Firms take steps to head off encryption dangers

Computerworld - The growing call to encrypt stored data is raising questions among users and analysts fearful that a lost password or damaged drive could bury important information forever.

Some industry observers believe that a new Trusted Computing Group (TCG) standard, released last month, could lead all hard disk and solid-state drive makers to add encryption capabilities to most products within five years. Most of the top storage vendors are members of the TCG.

Corporate IT managers acknowledge the potential problems but say that steps can be taken to overcome them.

For example, AdaptaSoft Inc., a maker of payroll systems software, requires workers to store critical data on the company's network drive rather than on laptops with encrypted hard disk drives, said CIO David Virkler.

AdaptaSoft installed Seagate's self-encrypting, 2.5-in. Momentus 5400.2 drives on its Dell laptops in October 2007 to better protect customers' financial data.

Virkler also noted that implementing a group policy eased what could have been a "painful" rollout of the drives.

Ken Waring, IT director at Toronto-based CBI Health, said that despite the potential for problems, encrypting data "is still a million times better than having nothing."

The company, which operates 135 health care facilities throughout Canada, must do all it can to protect sensitive patient information, he said.

Today, 90 of CBI Health's 200 laptops use Seagate Momentus drives with native full-disk encryption, and the rest will be on a regular product-upgrade schedule.

Dave Hill, an analyst at Mesabi Group, said that well-managed, full-disk encryption ensures that lost or stolen data can't be accessed and that companies are in compliance with most state data-breach notification laws.

This version of the story originally appeared in Computerworld's print edition.