Beruflich Dokumente
Kultur Dokumente
feature
Hands of End Users
Because it is impossible to identify and control all
of these scenarios, many organizations respond
Do you have
by deploying end-user-managed encryption tools, something
www.isaca.org/currentissue hoping that users will be responsible enough to to say about
integrate encryption into the existing processes (e.g.,
this article?
As part of a defense-in-depth strategy, many an IT request to encrypt before sending an email). Visit the Journal
organizations are expanding their usage of However, this approach essentially delegates the pages of the ISACA
encryption. While encryption can provide security responsibility to uninterested end users who web site (www.isaca.
protection from unauthorized access and reduce are looking for the path of least resistance.2 org/journal),find the
the likelihood of data theft, it is very difficult to article and click on
implement systems and processes that can provide Welcome to the Jungle the Comments link to
share your thoughts.
reasonable assurance of confidentiality in real-
In theory, encryption is just a matter of applying
world implementations. In recent years, many
some math on bits of data before and after
software products have begun offering built-in
sending a file or message. However, there is a vast
encryption capabilities that are more user-friendly
ecosystem of encryption technologies, algorithms,
and manageable. When it comes to purpose-built
configurations, tools and file formats. Complicating
encrypted communication tools or standards-based
matters, end-user encryption tools are notoriously
system-to-system encryption, the level of maturity
unfriendly from the end user’s perspective.3
is usually quite high. But many organizations are
Management and transfer of encryption keys
not prepared for the risk and pitfalls of end-user-
and/or passwords and ensuring secure storage are
managed (user-to-user) encryption.
daunting requirements to
place on end users.
The Call for Encryption
Industrial espionage, nation-state hackers and Even if the best, most End-user encryption
organized crime are concerns for even the smallest seamless tools and tools are notoriously
organization. This has not, however, slowed the training are implemented,
rate of data capture and sharing among partners, there is still the issue of unfriendly from
regulators and customers. Organizations now compatibility with partners.
If one partner is on a
the end user’s
regularly share large quantities of proprietary data
and employees’ or customers’ personally identifiable different platform, deploying perspective.
information. Heightened awareness by the board that platform requires
and increased regulatory pressure are leading to additional investment and
increased focus on and funding for data protection.1 implementation efforts.
Given that organizations have multiple partners, the
Most organizations today are comfortable deploying overhead from purchasing and supporting multiple
in-transit encryption. Security teams can easily sell tools can quickly escalate. Failure to support the
the need for transport layer security (TLS)-secured tools that internal users need to make their business
web applications or push for secure protocols, partners happy will result in end users seeking creative
such as Secure File Transfer Protocol (SFTP) and solutions and workarounds.
Secure Shell (SSH). Unfortunately, there are many
data transfer workflows outside of IT’s control or
Eric H. Goldman, CISA, Security+
that must meet externally imposed requirements. Is an information security professional with experience in financial
As a result, critical and high-risk data still travel services and manufacturing. He focuses on human factors and human-
through email and attachments. More and more, computer interaction in the realm of information security. He can be
users are also making use of both authorized and reached at Eric.Goldman@owasp.org.
unauthorized cloud storage and file-sharing services.
When one is evaluating encryption software and systems, it is important to consider how the tools will
impact the organization’s legitimate access to data. If the tools are enterprise ready, they will integrate with
the DLP and IDS somehow, such as by communicating the plaintext, transferring the keys or coordinating
with local software agents before encryption. Such systems must also securely manage all of the keys/
passwords to prevent misuse and targeting by hackers, and should also include approval workflows and
logging as appropriate.
Personal communications can and should still rely on robust, backdoor-free encryption technologies to
prevent eavesdropping. In enterprises, the fundamental ownership issue means that users must understand
and accept that communication is being secured between enterprises, not people.