Incident Response, TDR, Vulnerability Management

Encryption: Why now?


Tools to encrypt sensitive data have been with us at least since the reign of Julius Caesar, who used a simple letter-shifting code to communicate with his generals. Military leaders to this day encrypt their battlefield communications in an effort to prevent sensitive information from falling into the wrong hands and to save lives.

 Until recently, however, encryption has played a relatively minor role in protecting commercial data.

In the last five years, that situation has changed dramatically as enterprises have come to view confidential information and the intellectual property it contains as the new "coin of the realm." As incidents of industrial espionage and identity theft have proliferated and governments globally have come to view personal privacy as a right that must be protected, encryption technologies are playing an increasingly important role in enterprises large and small.

Perhaps the seminal event in encryption reaching this "tipping point" was the passage of California's data breach disclosure law in July 2003. Known as SB 1386 and little noticed at first, the bill requires that any corporation that loses "personally identifiable information" of a citizen of California to publicly disclose that loss.

Initially, few people paid much attention to the law, but as the frequency and scale of breaches has increased, the cost of disclosure and remediation has also risen.

It's now estimated that it now costs almost $200 per record to recover from a disclosable data breach. The Privacy Rights Clearinghouse, which started documenting data breaches in 2005 estimates that more than 215 million records have been breached in that time.

The other forcing function that is driving enterprises globally to adopt broad encryption policies is the recognition that the notion of a "data perimeter" is largely outdated.

There was a time that convention held that if you kept all confidential information secure behind a well designed firewall structure you could generally assume it was safe. In the last five years, however, this approach has become progressively less effective as the perpetrators of identity theft have become more sophisticated and aggressive and enterprises have widely deployed mobile devices across most corporate functions.

The more important issue here isn't really the bad guys. The proliferation of mobile devices has effectively eliminated "fixed fortifications" as an effective tool in preventing data breaches.

The fact is that most important enterprise data is now both created and consumed outside of the secure perimeter. In this environment, IT architects must develop and deploy security solutions that travel with the data globally. Hence, the turn to encryption to protect data while in motion and at rest.

Given the increasingly sophisticated attacks on confidential data, the increasing cost of breach, and the reduced role of firewalls and intrusion detection tools to protect data, it's little wonder that the largest enterprises have come to view encryption as a key component in the data security wars. Fortunately, data encryption technology, or more accurately encryption deployment technology has also reached a tipping point that make it a practical and cost effective solution to many of the issues cited above.

While the core ciphers and hash algorithms have not changed significantly in the last decade, the ability to deploy in the real world has changed markedly.

Unlike the (largely failed) first generation PKI products, today's data encryption solutions have very sophisticated policy management, key management, and auditing capabilities built in.

Encryption, however, is not a technology that can simply be "painted on" existing IT infrastructure. To be effective it needs to tightly integrate with the complex and sometimes fragile directory, email, storage, and file transfer infrastructures in place in all enterprises. Fortunately, there are now solutions available that comprehend this integration challenge.

So, we now arrive at one of those rare instances where the needs and capabilities of a technology are synchronized. It really is a tipping point in the classic sense. What it means is that five years from now no one will even think of deploying mobile devices, new email infrastructure, or any other enterprise system that deals with confidential information with robust encryption technology built in.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.