Andrew Buss, originally published on CRN
Data protection remains top-of-mind for many companies. Data losses continue across both public and private sectors. With increasing penalties and regulation around data breaches, encryption is one key to data protection and reduced business risk.
We recently ran an online poll examining the vision around and reality of encryption. Online polls tend to be self-selecting, many respondents to such a survey will have a healthy interest in IT security or encryption. This will bias the numbers somewhat towards protection or encryption compared to a more balanced or random sample but does indicate what IT security professionals might be thinking.
Our poll suggested that encryption is increasingly used as a proactive data protection strategy. In the past, it was often used to lock the barn door after the horse had bolted.
New drivers are now pushing encryption. These include mobilisation and home working – which is on top of the list — a recognition that data types and volumes are soaring, and compliance directives. Doing nothing is no longer an option.
The need for protection is also based around the perceived vulnerability to loss or theft – for example of notebooks, or backup files.
However, servers may be just as much a risk for data loss if, for example, disks are disposed of without secure erasure of the data on them, or the data exists in the form of easily copied, unprotected virtual machines.
If we look at the encryption on notebooks by mobile workers, the biggest barrier is not to do with the load on systems or the cost of the offering, but concerns around practical implementation.
The next challenge is about key management — common problem in pretty much all encryption implementations, despite the lower prices of today’s more integrated offerings.
Clearly there is a lot of room for improvement, and opportunity to add value by integrating the various encryption technologies into a manageable stack.
Strategically, encryption should be a unified implementation across the company, regardless of where it is used. All the elements should interact and interoperate. This won’t happen overnight, but should be planned for.
First, deal with immediate pain points around mobility and compliance. In many cases this will mean protecting the data at rest on mobile devices, including portable storage. You may encrypt the entire device, as with some smartphones, or through tools for PCs or servers.
The trick will be to avoid re-inventing the wheel and to reuse where possible existing infrastructure tools such as key management systems. Getting a single platform to cover multiple encryption implementations is still tricky, although things are starting to become a little more integrated.
The key management platform must also be future-proofed one way or another, as data from all locations may need to be accessed over a period of time, perhaps spanning some decades.
Addressing the basics should start to close the gap between vision and reality. Encryption can then be extended further into the infrastructure so that data on servers, for example, is protected, not just when it is on a notebook. After all, many security breaches, intentional or accidental, occur internally.
Once these encryption fundamentals are widespread, technologies such as rights management and data leakage protection can help protect data at what is arguably the weakest link — the authorised end user.