CAMBRIDGE, Mass. -- Many organizations are struggling to comply with a number of government regulations intended to protect sensitive and confidential personal information. A simple approach to satisfying at least some of these requirements may come from novel use of a familiar source: data encryption.
Rob Johnson, head of IT security architecture for Walt Disney World, explained this approach at last week's Information Systems Audit and Control Association (ISACA) conference in Cambridge, Mass. Johnson is responsible for the planning process that includes identity management, encryption technologies and legal and regulatory compliance.
The problem that many organizations face is how to comply with a plethora of regulations -- including Gramm-Leach-Bliley, HIPAA and Sarbanes-Oxley -- that mandate privacy and confidentiality of computer records. This isn't just a domestic problem either, as the European Union, Australia and other countries have similar laws either passed or pending.
Neither is this problem simply an IT concern anymore, because executives and board members of non-compliant organizations could face severe penalties for any shortcomings. The potential repercussions of scrutiny by the press, loss of public trust and degradation of public image raise the stakes even higher.
The challenge, of course, is to determine who has access to an organization's data, and then control it. OSes like Windows and Unix run hundreds of background services and daemons -- many with root or administrative privileges -- that can potentially access data files. Flaws abound in these processes and can allow an attacker to gain complete access to the data.
Johnson points out that the very language of the many regulations offers a key to simple and successful compliance. For example, California's SB 1386 protects personally identifiable information; if that information is stored encrypted, its exposure does not constitute a meaningful disclosure, since the data is practically impossible to decrypt without the key.
He suggests that organizations use an encrypted file system to hold the table spaces that make up the confidential data in a database. This can be implemented in such a way that only the DBMS program can decrypt the data. "You don't even have to encrypt all the data," noted Johnson. "Just enough to break any links between names and associated personal identifiable information."
There are several benefits to using encryption this way. It strictly controls access to sensitive data and prevents hackers from using the data even if they manage to steal it. This narrowing of data access also means that system audits are simpler, faster and more accurate. Yet, the files are still available for ordinary use and backup. Finally, this satisfies many of the legal regulations, as well as other third-party processing obligations.
Details of this solution ensure its usability. "You want the encryption to be part of the OS kernel," said Johnson. "That way, even entities with root or administrative privileges cannot alter or tamper with the data." The solution shouldn't require any changes to the applications nor should the system suffer performance degradation.
Johnson has identified two currently available solutions: VPDFS, offered through GM Consulting, and the Microsoft Windows Server 2003 encrypted file system (EFS). Vendors are also working on enhancements to AIX, HP-UX, and Solaris to support similar features. "The EFS feature is free: you just have to turn it on," Johnson said.
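The EFS arrangement described above (an encrypted directory for the sensitive tablespaces, with only the DBMS able to decrypt them) can be set up and verified with a short script. This is an added example, not code from the article or from any of the vendors it names; it assumes the script runs under the DBMS service account (so that account's EFS certificate is the one wrapping the file keys) and uses a hypothetical tablespace path.

```powershell
# Added example: place the PII tablespaces on EFS so that only the DBMS
# service account can decrypt them, then verify the result.
# Assumptions: run while logged on as (or via runas) the DBMS service account;
# $TablespaceDir is a hypothetical path chosen for illustration.
param(
    [string]$TablespaceDir = 'D:\DBMS\tablespaces\pii'   # hypothetical path
)

# 1. Mark the directory and its contents encrypted. cipher.exe is the built-in
#    EFS tool; /e encrypts, /s: recurses, and new tablespace files created in
#    the directory later inherit the encrypted attribute automatically.
cipher.exe /e /s:$TablespaceDir | Out-Null

# 2. Verify that every file actually carries the Encrypted attribute. A file
#    without it (for example one moved in from another volume) is stored in clear.
$files = Get-ChildItem -Path $TablespaceDir -Recurse |
    Where-Object { -not $_.PSIsContainer }
$unencrypted = $files |
    Where-Object { -not ($_.Attributes -band [IO.FileAttributes]::Encrypted) }
if ($unencrypted) {
    Write-Warning 'Files stored in clear:'
    $unencrypted | ForEach-Object { Write-Warning $_.FullName }
}

# 3. List who can decrypt each file. Expect exactly the DBMS service account's
#    EFS certificate plus any configured data recovery agent; an additional
#    user entry means someone other than the DBMS can read the tablespace.
foreach ($f in $files) {
    cipher.exe /c $f.FullName
}
```

EFS protects the confidentiality of the file contents, so an administrator without the key still cannot read a tablespace, but can still delete or replace it, and whichever certificate is designated as the data recovery agent can decrypt it; step 3 is what surfaces that.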
In performance tests, Johnson has found only minor impacts (less than 8%) due to encryption. In fact, some tests indicate an improvement in performance from using encryption. "That has the DBAs scratching their heads," Johnson said. "We think it may have something to do with the extra caching necessary for the decryption step, which makes more data available in memory."
For many organizations, encryption may be the route to compliance that they've dreamed of.