Kamala D. Harris, Attorney General of California released a report on data breaches in the State in 2012. The report has some interesting statistics and is worth reading. What I’d like to look at today is the first recommendation:
Companies should encrypt digital personal information when moving or sending it out of their secure network. The Attorney General’s Office will make it an enforcement priority to investigate breaches involving unencrypted personal information, and encourage our allied law enforcement agencies to similarly prioritize these investigations. The Legislature may also want to consider requiring the use of encryption to protect personal information in transit.
Despite the incentive created by the breach notification law’s exemption for encrypted data, many companies are still failing to use this effective security measure .Far too many people continue to be put at risk when companies do not encrypt data in transit .More than half of the Californians affected by data breaches reported to the Attorney General in 2012 – fully 1 .4 million – would not have been put at risk if the data had been encrypted .
Readers who have taken Learning Tree Course 468, System and Network Security have heard this throughout the course – if you want confidentiality you need to use encryption. Whether the information is stored on a client or a server, or whether the information is in transit (e.g. being sent over a network), it needs to be encrypted if it is important that attackers not see the data. In the course we discuss both public and private key encryption and course participants use encryption and decryption tools.
At the recent Black Hat conference there was presentation on a method to compromise some types of data sent over SSL/TLS (the secure sockets layer is the tool used when you type https in the browser; today most sites use the updated TLS or transport layer security). I recommend you read it only if you know a good deal about how http operates. There have been other attacks before, too. That does not mean we should stop using SSL/TLS, of course; it just means that care is needed in deciding when and where to use it.
Data in transit can also be protected using IPSec. IPSec is used to create a secure (encrypted) channel or “tunnel” between two points. We discuss IPSec in 468, too.
The upshot is that there are multiple ways to accomplish encryption both when data are stored and when they are in transit. It is unfortunate that companies do not perform this “best practice” on their own and that legislation may be necessary to protect Californians’ data. I’d love to hear your opinions on why people don’t encrypt given the high monetary and social costs of disclosures of plaintext data. Let me know in the comments below.