In motor racing, they say you could go as fast as you can
afford and that the best drivers win races as slow as they can.
This apparent paradox has its parallels in the approach to
securing information. While the mantra of “Security must be good enough!” lies
at the basis of any strategic approach to building a defence around an
information system, it is often trumped by the idea that more is better.
Information Security students often propose a double
encryption solution as the best protection for data. Of course they choose the
two strongest ciphers they can find. I always have to point out the costs of
this, the energy and time it takes to encrypt and decrypt each time. I also ask
why will there ever be a need to make a near unreadable piece of information
only slightly more unreadable.
The promise of top encryption algorithms are that it will
take too long to guess the key that decrypts the information and therefore make
the effort worthless. Criminals do cost-benefit analysis too. If I have to send
sensitive information over the Internet, I will encrypt it and, if possible, use
a secure channel such as SSL. While in transit the data will be double encrypted
but my main reason for the first encryption was to protect the data at rest, when
it crosses to the other network and has to be treated discretely. There it can
only be read by those to whom I’ve given the key.
Information Security as a practice should see itself as a risk
enabler. Almost all companies that pay attention to InfoSec will have policies
that prescribe best practices for data protection. Most for example will set a
standard for transmission and SSL will be one of them.
Does this mean that when a piece of information is encrypted
at rest, it cannot be transmitted on a non-secure medium such as HTTP? There
may be other risks that come with HTTP that have to be considered but from a
privacy point of view, why not?
And if the answer is that there is no difference, what
should be InfoSec’s response? Should the policy take priority over the fact
that there is an alternative cheaper medium that is secure enough for the business?
Comments