Tech Time: What Should Credit Unions Know About Encryption?
It’s the unfortunate reality of the world we operate in today: Statistics show that your credit union will suffer a data breach or, at a minimum, an attempted breach. It’s going to happen, and nobody is immune. Thus, it’s critical to limit your risks.
But how can you do that? There are many ways to protect sensitive data, but the foundation of any security and data-leakage prevention program is encryption. Encryption transforms readable information into ciphertext that looks like random bytes to anyone who does not hold the key. Whether member data sits in your own data center or in the cloud, an attacker who copies the encrypted files gets nothing usable without that key. One caveat matters in practice: encryption protects data against theft of the storage or device, not against an attacker who has stolen a valid login or compromised an application that is already authorized to decrypt it. Within that limit, it greatly reduces the impact of a data breach on a credit union.
It’s equally important to manage the encryption keys well, because whoever holds the key holds the data. Centralized key management puts key generation, distribution, rotation and revocation under one console rather than scattering keys across devices and spreadsheets, which makes them easier to administer and audit. The console itself then becomes the most sensitive system you run: restrict who can administer it, log every key operation, and keep the master keys in a hardware security module or equivalent, so that centralization reduces exposure rather than concentrating it. Managed this way, key control reduces data breach risk and helps support regulatory compliance.
Speaking of compliance, encryption is called for by many data protection regulations. The National Credit Union Administration requires federally insured credit unions (12 CFR Part 748, Appendix A) to maintain an information security program that protects the security and confidentiality of member records. Whether a breach must be disclosed depends largely on whether the exposed data was encrypted: most U.S. state breach-notification statutes exempt data that was encrypted and whose key was not also compromised, and NCUA’s response-program guidance likewise turns on whether misuse of the information is reasonably possible. A breach of unencrypted member data therefore means disclosure, with the financial cost and loss of member trust that follow. To avoid that outcome, credit unions need tight access controls and encryption of member information wherever it is located, at rest and in transit. In practice that means AES with at least a 128-bit key (AES-128 or AES-256) for stored data, TLS for data moving over the network, and tightly restricted access to member information and the systems that hold it.
What Options are Available for Encryption?
Credit unions can consider several different encryption approaches. One is device-based: full-disk encryption that ships with the operating system, such as Microsoft’s BitLocker for Windows and Apple’s FileVault 2 for Macs, or one of many third-party software products. (BitLocker and FileVault are software encryption; what the hardware typically contributes is a TPM or secure enclave that stores and protects the key.) Device encryption protects data while it rests on physical servers, laptops, desktops, USB drives or tablets, so a stolen laptop or thumb drive yields nothing to anyone who does not have the key. The limit is just as important: once a user has unlocked the device, every process and every user on it sees the data in the clear, so device encryption defends against loss and theft, not against malware or a compromised account on a running machine.
One thing to keep in mind is that many of these solutions unlock with a device PIN or passphrase shared by everyone who uses the device, so there is no way to tell users apart or to revoke one of them without changing the PIN for all. That is an unnecessary risk. Consider instead a solution with user-based key authentication, where each user has unique credentials and keys scoped to the data he or she is permitted to see, and where one console manages access across the different operating systems and device types in use. Unifying your encryption products under one management console also greatly simplifies visibility, reporting and auditing.
A second option encrypts the data rather than the device: file-, folder- or virtual-machine-level encryption, which should be a staple in cloud and virtualized data centers. Because the encryption travels with the file, folder, dataset or VM image, the data remains protected when it is moved to another server, copied to a different device or stored in the cloud, whatever protections that destination does or does not have. The key, kept separate from the data, is what gates access.
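The per-user keys described above and the persistent, data-level encryption in the previous paragraph fit together as envelope encryption, shown here in an added Go example written for this page (it is not WinMagic code or the article’s own). The record is encrypted once under a random data key using AES-256-GCM from Go’s standard library; that data key is then wrapped separately for each authorized user, so the ciphertext carries its own access list and stays protected wherever it is copied. The function names Seal, Open and Revoke, the user names and the member record are all constructed for illustration; real deployments derive each user’s key-encryption key from credentials or an HSM rather than passing raw bytes.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Sealed is a file-level ciphertext that carries its own access list:
// one copy of the data key per authorized user, wrapped under that user's key.
type Sealed struct {
	Nonce      []byte
	Ciphertext []byte            // AES-256-GCM over the member record
	WrappedDEK map[string][]byte // user ID -> nonce || AES-GCM(DEK) under user's KEK
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// Seal encrypts record under a fresh 256-bit data key (DEK) and wraps that DEK
// once for every user in keks (user ID -> that user's key-encryption key).
func Seal(record []byte, keks map[string][]byte) (*Sealed, error) {
	dek := randomBytes(32)
	aead, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	s := &Sealed{Nonce: randomBytes(aead.NonceSize()), WrappedDEK: map[string][]byte{}}
	s.Ciphertext = aead.Seal(nil, s.Nonce, record, nil)
	for user, kek := range keks {
		w, err := newGCM(kek)
		if err != nil {
			return nil, err
		}
		n := randomBytes(w.NonceSize())
		// The user ID is bound in as associated data, so one user's wrapped
		// key cannot be relabelled and presented as another user's.
		s.WrappedDEK[user] = append(n, w.Seal(nil, n, dek, []byte(user))...)
	}
	return s, nil
}

// Open recovers the record for user, who must present the KEK that wrapped the DEK.
// Any wrong key, missing entry or modified byte fails authentication.
func Open(s *Sealed, user string, kek []byte) ([]byte, error) {
	wrapped, ok := s.WrappedDEK[user]
	if !ok {
		return nil, errors.New("no key wrapped for this user")
	}
	w, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	ns := w.NonceSize()
	if len(wrapped) < ns {
		return nil, errors.New("malformed wrapped key")
	}
	dek, err := w.Open(nil, wrapped[:ns], wrapped[ns:], []byte(user))
	if err != nil {
		return nil, errors.New("wrong key or tampered wrapping")
	}
	aead, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	plain, err := aead.Open(nil, s.Nonce, s.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("ciphertext tampered")
	}
	return plain, nil
}

// Revoke removes a user's wrapped copy of the DEK without re-encrypting the record.
func Revoke(s *Sealed, user string) { delete(s.WrappedDEK, user) }

func main() {
	// Constructed sample record and per-user KEKs (in practice: derived from
	// each user's credentials or released by an HSM, never raw bytes like this).
	record := []byte("member:0001234 name:Jane Q. Sample acct:****1234")
	alice, bob := randomBytes(32), randomBytes(32)
	s, err := Seal(record, map[string][]byte{"alice": alice, "bob": bob})
	if err != nil {
		panic(err)
	}
	got, err := Open(s, "alice", alice)
	fmt.Printf("alice: %q err=%v\n", got, err)
	_, err = Open(s, "bob", alice) // bob's slot, alice's key
	fmt.Println("bob with alice's key:", err)
	Revoke(s, "bob")
	_, err = Open(s, "bob", bob)
	fmt.Println("bob after revocation:", err)
}
```

Revoke drops a user’s wrapped copy without touching the record; a user who had already unwrapped and cached the data key could still read the old ciphertext, so a real system also rotates the data key when access is withdrawn. Because the user ID is bound into each wrapping as associated data, a wrapped key copied from one user’s slot into another’s fails authentication rather than silently granting access.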
What Should Credit Unions Have on Their Radar?
With the rapid adoption and evolution of cloud and virtual desktop infrastructure technologies, as well as emerging technologies like the Internet of Things, data is constantly on the move. This makes persistent encryption all the more important.
When it comes to the cloud and member data security, remember the shared responsibility model: the cloud service provider secures the infrastructure and the network, but you are responsible for your data in it. Encryption must therefore be applied by the credit union or its encryption provider, and it matters who holds the key. Encryption the provider performs with keys it also controls protects against physical theft of its disks, but not against a compromise of your cloud account or of the provider itself; keys that the credit union generates and controls protect the data in both cases.
Also important is that data privacy obligations have grown beyond your own borders. The European Union’s General Data Protection Regulation, which takes effect May 25, 2018, reinforces the care that must be taken with personal data. If your business members operate or have customers in the EU and share that data with you, your credit union may share liability for a breach of it. Fines for failing to take appropriate measures can reach €20 million (roughly $21 million) or 4 percent of worldwide annual turnover (revenue, not net income), whichever is higher. GDPR also names encryption as an appropriate technical measure, and it does not require notifying affected individuals when the breached data was unintelligible to the attacker, which encryption with an uncompromised key achieves.
The bottom line is that your credit union can’t afford to simply think of members’ data as their information. It should be treated as if it were your own personal data. Think of how you’d want your information protected and provide those same protections to your members. Encryption is key to that protection and must be the base layer of your data security efforts.
As COO at WinMagic, Mark Hickman is responsible for direct and channel sales, marketing, professional services and global business development. Prior to joining WinMagic, he held senior sales management positions with Computer Associates, BEA Systems Inc., and RightNow Technologies.