Trying to keep corporate secrets away from prying eyes? We evaluate five encryption software packages.
I guess in a perfect world we would not even have the term encryption in our dictionary; the same would go for car alarm, PIN, and theft. Alas, we are a bit more than a tad off living in a perfect world and so security is a very important issue. Many people use the terms encrypt and encode interchangeably, but this is not strictly true. To encode something simply means to change it to a form that renders it easier to transmit or store. For example, in the days before voice could be transmitted over wire or radio we had Morse Code, which (far from being a secret) was a code that enabled bursts of electricity or radio noise in short and long durations, dots and dashes, to be universally understood by anybody listening with a receiver.
Encryption, on the other hand, is a completely different kettle of fish. Rather than encoding, an encryption algorithm converts the data into ciphertext, which can't easily be understood without decrypting it first. The actual algorithm used to do so is called a cipher. The sole purpose of encryption is to prevent unauthorised access to the data; ideally only those authorised have the ability (and the necessary decryption key) to convert the data back to its original form.
It's probably true to say that encryption came into existence around the same time as communication. When our ancestors were still running around on their knuckles they probably had a series of secret grunts that the neighbours didn't understand.
Ciphers range from the very simple, such as substituting numbers for letters, right up to very complex algorithms that require a reasonable degree of computing power just to encrypt and decrypt, and of course enormous (and hopefully prohibitive) amounts of computing power to break without the correct algorithm or decryption key.
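The difference between encoding and encryption, and the weakness of the simplest ciphers, shown as an added example (not part of the original article): Morse is reversed with nothing but the public table, while a letter-shift cipher needs a key, yet with only 25 possible keys it falls to exhaustive search. The message, key and word list are constructed for illustration.

```python
import string

# International Morse for A-Z: a public table, so anyone can reverse it.
_CODES = (".- -... -.-. -.. . ..-. --. .... .. .--- -.- .-.. -- "
          "-. --- .--. --.- .-. ... - ..- ...- .-- -..- -.-- --..").split()
MORSE = dict(zip(string.ascii_uppercase, _CODES))
UNMORSE = {code: letter for letter, code in MORSE.items()}

def morse_encode(text):
    """Encoding: letters separated by spaces, words by ' / '. No secret."""
    return " / ".join(" ".join(MORSE[c] for c in word)
                      for word in text.upper().split())

def morse_decode(signal):
    """Reverse the encoding using only the public table."""
    return " ".join("".join(UNMORSE[s] for s in word.split())
                    for word in signal.split(" / "))

def shift_encrypt(text, key):
    """Toy cipher: rotate each letter by `key` places (key is the secret)."""
    return "".join(
        chr((ord(c) - 65 + key) % 26 + 65) if c in string.ascii_uppercase else c
        for c in text.upper())

def shift_decrypt(ciphertext, key):
    return shift_encrypt(ciphertext, -key)

def brute_force(ciphertext, known_words):
    """Try all 25 keys and keep the one whose output has most known words."""
    def score(key):
        words = shift_decrypt(ciphertext, key).split()
        return sum(w in words for w in known_words)
    best = max(range(1, 26), key=score)
    return best, shift_decrypt(ciphertext, best)

# Constructed sample data.
MESSAGE = "MEET AT THE DOCK AT NINE"
SECRET_KEY = 7
COMMON_WORDS = ["THE", "AT", "AND", "OF"]

if __name__ == "__main__":
    print(morse_decode(morse_encode(MESSAGE)))   # readable by any listener
    ct = shift_encrypt(MESSAGE, SECRET_KEY)
    print(ct)                                    # unreadable without the key
    print(brute_force(ct, COMMON_WORDS))         # but 25 guesses recover it
```

A cipher only resists this kind of search when the number of possible keys is far too large to enumerate, which is the property the article calls strong encryption.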
With the move away from dedicated leased lines between secure sites to transferring sensitive data using VPNs over the internet, and even worse via wireless communication, it has become far easier for someone to tap into your communication and view your data. And security is important even if you do not use your credit card over the Internet; you still swipe your card at the local supermarket or milk bar and send sensitive financial data over regular phone lines.
You are certainly going to want that data to be encrypted so it cannot be snooped.
The stronger the cipher, the more computing power and time it will require to break, which brings us to so-called strong encryption. Strong encryption ciphers are unbreakable (or at least by the time they are broken, the information is no longer useful) unless the decryption key finds its way into the wrong hands. While these powerful ciphers are great for legally protecting sensitive data, they can also be used to encrypt the data of criminals and terrorists, for instance.
Because of this, many governments want to set up a secure database of encryption keys, so that authorities could decrypt communications that might be used to conceal illegal or threatening activities. Among the many potential problems with this idea is the possibility that this database itself could be hacked, providing the keys to secure communications of all sorts to people less scrupulous than the government. And, of course, this is not going to help much if the cipher itself is based on a unique password key provided by the user.
A great article on attacking ciphers can be found at http://axion.physics.ubc.ca/pgp-attack.html; some of the present cipher schemes require truly mind-boggling brute force processing to crack.
Business uses
The main business uses for encryption technology are encrypting communications such as e-mail, instant messages, Web site sessions, and Internet connections, and encrypting files on a disk, so that even if the system is compromised, the files are not readable.
Despite your best security efforts, at some point one of your corporate desktops or laptops will be lost or stolen. If the machine belongs to someone in customer service, you may only need to worry about the loss of the equipment. If the machine belongs to the CEO, CFO, or the head of human resources, important company data could be compromised. Encryption software can often prevent a loss of sensitive data, but is it right for all desktops or is that security overkill? It depends.
When determining whether your desktops and/or laptops need encryption software, consider file location, file type, and file sensitivity.
File location
If your organisation stores highly sensitive data only on network servers, neither your desktops nor laptops likely need encryption software.
However, if your organisation must store sensitive data on desktops and/or laptops, you should take a second look at encryption software. It's always appropriate to encrypt sensitive data stored on a laptop. Laptops generally travel out of the office, so unless the data is encrypted, it could be easily compromised if the laptop were lost or stolen.
Depending on the encryption software used, encrypted data can be difficult if not impossible to recover if the PC's operating system crashes. To avoid catastrophe in the event of such a failure, you should completely back up encrypted PCs on a regular schedule. This effort can be quite time-consuming if you're dealing with a large number of encrypted desktops and/or laptops.
File type
Not all files can or should be encrypted. For example, you usually can't encrypt an operating system, nor can you perform partition-level encryption on a partition that contains operating system files. This is because during the early phases of the boot process, the operating system is unaware of any encryption software (even if the encryption software is part of the operating system, as in the case of Windows 2000). Encrypted operating system files would therefore be unreadable, making the system unbootable.
File sensitivity
Consider the file's sensitivity and only encrypt those files that could cause significant damage to your organisation if exposed to a competitor or made public. A few examples include human resource records, financial statements, legal department documents, and sales figures. When deciding which files to encrypt, we recommend enlisting the aid of senior management and your organisation's legal department.











