The University's Role in Advancing Data Encryption, Part 2
"Identity theft is one of the fastest-growing cyber-crimes, and, as a result, 38 states have identity theft legislation -- with some states using encryption as a safe haven," said Southwestern Illinois Community College CIO Christine Leja. "The education market as a whole is becoming more serious about protecting student information and is looking to encryption as the means to making that happen."
Nov 1, 2007 4:00 AM PT
Research into encryption technology is on the rise at universities and colleges, spurred on by technological advances, pressing security needs, and new legislation and regulations, as Part 1 of this series notes.
Investigators in both industrial and academic settings are now looking into a wide range of areas where encryption can be applied.
"There is a 'productization' of the technology, where it is being used to protect USB thumb drives, shared and virtual storage environments, and throughout the supply chain," PGP President and CEO Phil Dunkelberger told TechNewsWorld. "Encryption is also being used with nanotechnologies and quantum cryptography, which can guarantee secure communication among two parties. Key management is the cornerstone of encryption and true enterprise data protection."
While most research is aimed at finding ways of creating more robust encryption algorithms, network performance is an area that should not be overlooked, CipherOptics' Chief Marketing Officer Jim Doherty added.
"In general, stronger encryption means more processing, which almost always means longer processing times," he explained. "Today's high-performance networks must be able to meet the latency requirements of delay-sensitive applications such as Voice and Video over IP. While there may be a niche market for security over performance types of solutions, broad adoption of new encryption algorithms will be determined by speed as much as they are by security."
Security vs. Performance
The Rochester Institute of Technology's (RIT) networking, security and systems administration department is undertaking exactly that type of research. Last October, members of a study team published a paper detailing the results of their investigation into the comparative performance of Layer 2 and Layer 3 IPSec Ethernet encryption.
Sponsored by SafeNet, which was looking for independent testing and benchmarking of its Ethernet Encryptors, the study was designed to test and confirm significant performance advantages associated with using Layer 2, as opposed to Layer 3, encryption solutions, which were suggested by earlier research.
"Today's networks require encryption to secure data as it traverses the globe. SafeNet identified early on that the overhead resulting from the use of IPSec to secure these networks was detrimental to network performance," SafeNet's Matt Pugh told TechNewsWorld.
"Finding a solution required us to re-evaluate how we typically go about protecting networks," he continued. "At SafeNet, we learned that if we could push encryption further down the network stack -- say to Layer 2 -- huge performance benefits could be gained in terms of latency and available bandwidth. For most organizations, this translates directly to reduced costs of expensive WAN links."
The RIT researchers also made recommendations for future studies.
"There are a number of factors that must be considered when choosing a WAN (wide-area network) encryption technology," they wrote. "Performance is one such factor; however, a careful analysis must be performed to ensure the solution meets all of the needs of the organization. A future study might work to develop a quantitative framework for analyzing these non-performance related factors. This study was performed using discrete frame sizes for each test run. A future study might analyze these performance characteristics with varying frame sizes as commonly found in mixed Internet traffic."
ID Theft, Legislation
Southwestern Illinois Community College is among a growing number of higher education institutions building encryption into their courses and curricula -- as well as using it on campus to protect data.
In addition to offering a data assurance course that includes an encryption component, "there is discussion about making the class a required course, given the new student online self-services. [The] curriculum committee and the industry advisory group for information sciences are discussing the infusion of encryption throughout [the college's] curriculum offering," Christine Leja, chief information officer, told TechNewsWorld.
Legislation and the introduction of payment card security standards, such as the Payment Card Industry Self-Assessment Standard, are encouraging colleges and universities, as well as public and private sector organizations, to curb the growth of identity theft. The activity is also prompting them to find applications for encryption technology, Leja noted.
"Identity theft is one of the fastest-growing cyber-crimes, and, as a result, 38 states have identity theft legislation -- with some states using encryption as a safe haven. Higher education provides open and secure access for its students, and encryption offers a clear path to secure sensitive data and support an open, mobile environment. The education market as a whole is becoming more serious about protecting student information and is looking to encryption as the means to making that happen," she commented.
Given constraints on available funds and time, colleges and universities for the most part are taking a phase-in approach to their adoption of encryption solutions, choosing one area as a starting point and expanding usage from there, Leja explained. "In the case of securing data, the most critical data is protected first, followed by an augmentation in services."
Putting Encryption to the Test
Southwestern Illinois is making use of GuardianEdge's encryption solution to secure its mobile data. The first phase of the implementation focused on securing mobile data for a team of 30 IT project managers making use of student information for their project.
"Because the 30 team members worked both in the office and remotely, each of them were given laptops containing the student data they required to complete the project, thus dramatically increasing the risk of having a laptop lost or stolen, or of the data being exposed to a non-project team member," Leja elaborated.
The need for different approaches to encrypting static and dynamic data also factors into Southern Illinois' encryption deployment plans.
"Static data -- data stored on databases -- will be encrypted when stored and stay encrypted until decryption is required for readability. Dynamic data is 'on the move' and may encounter change. Encryption for dynamic data involves sharing keys and algorithms with trusted parties to prevent open data viewing should the data fall into nefarious hands. First, a primary focus is protecting the static data. Encryption of dynamic data will then follow the static data," Leja explained.
While database software for application systems, such as enterprise resource planning, provides secure encryption for static data, there is a corresponding lack of support for dynamic data.
"What is extremely difficult is protecting dynamic data on the move via laptops, USB devices, iPods, etc.," noted Leja. "Encryption to the device and sustained on the device is extremely important in an academic environment where data is very mobile."