Skip the navigation

Encryption: Do It Today or Pay Tomorrow

The need has never been greater, and the technology is ready

By Gary Anthes
May 21, 2007 12:00 PM ET

Computerworld - On the surface, encryption has always seemed a no-brainer. Why expose confidential information to prying eyes when you could protect it by scrambling it? But even though encryption technologies have been widely available for more than 10 years, they have been slow to catch on.

Things are starting to change, however. A succession of high-profile, high-pain mishaps  including stolen laptops, lost tapes and litigation associated with data breaches  has seized the attention of management, and not just IT management. Meanwhile, hardware and software vendors have whittled away at the traditional objections to encryption, including performance penalties and the difficulty of managing keys.

Now, companies that have a great deal of sensitive data are beginning to move beyond the tactical point products they might have used years ago to high-level encryption platforms that provide services to applications, databases and networks companywide.

We are deploying an architecture that will give us the ability to manage encryption seamlessly across multiple operating systems and multiple back-end systems and encrypt anything we deem sensitive, says Harvey Ewing, senior director of IT security at Accor North America. The encrypted data could be personally identifiable information, such as names, addresses, Social Security numbers or telephone numbers, or it could be medical or financial data that is subject to government regulations.

Accor, a Carrollton, Texas-based manager of economy lodging chains, including Red Roof Inn and Motel 6, uses Key Manager from RSA Security Inc. to centrally manage the encryption keys of its 1,300 properties. The product allows different applications to share encrypted data without the need for each one to have its own keys. The key management server is the nerve center of all our encryption processes, and it takes the management of individual keys out of the picture, Ewing says.

Accor has short-circuited one of the major problems in encryption. Managing keys can be complex and risky, and it has been a major impediment to the broad rollout of cryptography. The difficulty arises because encryption comes into organizations organically, not strategically, says Jon Oltsik, an analyst at Enterprise Strategy Group Inc. in Milford, Mass. Its the piece that many people will get wrong over the next two to three years.

Oltsik predicts that hard drives, tape drives, new versions of data­base software and the like will eventually include encryption functions, and companies will bring them in one at a time. Next thing you know, youve got five key management systems and all kinds of complexities, he says. The biggest risk now is disaster recovery; either youll have to recover five different key management systems to get a business process up or youll do a good job of backing up four of them but lose the keys on the fifth and tank the whole process.



Our Commenting Policies