Many of the past year’s most prominent headlines involved data theft, as corporation after corporation fell victim to large-scale information theft. While many victims had hackers and devious insiders to blame, other incidents were simply due to human error, such as lost data tapes and stolen laptops. In cases of human error, CIOs may think that their organization’s information would never be at risk because they encrypt their data. But is this really enough?

Many organizations assume that information stored on laptops, desktops and tapes is completely secure if it is encrypted, and to some extent that is true. But while encryption is an important piece of the security puzzle, it is only one piece. CIOs need to make data encryption one part of a broader security strategy to fully avert the risk of data theft.

Why Encryption?

Organizations are increasingly distributed and mobile, and the ability to ship and carry secure information is imperative for business continuity. Yet human error is always a factor – be it leaving a laptop behind at the airport, or having your shipping carrier misplace your package of backup data tapes. So while CIOs can’t necessarily control the shipping process, they can ensure that controls are in place to protect data on these systems, preventing Mary Bad-gal from accessing the 250,000 social security numbers stored on the laptop she just grabbed out of the backseat of your unlocked car. Mary might be savvy enough to turn the laptop on, but she is very unlikely to be able to decrypt the encrypted information stored on the laptop.

Encrypted data is scrambled in such a way that it cannot be read by anyone unless they have a decryptor (usually special software on a computer) and the decryption key. Anyone without the right key, even with years of time and huge computing resources, could not unscramble and read the message.

Where to Use Cryptography

We can use crypto products to provide confidentiality for transmissions or data files, strong user authentication, authentication of creators of documents, data integrity, and non-repudiation (protection against someone denying they originated a communication or data). You are probably already using cryptography—VPN clients and servers are de rigueur to allow remote access for teleworkers and travelers.

Looking at the challenge with a broad view, most CIOs differentiate between “data at rest” and “data in motion.” Prudence seems to dictate protecting both data at rest (sitting on a server or on archive or backup media) and data in motion (flowing over networks). Since most readers are already using VPNs, the next most useful place to use cryptography is on portable computers that contain sensitive data.

On a portable computer, the data is both at rest, in that it is locally stored, and in motion, in that the computer itself is easily transported inside and outside the physical security perimeter of the organization. When a portable computer is lost or stolen, you hope that the thief was just after the hardware and software and not the data. Most companies can handle the computer loss better than the loss of trade secrets, business plans, and personal information. Since the impact of loss may be very high, the threat is certainly greater than 1 (it is possible and happens more than you think—an Internet search on “lost laptop” may surprise you), and the cost to mitigate this risk is relatively low, it makes sense to consider encrypting the data on portable computers carrying sensitive information. The material cost to implement this is very low. Both Microsoft Windows XP/Professional and Mac OS X support encryption of all user-area files. Without the login password, user data on the computer is inaccessible to anyone.

Crypto Myths and Truths

Myth: Crypto is hard to use.
Truth: Writing cryptographic algorithms and products is difficult. Modern cryptography is effective, often inexpensive, and can be easy to use.

Myth: Cryptography is expensive.
Truth: Some cryptography is free to use for the end-user (such as SSL-encrypted Web pages). But your organization will have to pay the price of purchasing, creating, protecting, and managing server certificates. As with any security measure, deploying cryptography requires planning, counting the cost of deployment, user education, support, and maintenance.

Myth: Cryptography must be deployed everywhere, throughout an organization.
Truth: Cryptographic solutions should be deployed where and how your risk assessment indicates they will do the most good.

Myth: When we have cryptography everywhere, we will no longer need firewalls (or antivirus, or...).
Truth: Cryptographic solutions can and may be effectively deployed and used as part of an organization’s overall risk mitigation plan. Crypto is not a magic bullet. It may be part of a computer and network security defensive arsenal.

The Rest of the Encryption Story

Since a user has to occasionally access sensitive data, all encrypted data, to be useful, becomes unencrypted for use. Sometimes individual files are decrypted, sometimes the whole hard drive. This is the point of vulnerability for sensitive information, and this is where other controls and practices are needed.

To ensure that your encryption investment holds its value, an organization must rely on synergistic controls—combining various measures, mechanisms, and methods—shored up by encryption (where it makes sense). Strong encryption accessed via weak passwords merely slows down an attacker.
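The weak-password point can be put in numbers. The following Python sketch is an added example, not part of the original article: it derives a 256-bit key from a password and estimates how much search effort the password policy actually buys. PBKDF2-HMAC-SHA256, the iteration count, the 80-bit target and the sample policies are all assumptions chosen for illustration.

```python
import hashlib
import math

NOMINAL_KEY_BITS = 256       # assumed cipher key size (e.g. AES-256)
ITERATIONS = 600_000         # assumed PBKDF2 work factor
TARGET_BITS = 80             # assumed minimum acceptable search effort

def derive_key(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Turn a login password into a 256-bit key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=NOMINAL_KEY_BITS // 8)

def password_bits(alphabet_size: int, length: int) -> float:
    """Upper bound on password entropy, reached only if every symbol is random."""
    return length * math.log2(alphabet_size)

def effective_bits(alphabet_size: int, length: int,
                   iterations: int = ITERATIONS) -> float:
    """Effort to search the whole password space, in bits.

    Each guess costs `iterations` hash calls, adding log2(iterations) bits.
    The result can never exceed the nominal key size.
    """
    work = password_bits(alphabet_size, length) + math.log2(iterations)
    return min(work, float(NOMINAL_KEY_BITS))

# Constructed sample policies: (description, alphabet size, length)
POLICIES = [
    ("6 lowercase letters", 26, 6),
    ("8 mixed-case letters and digits", 62, 8),
    ("5 random words from a 7776-word list", 7776, 5),
    ("16 printable ASCII characters", 94, 16),
]

def audit(policies=POLICIES, iterations: int = ITERATIONS):
    """Return (description, effective bits, meets target) for each policy."""
    return [(name, round(effective_bits(a, n, iterations), 1),
             effective_bits(a, n, iterations) >= TARGET_BITS)
            for name, a, n in policies]

if __name__ == "__main__":
    key = derive_key("summer", b"constructed-salt")  # constructed inputs
    print(f"derived key is always {len(key) * 8} bits long")
    for name, bits, ok in audit():
        print(f"{name:40s} {bits:6.1f} bits  {'ok' if ok else 'WEAK'}")
```

The key is 256 bits long in every case, but the effort needed to reach it is set by the password policy, and passwords chosen by people fall below these upper bounds.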

Again, encryption does provide valuable protection; it is just not entirely effective on its own. As CIOs evaluate their organization’s security strategy, they should look at how the security approach uses encryption and recognize just how powerful encryption can be when aligned with other security solutions and strategies. Otherwise, it becomes just another security step that seems right, but does little.