World-class encryption hardware and technology is an important pillar of any security infrastructure, but it is important to not overlook the little things in favor of a silver bullet security solution. Ganesh Karri, Chief Solutions Architect and Regional, Business Manager - South Asia, Futurex, is going to shed some light on the some of the most common security mistakes and how to fix them. Though they may seem minor, and are often procedural in nature, these steps have the potential to have huge impacts throughout your security infrastructure.
Mistake #1: Not passing the “Lottery test”
One of the things that keeps managers of any organisation up at night is wondering what would happen if key employees were to leave suddenly. This quandary is known as the “lottery test.” How would an organisation cope if a crucial employee suddenly struck it rich in the lottery and quit their job that afternoon, never to be heard from again? There are a few strategies that can function as a failsafe if one of your critical employees were to suddenly depart.
One way is to designate backup users in the system and conduct trial runs during a valuable employee’s sick days or vacation time. This allows managers to test their organisation’s resiliency during an unexpected absence of a critical employee. Preemptive training is another key aspect of passing the lottery test. By allowing the intended backup administrator to work with the current primary and familiarise themselves with the routine as well as decision making processes, interest is stimulated while increasing skills.
Mistake #2: Playing fast and loose with user permissions
A good strategy for assigning user permissions is the principle of least privilege. This dictates that employees only have access to permissions and resources needed to complete their responsibilities. For example, those who are administrators of the entire system would feasibly have all the user permissions enabled, but those who only need to input keys should not be able to create and delete user accounts.The concept of least privilege and user hierarchy has been around for the better part of 20 years and remains one of the most important concepts for limiting exposure of sensitive data. When assigning user permissions to those in your organization, it is useful to have these ideas in mind:
- As a part of a proper user permission hierarchy, permissions should only be assigned to roles based on the requirements of job functions and/or the entitlement of job qualifications.
- Users should have only as much access to systems as needed to complete their jobs.
- User permission constraints can and should be applied to enforce high-level security objectives to avoid being assigned two conflicting roles.
Mistake #4: Falling victim to “Check-Box Compliance”
This is an easy mistake to make. After all, compliance mandates are often designed as checklists. It’s important to recognize that compliance mandates are incredibly nuanced, and measures can be implemented in numerous ways based on your organization’s needs and structure in order to meet the same compliance ends.
Organization with robust compliance requirements should continuously seek the most efficient and cost-effective ways to maintain compliance. Effectively using encryption and tokenization to remove plain-text data can vastly limit compliance scope. Organization who don’t explore these options are likely spend excessive time and money on compliance.
Mistake #4: Not using strong enough encryption technology
Encryption of sensitive data is an important principle of any security architecture. Software encryption platforms can be an alluring option due to their low cost, but it’s extremely important to the integrity of your secure data to resist their boasted convenience. Software-based encryption programs are inherently less secure due to their vulnerability to malware, key logging, and other attacks that attempt to steal encryption keys. In the case of data security, the age-old view still proves true: a physically secure repository is still the safest place to store and process sensitive data.
Hardware-based encryption solutions are a far more secure option for enterprises looking to sleep comfortably at night. Choosing a hardware-based key management solution validated to FIPS 140-2 Level 3 or higher provides for the best protection of the Major Keys used to encrypt all other keys within the system.
All FIPS 140-2 Level 3 or higher devices should include these important features:
- Tamper-responsive circuitry that erases sensitive data upon detection of any intrusion attempt
- Physical security barriers that prevent access to internal components
- Digital signatures of cryptographic modules that prevent substitution attacks
