Who cares about encryption & why hard disk cryptography is only part of the solution...
By Simon Thorpe on Jul 23, 2010
One of my favourite sources of IT news and information is The Register, a UK based IT news related website that is written with style and often makes what can be a dull subject of IT, compelling reading.
I just read an article by Jon Collins which details results of a recent poll asking about general use of encryption and what people thought were the main areas where cryptography should be used to protect sensitive information. Run by research company Freeform Dynamics, Jon points out that their polls typically attract those interested in the subject matter, so its safe to say my Mum wasn't answering the questions.
The first analysis from the article looks at the answers to "Which of the following drivers are likely to influence your organisation when it comes to requirements for encrypting data?" Pretty obvious results with compliance in first place, then protecting the storage of confidential information and protecting information due to an increasingly mobile workforce.
No surprises here, more and more regulatory controls specify that credit card data, patient information, etc needs to be encrypted. Companies with large amounts of sensitive information, such as financial data, intellectual property and trade secrets need to protect the storage of that data and also when it's used on a mobile device, typically a laptop.
However when the poll asked what the most important areas of encryption were, the results revealed concerns of the modern, mobile workplace. The question was "In an ideal world, which of the following do you think should be encrypted and to what degree?"
So the top three ideal-world targets for encrypting everything are, in order:
- Data stored on notebooks used by mobile workers
- Data stored on smartphones and other portable/handheld devices
- Data stored on desktops/notebooks used in home locations
Combine this with the following quote from Jon's article... "The executive who found himself personally responsible for a data breach when his laptop was stolen from his house may have been taken by surprise, as there is a lingering mindset that security is a central infrastructure thing. But rules and regs like PCI are not fussy about which particular part of the IT infrastructure is involved, be it a SAN in the data centre, or an SD card in a phone. It's all just IT."
Information rights management is a perfect solution for these encryption challenges. But it goes beyond just the mobile or home use, IRM uses encryption at the document or email level. So no matter where the information is stored, it's always encrypted. Another really nice feature of IRM is that even when the content is in USE, it is protected. So the file on the hard disk, the file being sent over the network and the file in your Word/Excel/PowerPoint/Adobe Reader/Internet Explorer etc is ALWAYS secured with IRM.
Unfortunately the article ends with some not so good news. The poll finds that one of the main reasons not to encrypt information on notebooks, removable devices (DVD's, CD's, USB drives etc) is the "practicalities around implementation" and "challenges with key management". So people view that deploying an encryption solution for mobile devices is difficult. Yet IRM is actually pretty easy to deploy and use and Oracle IRM has excellent key management.
Finally, and this is the real killer for me, is Jon's closing message, "Meanwhile, the message to end-users is, if you haven't already encrypted your laptop data, you'd best get on with it - or at least ask your IT department how to do it". I would be that most IT departments are going to end up looking at hard disk encryption to secure documents stored on mobile devices. Yet this really doesn't solve the greatest risk.
The advantage of hard disk encryption is it protect every file stored on it, unlike IRM which applies encryption to a limited set of supported file formats. However, that is also one of its main weaknesses... hard disk encryption ONLY protects the information whilst it is stored on the disk. It doesn't do anything to protect against the following challenges.
- Research shows that data loss incidents are usually by accident and by people outside your organization. So basically it's the supplier you sent your trade secret document to that stores it on an unencrypted USB key which gets lost on train. Encrypting your employee hard disks doesn't get close to solving that problem.
- Hard disk encryption only protects the content whilst it is stored on the disk. As soon as that content is attached to an email, copied to a USB key or even just opened in Word, it now exists in an decrypted state. IRM is persistent in its security because the cryptography is applied at the document level and is combined with tight application integration to ensure that you can't even copy and paste sensitive data from a document into a non-encrypted world.
So whilst IRM is not the be all and end all of information security, combined with technologies like DLP, hard disk encryption, network encryption etc, it brings a huge difference in the reduction of the risk and exposure of an organization to losing control of their most sensitive information.