
Who holds the encryption keys?

Encryption isn't bulletproof if keys and digital rights are left out in the open. Here's how to lock down stored data.

March 26, 2012 06:00 AM ET

Computerworld - Encryption can make up for a litany of security snafus -- from a bad firewall to an unrelenting hacker to a lost laptop. Once data is encrypted, criminals can't use or sell it. Plus, if encrypted data goes missing, companies are protected from disclosure requirements in most states. No wonder 38% of companies surveyed by Forrester Research have already adopted full-disk encryption technology. But data protection doesn't stop there. Encryption keys and digital rights also must be well orchestrated and secured, or else encryption protection goes out the window.

For instance, encryption keys kept in a predictable place are like house keys left under a welcome mat: They're easy prey for intruders.

In December, hacking group Anonymous broke into, a provider of law enforcement equipment, and stole thousands of customers' data and credit card numbers. The data was encrypted, so the crisis appeared to have been averted. But the hackers didn't stop there. They broke into the company's servers and stole the encryption keys. The group then leaked roughly 14,000 passwords and 8,000 credit card numbers of customers on its website.

"Most of the standardized encryption methods or algorithms specified by [the National Institute of Standards and Technology] are good, it's just how you implement them and how you do key management," says John Kindervag, an analyst at Forrester Research.

While many companies have deployed full-disk encryption to comply with regulatory mandates or to avoid public disclosure requirements under state privacy laws if data is lost or stolen, an alarming number of companies still don't take precautions.

More than half of 500 IT professionals surveyed by Ponemon Institute and Experian Information Solutions in January said their lost or stolen data wasn't encrypted. Lost data most often included email (cited by 70% of the respondents), credit card or bank payment information (45%), and Social Security numbers (33%). If the organization was able to determine the cause of the breach, most often it was a negligent insider (34%). Some 19% said outsourcing data to a third party was to blame, and 16% said a malicious insider was the main cause.

"Any device that leaves your organization needs to be protected, and with more than just a password," says Gartner analyst Eric Ouellet. "We know you can jailbreak these things very easily." Data at rest must be protected, too, he adds. "Even mislabeling a tape [in storage] or not being able to find it is a disclosure event," unless the data is encrypted.

Semiconductor production equipment maker Applied Materials faces strict customer and legal requirements to protect information. The company, which operates in 25 countries, began rolling out full-disk and message encryption in late 2010 as part of a tech refresh of its 13,000 laptops. Today, 78% of laptops are encrypted, with only a few holdouts.

"The change has been positive all over the world," says Matthew Archibald, who serves as both chief information security officer and chief privacy officer at the Santa Clara, Calif.-based company. "On the engineering side, they believe anything slows [the system] down, so you have to show them that it doesn't impact them in any way."


Proceed with caution on EDRM

While assigning rights for viewing and editing documents seems like a good idea, it's not something that Gartner's Eric Ouellet recommends for organizations that need to keep documents for a long time.

"There are no standards for EDRM [Enterprise Digital Rights Management]," he explains. If a vendor changes the cryptography or the way it applies the technology, users must upgrade or retrofit all existing documents or run the risk of having orphaned documents that no one can open. One Gartner client had to upgrade twice over the past eight years, he adds.

"If documents are only going to live for 12 to 18 months, that's a risk window that you can manage," he says. "But if the documents need to live for four to five years or more, then you have to start building alternate systems," such as ones for keeping copies in plain text that are accessible to only one or two people in the organization.

— Stacy Collett
