as well have not even encrypted the file. Instead, you can email the encrypted file and then call the person to provide them the password. Or you can establish a known passphrase ahead of time and use that for your encrypted correspondence. The key is to always keep the encrypted media and the password separate from each other. Never write down passwords near computers (under the keyboard or blotter is the first place someone will look). If you have a password list saved on a local hard drive, encrypt it.

**Improper physical security for trusted platforms**

Many data-at-rest encryption solutions rely on trusted platform module (TPM) devices that don’t require the user to enter a password to access the encrypted data. For example, in Windows, BitLocker will encrypt the entire hard drive, which prevents the data from being read if the hard drive is removed from the computer or otherwise accessed outside the operating system. However, as long as the hard drive is booted from the original machine, the data will be accessible. So, if a laptop is BitLocker encrypted, it won’t be protected if a thief steals the entire laptop.

If you intend to protect your data-at-rest and utilize TPM devices for convenience and everyday functionality, it behooves you to enforce a strong physical security plan. Restrict access to servers and storage areas for clients and work PCs.

**Reusing Passwords**

Different members of an organization should have different levels of access to data. Ideally, each user should have their own password that only they know and only they use. This is achievable even if multiple users are accessing the same encrypted data. Many encryption modules allow you to create multiple passwords for the same file, which obviates the need to share a common password with multiple users. Use a unique password for each file and each user to avoid allowing access to more files than intended when disseminating encrypted data.

In summary, encryption software will only get you so far in terms of security. Common sense practices and an understanding of what your software does and does not protect you from is essential when implementing your security plan.