You've got answers, I've got questions. Your responses are coming in fast about my column last week on Seagate's forthcoming hard disk drive that automatically encrypts everything on it. I think built-in, transparent encryption is a great idea that should be extended to just about everything IT departments provide -- including networks, file servers, and tape backup systems.
But as many of you point out, it's not so simple.
"From a security analyst's perspective, if the technology is easy to use and cost-effective, users may speed up adoption of these drives at the expense of other security measures," one reader writes. True enough -- but should we pass on a chance to add a layer of security, even if it may make more security a tougher sell?
Or should we just not tell users the encryption is there, so the money comes from the hardware budget instead of the security budget?
Speaking of telling (or not), that reader also wants Seagate and other vendors to tell us their encryption algorithms so we can assess their strength. I asked Seagate, whose representative told me the current design uses Triple DES with 192 bits' worth of keys. That may change, he said, but "we will most certainly use a public and standard algorithm." Good answer.
Another reader says, "Users need to grow up a bit in their understanding of technologies and the risk that they are the cause of. IT needs to stand up to users and enforce standards. Currently, security is technology, process and people, and the third leg is where it falls over."
And what about office politics, which lets powerful users stay risky and makes IT afraid to lay down the law? We won't change human nature, and we can't overhaul the pecking order overnight. So we're stuck with education, plus technology and process. Or is there another way that we're missing?
From a consultant: "What Seagate should provide, or if not what internal IT should develop independently, is a Trojan horse that grabs the password as the user enters it and registers it in a protected password vault. If the Trojan turns out to be technologically unfeasible, IT can at least provide a facility on the company intranet for voluntarily registering the password."
Does IT really want to get into the virus-writing game? On the other hand, is voluntary registration enough? IT can control passwords for the drives we install on users' machines, but can those passwords be changed? Should they be changed regularly? Or is the drive's password also an encryption key, in which case changing the password would mean re-encrypting the entire drive?
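The last question above is a real design fork, and the usual answer in disk encryption is a key hierarchy: the user's password never encrypts data directly. It derives a key-encryption key that wraps a random data encryption key (DEK), and only the DEK touches sectors. Changing the password then means re-wrapping 32 bytes, not re-encrypting the platter. The following is an added, stdlib-only Python model of that hierarchy; it is not Seagate's code or a description of their actual design, and the `Drive` class, the HMAC counter-mode stream cipher standing in for the drive's block cipher, and the passwords are illustrative assumptions.

```python
import hashlib
import hmac
import os

# Illustrative model (not Seagate's design): the user's password never
# encrypts data directly. It derives a key-encryption key (KEK) that wraps
# a random data encryption key (DEK); sectors are encrypted under the DEK.
DEK_LEN = 32
PBKDF2_ROUNDS = 100_000


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 in counter mode: a toy stand-in for the drive's block cipher."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def wrap_dek(password: str, dek: bytes) -> dict:
    """Derive a KEK from the password and wrap the DEK (encrypt-then-MAC)."""
    salt = os.urandom(16)
    kek = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS, dklen=64)
    enc_key, mac_key = kek[:32], kek[32:]
    # A fresh salt per wrap gives a fresh enc_key, so a plain XOR is a one-time pad here.
    wrapped = bytes(a ^ b for a, b in zip(dek, enc_key))
    tag = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}


def unwrap_dek(password: str, blob: dict) -> bytes:
    """Recover the DEK; the MAC check rejects a wrong password or a tampered blob."""
    kek = hashlib.pbkdf2_hmac("sha256", password.encode(), blob["salt"], PBKDF2_ROUNDS, dklen=64)
    enc_key, mac_key = kek[:32], kek[32:]
    expected = hmac.new(mac_key, blob["salt"] + blob["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("wrong password or corrupted key blob")
    return bytes(a ^ b for a, b in zip(blob["wrapped"], enc_key))


class Drive:
    """Hypothetical self-encrypting drive: persists only the wrapped DEK and ciphertext."""

    def __init__(self, password: str):
        dek = os.urandom(DEK_LEN)  # generated once, never derived from the password
        self.key_blob = wrap_dek(password, dek)
        self.sectors = {}

    def unlock(self, password: str) -> bytes:
        return unwrap_dek(password, self.key_blob)

    def write(self, dek: bytes, lba: int, plaintext: bytes) -> None:
        self.sectors[lba] = keystream_xor(dek, lba.to_bytes(8, "big"), plaintext)

    def read(self, dek: bytes, lba: int) -> bytes:
        return keystream_xor(dek, lba.to_bytes(8, "big"), self.sectors[lba])

    def change_password(self, old: str, new: str) -> int:
        """Re-wrap the same DEK under the new password; return sectors re-encrypted."""
        dek = self.unlock(old)
        self.key_blob = wrap_dek(new, dek)
        return 0


def demo() -> dict:
    """Write a sector, change the password, and show what did and did not change."""
    drive = Drive("hunter2")
    dek = drive.unlock("hunter2")
    drive.write(dek, 7, b"quarterly numbers")
    ciphertext_before = drive.sectors[7]

    rewritten = drive.change_password("hunter2", "correct horse battery staple")
    dek_after = drive.unlock("correct horse battery staple")
    try:
        drive.unlock("hunter2")
        old_rejected = False
    except ValueError:
        old_rejected = True

    return {
        "sectors_rewritten": rewritten,
        "ciphertext_unchanged": drive.sectors[7] == ciphertext_before,
        "same_dek": dek_after == dek,
        "plaintext_after": drive.read(dek_after, 7),
        "old_password_rejected": old_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

Two things the model makes concrete. First, IT can rotate the unlock password as often as policy says without touching user data, because the password only gates the key blob; the expensive re-encryption the column worries about is needed only if the DEK itself must be replaced, for example after a suspected key compromise. Second, a wrong password fails on the MAC check rather than producing garbage, which is the behaviour a pre-boot prompt needs. A production drive would use a real block cipher (AES-XTS is the common choice for sectors) instead of the toy HMAC keystream, and would keep the unwrapped DEK only in volatile memory inside the drive.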
"As soon as you have entered your password, this doesn't protect your data," adds another reader. "All those back doors, worms, Trojans, et al., can still read your data and send it over the Internet. This doesn't explain how data will be protected on the backup server, either."
Too true. Getting encryption built into IT products is a little more protection -- but it's no panacea. But is any single layer of security ever going to be enough?
Finally: "I tried to envision how 'invisible encryption' would work, and could not. When a machine (a laptop, say) is turned on, a password would be required at a very early stage; otherwise, a thief would be able to boot up and get access. So how would users manage that password? That's where the rubber meets the road in terms of trade-offs of a good key and good transparency."
OK, it's not a panacea and it's not truly transparent. Can we use a single sign-on approach, so the drive, operating system and network all open up from one password typed once? Are we better off with a pile of passwords that users may stick on their laptops with Post-it notes? And will we ever find the right trade-offs to make better security easy -- or at least easier?
Until we start crash-testing products with built-in encryption, we'll never know.
Frank Hayes, Computerworld's senior news columnist, has covered IT for more than 20 years. Contact him at frank_hayes@computerworld.com.