
Prat Moghe is the General Manager of the Data Compliance division of Netezza (NYSE: NZ). Previously, Prat was the Founder & CEO of Tizor, a data auditing company acquired by Netezza. 


Data Auditing Blog


Data Auditing & Data Encryption: Two Sides of the Data Protection Coin

Confusion is plentiful when enterprises think of two related but distinct data protection technologies - data auditing and data encryption (*). In my opinion, they’re two sides of the same data protection coin. This post captures my latest thinking on this timely topic.


Analogy:

We will get into a technology discussion, but sometimes a simple analogy is worth a thousand words. Think of a bank vault that stores valuables – in this case, data. Data auditing is like an intelligent surveillance camera watching all the contents within the vault. Data encryption is like the locker/key provided to each bank customer. (I owe the encryption analogy to Mike Speciner, security expert and co-author of the classic security text Network Security.)


Technology:

Data Encryption is intended to make data-at-rest visible only to authorized users. It is a form of “privacy” access control. Once data-at-rest is encrypted, access by unauthorized users, or physical access to the storage itself, cannot result in disclosure unless the appropriate keys are also available.

In contrast, Data Auditing offers four capabilities:

  1. Data Discovery: discovers and classifies unencrypted critical data.
  2. Data Activity Monitoring: monitors and logs who accesses the data.
  3. Data Theft Detection: detects and alerts on data theft based on suspicious activity.
  4. Core Data Leakage: detects transmission of unencrypted core data.

How does Data Auditing relate to data encryption?

Let’s take each of the four data auditing capabilities:

  1. Data discovery makes it easier to deploy Data Encryption: data discovery can identify critical unencrypted data as it is being accessed by users. This can be used to select the subset of data that should be encrypted first.
  2. Data Activity Monitoring is complementary to Data Encryption – it logs all activity to critical data, whether by authorized users or not, whether the data is encrypted or not.

    Example: PCI requirement #10 (audit logging) requires monitoring access to cardholder data, in addition to PCI requirement #3 (data encryption).
  3. Data Theft Detection extends Data Encryption. Data Encryption prevents data disclosure by unauthorized users. Data Theft Detection extends this to “authorized users”. It detects data theft by authorized users based on anomalous behavior. This is important since most data breaches can be traced to authorized users that are acting maliciously, violating policies, or have gained access to authorized users’ credentials.

    Note: Some people like to think of points 2 & 3 of Data auditing collectively as a lightweight substitute for encryption. For example, a recent industry analyst note suggested that PCI content-level encryption projects that face technical challenges could adopt data activity monitoring & data theft detection as an interim substitute since it is easier to get started with.
  4. Core Data Leakage audits the effectiveness of Data Encryption: Even if the databases are encrypted at a content-level, data auditing can continuously monitor the effectiveness of encryption by detecting unencrypted data leaving the core databases and fileservers. This can be a form of audit that ensures data encryption is always up-to-date and covers new critical data as it is created. 
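To make the four capabilities concrete, here is an added example (not code from the original post or from any Netezza/Tizor product) that runs the auditing checks over constructed sample data: a classifier that discovers cleartext card numbers, an activity log written for every access, a theft detector that flags an authorized user whose read volume departs from that user's own history, and a leakage check on payloads leaving the core database tier. The events, payloads, thresholds and the well-known 4111... test card number are all constructed for the example; the 10x baseline multiplier is an assumption, not a recommended setting.

```python
import re
from collections import defaultdict

# Constructed sample of audited database accesses: who ran the query,
# which table it touched, and how many rows came back.
SAMPLE_EVENTS = [
    {"user": "app_svc", "table": "cardholders", "rows": 120},
    {"user": "app_svc", "table": "cardholders", "rows": 95},
    {"user": "app_svc", "table": "cardholders", "rows": 110},
    {"user": "dba_jane", "table": "cardholders", "rows": 12},
    {"user": "dba_jane", "table": "cardholders", "rows": 250000},  # bulk pull by an authorized user
    {"user": "report_svc", "table": "orders", "rows": 5000},
]

# Constructed outbound payloads observed leaving the core database tier.
SAMPLE_PAYLOADS = [
    "order=8812;card=4111111111111111;exp=12/27",  # cleartext PAN (public test number)
    "order=8813;card=tok_3f9a1c;exp=12/27",        # tokenized value, nothing to flag
    "order=8814;card=4111111111111112;exp=01/28",  # digit run that fails Luhn, not a PAN
]

_DIGIT_RUN = re.compile(r"\b\d{13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates a real card number from a random digit run."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep first six and last four digits so the alert itself is not a leak."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def discover_pans(text: str) -> list[str]:
    """(1) Data Discovery: classify cleartext content that contains card numbers."""
    return [run for run in _DIGIT_RUN.findall(text) if luhn_ok(run)]


def activity_log(events) -> list[str]:
    """(2) Data Activity Monitoring: one audit line per access, authorized or not."""
    return [f"AUDIT user={e['user']} table={e['table']} rows={e['rows']}" for e in events]


def detect_theft(events, threshold: float = 10.0) -> list[tuple]:
    """(3) Data Theft Detection: alert when an authorized user's read exceeds
    `threshold` times the mean of that user's earlier reads on the same table.
    The first access by a (user, table) pair only establishes the baseline."""
    history = defaultdict(list)   # (user, table) -> row counts seen so far
    alerts = []
    for e in events:
        key = (e["user"], e["table"])
        prior = history[key]
        if prior and e["rows"] > threshold * (sum(prior) / len(prior)):
            alerts.append((e["user"], e["table"], e["rows"]))
        prior.append(e["rows"])
    return alerts


def detect_leakage(payloads) -> list[tuple]:
    """(4) Core Data Leakage: report payloads carrying an unencrypted PAN."""
    findings = []
    for idx, payload in enumerate(payloads):
        for pan in discover_pans(payload):
            findings.append((idx, mask(pan)))
    return findings


if __name__ == "__main__":
    for line in activity_log(SAMPLE_EVENTS):
        print(line)
    for user, table, rows in detect_theft(SAMPLE_EVENTS):
        print(f"ALERT theft: {user} read {rows} rows from {table}")
    for idx, masked in detect_leakage(SAMPLE_PAYLOADS):
        print(f"ALERT leakage: payload {idx} carries cleartext PAN {masked}")
```

Note how the two alerting checks map onto the post's points: the theft detector only ever fires on an authorized account, because it is the user's own history that defines normal, and the leakage check is what tells you the encryption project has a gap, since a correctly encrypted or tokenized field never matches the classifier in transit.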

In summary, both Data Auditing and Data Encryption offer unique standalone benefits. Their combination offers a tight virtuous cycle of data protection. For folks who need to figure out whether to audit or to encrypt data, think back to the bank vault analogy. All bank vaults have surveillance cameras. Those with custom valuables also offer individual locks & keys. This observation points to a simple maxim:

    • Audit data whenever you can
    • Audit & encrypt data when you must

If you have any opinions on Data Auditing or Data Encryption, please let me know. If you have attempted either Data Encryption or Data auditing projects recently, it would be great to hear your experience.  

Footnote: For the sake of this discussion, Data Encryption means content-level encryption such as database encryption. Other types of encryption such as media/tape-level Encryption, or session-level encryption are not included in this definition since they are intended to address risks different from the on-line data/database theft we are discussing here. Rich Mogull has an interesting post on what he calls three laws of general encryption.
