Who Holds the Keys?

Encryption isn't bulletproof if keys and digital rights are left out in the open. Here's how to lock down stored data.

Encryption can make up for a litany of security snafus -- from a bad firewall to an unrelenting hacker to a lost laptop. Once data is encrypted, criminals can't use or sell it. Plus, if encrypted data goes missing, companies are protected from disclosure requirements in most states. No wonder 38% of companies surveyed by Forrester Research have already adopted full-disk encryption technology. But data protection doesn't stop there. Encryption keys and digital rights also must be well orchestrated and secured, or else encryption protection goes out the window.


For instance, encryption keys kept in a predictable place are like house keys left under a welcome mat: They're easy prey for intruders.

In December, hacking group Anonymous broke into SpecialForces.com, a provider of law enforcement equipment, and stole thousands of customers' data and credit card numbers. The data was encrypted, so the crisis appeared to have been averted. But the hackers didn't stop there. They broke into the company's servers and stole the encryption keys. The group then leaked roughly 14,000 passwords and 8,000 credit card numbers of customers on its website.

"Most of the standardized encryption methods or algorithms specified by [the National Institute of Standards and Technology] are good, it's just how you implement them and how you do key management," says John Kindervag, an analyst at Forrester Research.

While many companies have deployed full-disk encryption to comply with regulatory mandates or to avoid public disclosure requirements under state privacy laws if data is lost or stolen, an alarming number of companies still don't take precautions.

More than half of 500 IT professionals surveyed by Ponemon Institute and Experian Information Solutions in January said their lost or stolen data wasn't encrypted. Lost data most often included email (cited by 70% of the respondents), credit card or bank payment information (45%), and Social Security numbers (33%). If the organization was able to determine the cause of the breach, most often it was a negligent insider (34%). Some 19% said outsourcing data to a third party was to blame, and 16% said a malicious insider was the main cause.

"Any device that leaves your organization needs to be protected, and with more than just a password," says Gartner analyst Eric Ouellet. "We know you can jailbreak these things very easily." Data at rest must be protected, too, he adds. "Even mislabeling a tape [in storage] or not being able to find it is a disclosure event," unless the data is encrypted.

Semiconductor production equipment maker Applied Materials faces strict customer and legal requirements to protect information. The company, which operates in 25 countries, began rolling out full-disk and message encryption in late 2010 as part of a tech refresh of its 13,000 laptops. Today, 78% of laptops are encrypted, with only a few holdouts.

"The change has been positive all over the world," says Matthew Archibald, who serves as both chief information security officer and chief privacy officer at the Santa Clara, Calif.-based company. "On the engineering side, they believe anything slows [the system] down, so you have to show them that it doesn't impact them in any way."
