Updated by Candice So Apr. 24, 2014 at 4:05pm ET: We ran a Twitter chat on encryption under the @itworldca Twitter account. Read on for a quick recap of the tweets from today’s discussion.
With all of the data breaches making headlines today – like the Canada Revenue Agency’s loss of 900 Social Insurance Numbers due to Heartbleed this week – it’s becoming clearer than ever that businesses and organizations need to closely guard their data.
One of the easiest ways to do that? Encryption, or encoding data and communications so hackers and malicious actors are barred from reading them.
Here at IT World Canada.com, we want to help business owners and IT professionals tackle the issue of encryption through our latest Twitter chat, exploring how they can protect their data – and their reputations – from falling into the hands of hackers.
Using the hashtag #EncryptITWC, we’ll be gathering for a Twitter chat on Thursday, April 24 from 1pm ET to 2pm ET for anyone who wants to learn about safeguarding their data.
For the chat, we’ll be bringing on guest experts who are knowledgeable in data security and encryption. We’re excited to welcome:
- Claudiu Popa, president and CEO of Informatica Corp. For more than 20 years, Popa has advised his clients on risks to their security and to their data, keeping up with the shifts in the information security and privacy landscape. He is also the author of the books “Managing Personal Information” and “The Canadian Privacy & Data Security Toolkit.” Find his tweets at the handle @datarisk.
- Brad Haines, director at Renderlab.net and security specialist. For more than 10 years, he has done security consulting for clients on wireless, system administration, and technical training. A past speaker at SecTor, one of Toronto’s biggest security conferences, he has also co-authored “RFID Security” and “Kismet Hacking,” and authored “7 Deadliest Wireless Technology Attacks.” Haines tweets from @ihackedwhat.
For the questions we’ll be covering during our chat, check out this list:
- Why is it so important for businesses to encrypt data and to do it right?
- What kind of data should businesses be encrypting? How much should they encrypt?
- What kinds of encryption tools can businesses use to safeguard their data?
- How can businesses find out if their encryption is broken? How can they keep it up to date?
- How can an organization’s company culture adapt to an encrypted environment, without frustrating employees?
- What effects will encryption have on speed and productivity in the workplace? Will it slow down business performance?
- How does the rise of big data and unstructured data affect encryption?
- If a business uses a cloud provider, what questions should it ask about the provider’s encryption practices?
- How can businesses use encryption as part of their mobile device management and BYOD strategy?
As many participants noted, it’s important to protect customer data from breaches – not only does this protect customers’ personal information and their privacy, but it also protects businesses’ reputations.
@itworldca 'Do it right' because failure in crypto means false confidence in security and often times destroyed data #EncryptITWC
— Gal Shpantzer (@Shpantzer) April 24, 2014
@itworldca If you don't encrypt, you are likely to find yourself on the front page of the globe and mail in a bad way #EncryptITWC
— Render Man (@ihackedwhat) April 24, 2014
@itworldca A2. Any data that involves the potential to identify a user or business, that is a good start. #EncryptITWC
— Tony Anscombe (@TonyAtAVG) April 24, 2014
A2: Sensitive information such as intellectual property, financial, customer and partner data #EncryptITWC #security
— Patrick Correia (@PatCorreia1) April 24, 2014
@PatCorreia1 And data in motion. Can't forget that. Data in motion is more my main concern ATM #EncryptITWC
— Render Man (@ihackedwhat) April 24, 2014
Haines and Correia defined “data in motion” as data that is in flight, like network traffic and data sent via email. On the flip side, data at rest is data that stays on a system drive.
@itworldca Anything that costs less to do so than a lawsuit for losing it. I generally say 'everything you possibly can'. #EncryptITWC
— Render Man (@ihackedwhat) April 24, 2014
A3: Most vendors supply enterprise grade encryption that is FIPS, Common Criteria and @Intel AES-NI Certified… #EncryptITWC
— Patrick Correia (@PatCorreia1) April 24, 2014
Some vendors, like Symantec Canada, also offer encryption tools to their customers.
A4: Realistically, they need an endpoint management console to deploy, manage, update and report compliance. #EncryptITWC
— Patrick Correia (@PatCorreia1) April 24, 2014
@itworldca A4. having vulnerability/penetration testing done on a regular basis is essential for any large organization #encryptITWC
— Tony Anscombe (@TonyAtAVG) April 24, 2014
@candice_so Shame goes a long way to encouraging good security practices. That and big ass lawsuits #EncryptITWC
— Render Man (@ihackedwhat) April 24, 2014
A4 Doing an audit might uncover misconfigurations that could lead to a broken encryption process. #encryptITWC -MV
— Symantec Canada (@SymantecCanada) April 24, 2014
Haines also recommended that businesses protect themselves by checking out peer review for cryptography systems, as well as by having migration plans in place in case of a major breach.
A5 My bet is that if employees feel they have to do 'extra' work because of encryption, they won't do it #EncryptITWC
— Brian Jackson (@brianjjackson) April 24, 2014
@itworldca A5. Make the process so seamless that the employee does not have to do anything specific to encrypt. #encryptITWC
— Tony Anscombe (@TonyAtAVG) April 24, 2014
@TonyAtAVG IT security employees with actual power to direct or halt insecure projects helps a lot. Most have no real power #EncryptITWC
— Render Man (@ihackedwhat) April 24, 2014
#encryptITWC RT @MarylkaE without proper buy-in, engagement, and training, there will always be lapses regardless of the protections
— IT World Canada (@itworldca) April 24, 2014
A5: Good news is that there are a lot of options now…Native and Advanced for PCs and Mac, etc. #EncryptITWC
— Patrick Correia (@PatCorreia1) April 24, 2014
@NETLOGISTX @ihackedwhat @itworldca You will need to make users/staff accountable. Education and awareness only go so far. #EncryptITWC
— Security & Privacy (@datarisk) April 24, 2014
@candice_so Also any of the apps from silent circle. A few bucks in apps and you can have a lot of seamless crypto on android #EncryptITWC
— Render Man (@ihackedwhat) April 24, 2014
Correia adds it’s also possible to run less intrusive encryption tools, especially location-aware implementations. That makes it much easier for employees to adapt, he says.
@itworldca A6. It should not but based on amount needing to be encrypted. Hardware low cost bandwidth is less of an issue now. #encryptITWC
— Tony Anscombe (@TonyAtAVG) April 24, 2014
#encryptITWC RT @datarisk: Great question. It's important to test diff encryption tools not just for compatibility/effectiveness but speed.
— IT World Canada (@itworldca) April 24, 2014
RT @datarisk: Patch management is critical for companies and systems that depend on encryption. So is configuration mgmt #EncryptITWC
— IT World Canada (@itworldca) April 24, 2014
@mpancha The data had to be unencrypted at some level to process it. Heartbleed was a perfect storm that dumped mem #EncryptITWC
— Render Man (@ihackedwhat) April 24, 2014
One thing to remember is you still need access control even with encryption #encryptITWC
— Howard Solomon (@HowardITWC) April 24, 2014
@itworldca Q8 big data encryption, new specialty vendors r in play, some established ones that have transitioned 2 HDFS/NoSQL #EncryptITWC
— Gal Shpantzer (@Shpantzer) April 24, 2014
RT @datarisk: @itworldca Protecting unstructured data means companies need to have knowledge of the sensitivity of their data #EncryptITWC
— IT World Canada (@itworldca) April 24, 2014
A8 Complexity increases with increased data. Encryption should also be complemented by proper data loss prevention solutions #encryptITWC MV
— Symantec Canada (@SymantecCanada) April 24, 2014
#EncryptITWC Fantastic read about Big Data, the future of the personal cloud and privacy by design http://t.co/TNXpy1Abl6
— Chris Sandison (@ChrisSandison) April 24, 2014
@itworldca Data is currency, it has value. Ppl will try to steal it to mine. IF not encrypted, you are playing with fire. #EncryptITWC
— Render Man (@ihackedwhat) April 24, 2014
A9: One of the primary questions is who else has access to the data? And also how are the encryption keys managed?… #EncryptITWC #cloud
— Patrick Correia (@PatCorreia1) April 24, 2014
Correia also added that businesses need to ask their cloud providers if they have an SLA on performance.
@itworldca #EncryptITWC The first thing to find out is how many other suppliers the cloud provider exchanges data with.
— Security & Privacy (@datarisk) April 24, 2014
@itworldca #EncryptITWC The second thing about cloud provisioning is to understand the confidentiality policies between suppliers
— Security & Privacy (@datarisk) April 24, 2014
@PatCorreia1 I ask what country is the data in and what laws is it subject to? i.e. Patriot Act #EncryptITWC
— Render Man (@ihackedwhat) April 24, 2014
@itworldca I would ask why Big data didn't build in crypto from the beginning? Shortsighted? Ignorant? Cheap? #EncryptITWC
— Render Man (@ihackedwhat) April 24, 2014
@brianjjackson #EncryptITWC Correct, mobile data is information 'in transit' in all senses of the word, so crypto layers have to mesh well.
— Security & Privacy (@datarisk) April 24, 2014
@itworldca #EncryptITWC Critically, there are various strengths of algorithms, of implementations and compatibilities between products.
— Security & Privacy (@datarisk) April 24, 2014