Data encryption requires strategy, not just products

At the recent Cebit trade show, a flurry of vendors touted products with data encryption capabilities. Among them, Symantec unveiled its Endpoint Encryption product in an attempt to lock down data on USB drives and other removable media. Clearly playing off growing unease over lost data, Endpoint Encryption aims to secure data on desktops, laptops, and other removable devices.

In addition to hard drive encryption, the software package uses AES-256 encryption to encrypt files copied to USB drives, iPods, CDs, DVDs, and other forms of removable media. Endpoint Encryption comes in three formats: a full disk edition, a removable media edition, and a version that combines disk and removable media encryption.

It's these sorts of products that were on the minds of vendors who debated the pros and cons of crypto at the system, device, and file levels last week at the Data Protection Summit in Irvine, Calif.

There were the familiar entreaties to make sure keys are escrowed in a way that makes them easy to access over the long term. There was the call to use standards-based technologies (and the retort: "Standards are wonderful; every vendor should have one"). And there was a familiar refrain to avoid obsolescence as companies add to their storage security arsenal.

10 'NEED TO KNOW' IDEAS

Most interesting, though, was one CTO who actually took on the challenge of the session's title: "Top 10 Things You Need to Know About Drive Encryption Today." Warning he wouldn't be nearly as funny as David Letterman, Chris Burchett, CTO of Credant Technologies, nonetheless enumerated some major, and less obvious, aspects of contemporary encryption wisdom:

NO. 10: When your boss says, "Encrypt all endpoints," think "all platforms."

NO. 9: "All endpoints" also may include devices you don't own: partners' devices, USB drives that people may leave behind, and the like.

NO. 8: Encrypting data is "managed corruption," so keep in mind the managed part. Customers want to avoid decrypting and re-encrypting data, thus exposing it unnecessarily. Treating all enterprise information in a more holistic way is the security industry's biggest challenge.

NO. 7: Encryption needs authentication, so consider authentication options and how they will be managed. While most customers use two-factor authentication now, requirements scale and grow, so that at some point, they will need identity management systems as well.

NO. 6: Keep an eye out for unexpected problems. For example: Will encryption of data at bootup affect defragmentation later on? (Credant, as you might guess, encrypts at the file level.)

NO. 5: Consider technologies that protect against insider threats; using unique IDs for each user helps with that.

NO. 4: People will complain about and work around security that's in their faces, or that forces them to take extra steps. Any encryption solution must be completely transparent at the desktop level.

NO. 3: Often, a company must be able to prove encryption, either with a log or audit trail, for compliance purposes.

NO. 2: Done wrong, encryption gets in the way of forensics, or hampers it entirely.

NO. 1: Drive encryption is ubiquitous; the challenge now is how to manage it.

Copyright 2008 United Business Media US, LLC. All rights reserved.