|
 |
|
General Information
|
Add To My Personal Library |
June 13, 2008
• Vol.30 Issue 24
Page(s) 27 in print issue
|
Encryption: Advantages vs. Drawbacks
To Encrypt Or Not To Encrypt
|
Even though it makes lots of sense, implementing encryption in the enterprise has its drawbacks, including complexity, cost, lack of scalability, and lack of interoperability with VoIP systems. So even though implementing encryption is appealing, many businesses may balk at the potential obstacles.
Enterprises must take the time to look carefully at encryption’s advantages and drawbacks before implementation. Only then will decision makers be able to judiciously consider the alternatives and make a sound business decision.
 Encryption Advantages
One advantage to encryption is that it separates the security of data from the security of the device where the data resides or the medium through which data is transmitted, says Bruce Schneier, chief security technology officer at BT (British Telecom; www.bt.com). When data itself is encrypted, adds Schneier, it allows administrators to use unsecured means to store and transport data, since security is encompassed in the encryption.
Other key advantages to implementing encryption include the elimination of the pain that comes with data breach disclosures, the provision of strong protection for intellectual property, and the fulfillment of myriad regulatory compliance requirements, says Gretchen Hellman, senior director of marketing for Vormetric (www.vormetric.com).
“Encrypting of sensitive information is an important component of any defense-in-depth model because it places security measures directly on the data itself,” says Hellman. In other words, no matter where encrypted data travels, it is always secure because the encryption travels with it.
Beyond encrypting data at rest, businesses must also consider the transmission of data via various transmission means, such as email. Kevin Kennedy, product manager for IronPort (www.ironport.com), says companies should keep in mind that standard email is not secure and is in fact tantamount to writing sensitive information on postcards that are sent via the mail.
By using encryption, enterprises not only guarantee the confidentiality of information but may also meet the requirements of regulations such as HIPAA, GLBA, or Sarbox that require the implementation of measures to keep sensitive data secure, says Kennedy.
“I equate encryption with confidentiality,” says Scott Palmquist, senior vice president of product management at CipherOptics (www.cipheroptics.com). According to Palmquist, encrypted data that can only be read by a system or user who has the key to unencrypt the data means the system or user is authorized to read the data. And, he adds, encrypted data cannot be accessed by third parties, who only see random strings of bits when they intercept data packets.
Randy Kerns, chief technology officer at ProStor Systems (www.prostorsystems.com), says the most advantageous security addition with encryption is its use with removable storage.
"Removable storage, by its very nature, can leave the premises and the control of a company and be compromised. Encrypting this information is an excellent insurance policy and is mandated for some types of information based on regulations,” says Kerns.
So, using encryption comes with numerous advantages to enterprises that need to protect both data at rest and data in flight. At the end of the day, however, the advantages behind encryption all boil down to one simple fact: It’s protecting data from prying eyes, even when systems such as storage devices or networks are compromised. It’s the last line of defense.
Encryption Drawbacks
One thing about encryption is certain: It is a very complex technology. Just a cursory look at the intricacies behind encryption algorithms and keys is all that’s needed to rapidly understand that this is about as close to rocket science as technology can get.
For example, take encryption keys. One of the main drawbacks of encryption, says ProStor Systems’ Kerns, is the fact that management of encryption keys must be an added administrative task for often overburdened IT staff. In fact, adds BT’s Schneier, one big disadvantage of encryption as it relates to keys is that the security of data becomes the security of the encryption key.
“Lose that key, and you effectively lose your data,” says Schneier.
Also, says CipherOptics’ Palmquist, encrypting data and creating the keys necessary to encrypt and decrypt the data is computationally expensive. No matter what type of encryption is used, the systems performing the computational heavy lifting must have available resources, he adds.
Hay Hazama, vice president of research and development at Safend (www.safend.com), says one of the common drawbacks of traditional full-disk encryption solutions is the reduction of overall system performance upon deployment.
“In fact,” says Hazama, “analysis shows that the data access time increases significantly after full-disk encryption implementation.” These performance hits can be mitigated, adds Hazama, by avoiding the encryption of operating system files, application files, and the empty space on a hard drive, none of which affects data file security.
Adopters should not set the expectation that data encryption is a panacea for mobile security threats, says Jonathan Dale, product manager at Fiberlink Communications (www.fiberlink.com).
"It is important," says Dale, "to understand some of the limitations of data encryption technologies so that you don’t set unrealistic objectives.” For example, he adds, data encryption does not prevent employees from emailing sensitive data to outside parties or from signing on to laptops and then walking away. And encryption won’t prevent a hacker, virus, or file-sharing program from opening and transferring a sensitive file, he adds.
A key pitfall administrators should be wary of is that a poor encryption implementation could result in a false sense of security, when in fact the enterprise is wide open to attack, says Robert Moskowitz, senior technical director at ICSA Labs (www.icsalabs.com).
“Encryption may add a procedural burden to employees that they diligently work around, leaving the enterprise wide open to the consequences,” adds Moskowitz.
Another challenge is the difficulty of layering encryption onto existing applications and data stores, says David Thompson, senior product manager at Voltage (www.voltage.com). In fact, he says, administrators often struggle after an encryption implementation with preventing unwanted impacts on operational activities.
And, adds Thompson, organizations also have to grapple with the burden that comes with managing the encryption keys required to secure data. As far as keys are concerned, data-at-rest applications require keys to be kept for long periods of time, so key storage is an important issue, says CipherOptics’ Palmquist. Data-in-motion keys, on the other hand, are transitory and only need to be retained for the duration of the packet transmission.
“In either case, data at rest or data in motion, the keys can never become compromised,” he warns.
Plan Your Strategy Wisely
Careful planning is the key to a successful implementation of enterprise-wide encryption. Without it, the innate complexity of the technology can quickly become unmanageable for administrators and difficult to use for end users. Transparency is critical to implementing encryption successfully and delivering peace of mind for managers, administrators, and employees who depend on well-protected data. 
by Sixto Ortiz Jr.
View the chart that accompanies this article.
(NOTE: These pages are PDF (Portable Document Format) files. You will need Adobe Acrobat to view these pages. Download Adobe Acrobat Reader)
View the chart that accompanies this article.
(NOTE: These pages are PDF (Portable Document Format) files. You will need Adobe Acrobat to view these pages. Download Adobe Acrobat Reader)
|
|
