Encryption from the database to the laptop PC

Vendor initiatives abound for securing sensitive data.

To encrypt or not to encrypt? When it comes to protecting sensitive data, there really is no choice. Sensitive information, whether transmitted over a network or stored in databases or on laptop computers, must be encrypted to protect against theft and misuse.

With the latest data theft involving a Department of Veterans Affairs employee whose stolen laptop contained the Social Security numbers and other personal information of 26.5 million veterans, experts say organizations should be looking for products that can protect data regardless of where it is.

RSA Security launched an initiative last week to offer companies and government agencies a more comprehensive approach to enterprise data protection. The aim is to protect sensitive data any place it resides: at the application level, within databases, in files and operating systems, on laptop PCs and mobile devices, and in storage.

RSA’s framework also focuses on managing encryption keys, access control and authentication functions.

At the heart of the company’s initiative are the new RSA Key Manager Partner Program and a strategic partnership with Protegrity, a developer of data security management solutions. Keys generated by disparate applications can be managed centrally only if the key manager is integrated with each data protection product, and the partner program is meant to let vendors build that integration between their products and RSA Key Manager.

The program is a good move, said Paul Stamp, a senior analyst at Forrester Research. “Right now we’ve got a mess,” he said. Products exist to encrypt laptop PCs, databases, file servers and data in transit, but “none of them talk to each other,” he said. RSA’s initiative will help establish a central broker so the right people can access the encryption keys they need to get their data, he said.

Protegrity and RSA plan to provide product integration between RSA Key Manager and Protegrity’s Defiance DPS and VPDisk by the end of the year. Defiance DPS is enterprise software that helps secure sensitive data in databases. VPDisk secures sensitive files and encrypts structured and unstructured information.

Organizations are looking for ways to manage encryption enforcement policies across files and databases, said Paul Giardina, senior vice president of marketing at Protegrity. “The RSA relationship is a nice fit” because keys can now be managed centrally across an organization with consistent policy enforcement, he said.

RSA is focusing on the infrastructure for managing user access rights, said Chris Parkerson, senior product marketing manager at RSA. Its Key Manager works with RSA Data Security Manager, RSA ClearTrust Web access management software and RSA SecurID authentication solutions. The program will allow RSA to work with other vendors to secure information from its inception to the time it is stored or destroyed, he said. The company is negotiating with vendors that provide encryption for laptops and back-end storage systems, Parkerson added.

Meanwhile, Ingrian Networks takes a different approach: it stores encryption keys on a dedicated security appliance rather than on the servers where the encrypted data resides, which is where most software-based encryption products keep them. Separating keys from data means that a copy of the data alone, whether taken from a compromised server or from a stolen laptop, is not enough to read it.

The company’s DataSecure Platform consists of five hardware appliances that encrypt data on servers and in databases. Two of the devices comply with Federal Information Processing Standards — the i315 and i325 — providing the level of security for encryption keys that government agencies require, said Derek Tumulak, director of product marketing at Ingrian.

The DataSecure Platform consists of three components: the hardware appliance; the Network-Attached Encryption Server, which runs on the appliance; and the NAE Connector, software that is installed on Web or application servers or in databases and acts as an interface with the appliance.

If an employee downloaded sensitive information such as Social Security numbers to a laptop PC and it was stolen, the thief would not have the correct encryption key to gain access to the data, Tumulak said.
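The key separation that both RSA’s central key broker and Ingrian’s appliance rely on, as an added Go example written for this page (it is not code from either vendor): a simulated key server holds a key-encryption key, hands applications a data key only in wrapped form, and is the only party that can unwrap it, so a record copied elsewhere carries ciphertext and a wrapped key but no usable key. The `KeyServer`, `Record`, `Protect` and `Recover` names, the owner label bound to each key, and the sample record are all constructed for this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KeyServer stands in for a key-management appliance (hypothetical type, not
// any vendor's API). It holds the key-encryption key (KEK) and never releases
// it: data keys leave only in wrapped form and come back here to be unwrapped.
type KeyServer struct{ kek []byte }

func NewKeyServer() *KeyServer { return &KeyServer{kek: random(32)} } // AES-256 KEK

// random returns n bytes from crypto/rand; a failure there is not recoverable.
func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// aead builds AES-GCM; every key here is 32 bytes, so an error is a bug.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return g
}

// seal and open are AES-256-GCM; the random nonce is prepended to the
// ciphertext and aad is authenticated but not encrypted.
func seal(key, plaintext, aad []byte) []byte {
	g := aead(key)
	nonce := random(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, aad)
}

func open(key, blob, aad []byte) ([]byte, error) {
	g := aead(key)
	if len(blob) < g.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], aad)
}

// NewDataKey mints a fresh data-encryption key (DEK) for owner and returns it
// with its wrapped form. The owner label is bound as AAD, so a wrapped key
// cannot be presented later under a different owner.
func (s *KeyServer) NewDataKey(owner string) (dek, wrapped []byte) {
	dek = random(32)
	return dek, seal(s.kek, dek, []byte(owner))
}

// Unwrap is the only way back to a DEK; on a real appliance this call sits
// behind the appliance's own authentication and policy checks.
func (s *KeyServer) Unwrap(owner string, wrapped []byte) ([]byte, error) {
	return open(s.kek, wrapped, []byte(owner))
}

// Record is what gets written to the database or copied to a laptop:
// ciphertext plus the wrapped DEK, and no usable key.
type Record struct {
	Owner      string
	WrappedDEK []byte
	Ciphertext []byte
}

// Protect encrypts plaintext under a DEK that only ks can unwrap.
func Protect(ks *KeyServer, owner string, plaintext []byte) Record {
	dek, wrapped := ks.NewDataKey(owner)
	return Record{Owner: owner, WrappedDEK: wrapped, Ciphertext: seal(dek, plaintext, []byte(owner))}
}

// Recover succeeds only through the key server that issued the record's DEK.
func Recover(ks *KeyServer, r Record) ([]byte, error) {
	dek, err := ks.Unwrap(r.Owner, r.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("key server refused unwrap: %w", err)
	}
	return open(dek, r.Ciphertext, []byte(r.Owner))
}

func main() {
	appliance := NewKeyServer()
	rec := Protect(appliance, "hr-db", []byte("SSN 123-45-6789")) // constructed sample record
	pt, err := Recover(appliance, rec)
	_, stolen := Recover(NewKeyServer(), rec) // thief: has the record, not the appliance
	fmt.Printf("issuing appliance: %q err=%v\nany other key server: %v\n", pt, err, stolen)
}
```

Run it and the second Recover fails because the record carries only a wrapped key. The caveat to keep in mind: this protects a stolen copy of the encrypted record. If an application decrypts the data and the user exports the plaintext to a laptop, that copy is outside the key server’s reach entirely, which is the case full-disk encryption on the laptop is meant to cover.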

Products that encrypt entire disk drives would further protect laptop users. WinMagic recently released a version of its encryption software for individual and home office or business users. MySecureDoc Personal Edition, which runs on Microsoft Windows 2000/XP, protects data on desktop and laptop PCs by encrypting the entire hard drive; the user authenticates before the operating system displays its log-on screen, so nothing on the drive is readable without those credentials.

The product is built on the same FIPS-based encryption engine that the company’s enterprise edition uses, said James Armstrong, director of North America sales at WinMagic. Some of the networking capabilities have been removed, but MySecureDoc offers the same Advanced Encryption Standard 256-bit encryption that SecureDoc offers. SecureDoc, the enterprise edition, provides full-disk encryption for agencies such as the Homeland Security Department, the National Security Agency and the Royal Canadian Mounted Police.

One-stop remote access

Giving employees secure remote access to data might prevent them from taking sensitive information home on their laptop PCs, which could be lost or stolen. But it has to be done right.

IPSec virtual private networks and Secure Sockets Layer VPNs provide secure access, but each has drawbacks.

IPSec requires organizations to load client software on each PC, and it opens a network-layer tunnel into the organization’s local-area network: once connected, the remote PC, or whatever has compromised it, can reach any system the tunnel routes to, not just the applications the user needs. SSL VPN appliances avoid the client software but provide access only to certain Web-based systems; they do not enable access to custom applications or mainframe systems.

So what’s a user to do? One option is a new hybrid system that offers the best of IPSec and SSL VPNs.

The Talisen Gateway from Talisen Technologies is a proxy server that gives users access to almost any type of application — custom, commercial, Web, Microsoft Windows or mainframe. Users simply need a Web browser to access the server, which acts as a gateway to the LAN. It runs on a Sun Microsystems Solaris server and insulates the LAN from direct access, said George Brill, president of Talisen.

Companies can set policies that restrict users’ access to applications and sensitive data while they are working remotely. If users are allowed to download data, Brill said, agencies should have appropriate security procedures in place to protect it.
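The gateway pattern described above, as an added Go example written for this page (not Talisen’s code): a reverse proxy that authenticates the remote user, consults a per-user application policy, and only then forwards the request to the internal application, so the browser never reaches the LAN directly. The `gw_session` cookie, the `X-Gateway-User` header, the application names, the two-user policy and the in-process backend are all constructed for this illustration; a real deployment would authenticate against the organization’s directory or token system rather than a session table.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"strings"
)

// Gateway is the reverse proxy the browser talks to; internal applications
// are reachable only through it. Hypothetical type for this example.
type Gateway struct {
	sessions map[string]string          // session cookie value -> user; stands in for real authentication
	apps     map[string]http.Handler    // published app name -> proxy to an internal backend the browser never sees
	policy   map[string]map[string]bool // user -> apps that user may reach remotely
}

// NewGateway builds the proxies at startup; a malformed backend URL is a deployment error.
func NewGateway(sessions, apps map[string]string, policy map[string]map[string]bool) *Gateway {
	g := &Gateway{sessions: sessions, apps: map[string]http.Handler{}, policy: policy}
	for name, raw := range apps {
		u, err := url.Parse(raw)
		if err != nil {
			panic(fmt.Errorf("app %q: %w", name, err))
		}
		g.apps[name] = httputil.NewSingleHostReverseProxy(u)
	}
	return g
}

// ServeHTTP handles /app/<name>/<rest>: authenticate, check policy, then
// proxy <rest> to the backend registered as <name>.
func (g *Gateway) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	var user string
	if c, err := r.Cookie("gw_session"); err == nil {
		user = g.sessions[c.Value]
	}
	if user == "" {
		http.Error(w, "authentication required", http.StatusUnauthorized)
		return
	}
	parts := strings.SplitN(strings.TrimPrefix(r.URL.Path, "/app/"), "/", 2)
	backend, known := g.apps[parts[0]]
	// Unknown and disallowed apps get the same answer, so a remote user
	// cannot enumerate which internal applications exist.
	if !known || !g.policy[user][parts[0]] {
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	r.URL.Path = "/"
	if len(parts) == 2 {
		r.URL.Path += parts[1]
	}
	r.Header.Del("Cookie")               // the gateway session never reaches the backend
	r.Header.Set("X-Gateway-User", user) // replaces anything the client sent in this header
	backend.ServeHTTP(w, r)
}

// newTestRig starts a constructed in-process backend (it echoes the identity
// the gateway asserted) and a gateway in front of it with a two-user policy.
func newTestRig() (*httptest.Server, func()) {
	backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "payroll for %s at %s", r.Header.Get("X-Gateway-User"), r.URL.Path)
	}))
	gw := httptest.NewServer(NewGateway(
		map[string]string{"tok-alice": "alice", "tok-bob": "bob"},
		map[string]string{"payroll": backend.URL, "hr": backend.URL},
		map[string]map[string]bool{"alice": {"payroll": true}, "bob": {"hr": true}},
	))
	return gw, func() { gw.Close(); backend.Close() }
}

// fetch issues one GET through the gateway with an optional session cookie.
func fetch(gwURL, path, session string) (int, string, error) {
	req, _ := http.NewRequest(http.MethodGet, gwURL+path, nil)
	if session != "" {
		req.AddCookie(&http.Cookie{Name: "gw_session", Value: session})
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return resp.StatusCode, strings.TrimSpace(string(body)), err
}

func main() {
	gw, cleanup := newTestRig()
	defer cleanup()
	for _, c := range [][2]string{{"/app/payroll/report", "tok-alice"}, {"/app/payroll/report", "tok-bob"}, {"/app/payroll/report", ""}, {"/app/ldap/", "tok-alice"}} {
		code, body, err := fetch(gw.URL, c[0], c[1])
		fmt.Println(c[0], c[1], "->", code, body, err)
	}
}
```

Two details matter in a real deployment: the backend must accept `X-Gateway-User` only from the gateway’s own address, otherwise anyone who can reach the backend directly can forge an identity, and the gateway should log every denied request, since a 403 for a legitimate user usually means the policy is wrong while a run of them from one session usually means probing.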

Talisen Gateway users include the Defense Department and the U.K. Ministry of Defence.

— Rutrell Yasin