Sep 08 26
Is encryption just a waste of time?
Posted by Angus Kidman @ 13:10 6 comments
Faced with the thought of a USB drive, notebook PC or backup tape going missing, most IT managers look to some form of encryption as the first layer of defence. However, according to one storage security expert, that's largely a pointless exercise.
"I often refer to encryption as crypto fairy dust," Eric Hibbard, chair of the Security Technical Working Group in the Storage Network Industry Association, said in a recent interview. "A lot of IT managers sprinkle this on and think it makes certain problems go away."
The reality, Hibbard suggested, is rather different. "If you're doing encryption in the storage ecosystem, the pay off is very limited. A hard drive or tape drive wandering off is a real problem, but that's not a data confidentiality issue; it's a media confidentiality issue. If you're talking about sensitive information, encryption is just one tool in the toolbox. If you don't have that mated to tight authentication and access control, you're screwed."
Of course, there are plenty of reasons why such a mating isn't happening. Getting to that kind of integrated nirvana is a worthy goal, but rarely happens in IT environments where heterogeneity is a fact of life. There simply isn't time, budget or staffing expertise to bring it all together, so access control tends to be limited to the most pressing projects.
Do you think Hibbard is on the right track here and it's time to vacuum up the fairy dust, or is encryption still the best option of a messy bunch for basic data security?
The real issue is that most data "leaks" are caused by those with legitimite access to the information. Typically, docs are opened then saved to thumb, emailed or renamed, in transit out of the organisation. I agree with Hibbard that encryption is just a part of the whole solution but not a solution in itself.