Security experts are urging users and businesses to adopt full disk encryption to secure sensitive data
Concerns about data breaches and privacy violations would spur enterprises to adopt encryption and use it effectively, according to security experts.
Organisations are beginning to assume that the firewall has already been compromised and are relying on ubiquitous encryption to protect data across the enterprise, according to Jeff Hudson, CEO of Venafi. In the past, security measures assumed that firewalls and other perimeter defences were enough to keep the bad guys out.
Recent high-profile data breaches proved that attackers were still able to get into the network, and had free rein because the data was not protected at all, according to Hudson, who has predicted that 2012 will be the “year of ubiquitous encryption”.
Along those lines, privacy rights organisation Electronic Frontier Foundation recommended that users “commit” to full disk encryption on all their computers. Encrypting the entire drive would help secure private data, including business documents, Web-surfing history, information about other people and email communications, even if the computer is lost or stolen, Seth Schoen, EFF’s staff technologist, wrote on the EFF blog.
“Don’t put off taking security steps that can help protect your private data. Join EFF in resolving to encrypt your disks in 2012,” Schoen wrote, noting that there are several easy-to-use tools available, including Microsoft’s BitLocker or TrueCrypt.
Full disk encryption uses mathematical techniques to scramble data so it is unintelligible without the right key, according to Schoen. “Without encryption, forensic software can easily be used to bypass an account password and read all the files on your computer,” he wrote.
Organisations need to make sure that all data, regardless of whether it is stored in-house or managed by a third-party provider, is protected by either encryption or tokenisation, Ulf Mattsson, CTO of Protegrity, told eWEEK. Incorporating these data-security measures may add some complexity, but the protections would wind up saving the organisation money in the event of a data breach, Mattsson said. Taking the time to protect the data would expose the organisation to less damage post-breach, he said.
In a recent survey of 500 IT professionals, more than a third admitted to losing USB drives and portable devices containing unencrypted personal and company data, iStorage found. Over half said they transported data without encrypting it first, according to iStorage.
Vital key management
Organisations that have adopted encryption still encounter problems because they are not following best practices for encryption key management, according to Hudson. Organisations struggle to keep track of what keys are being used and who has access to them. Encryption would be a “defining issue” in the year ahead, he said.
When employees leave, they may take the keys with them, leaving the organisation unable to access the data, Tim Matthews, senior director of product marketing at Symantec, told eWEEK. A recent Symantec study found that poor key management and lack of control over the technologies being used could cost the organisation an average of $124,965 a year.
Cloud services will also need to start thinking about encryption as users start worrying about their personal data and enterprises try to protect the corporate data leaving their networks, according to Geoff Webb, director of product marketing at Credant Technologies. Users have a “real desire” to take back control over the files they put in the cloud, he said. Storage and collaboration services will begin offering user-owned data-security and encryption options. Salesforce.com acquired Navajo Systems in August to provide customers with data-encryption capabilities.
After the European Union issued a mandate that security breaches involving unencrypted data need to be disclosed to local regulators, several large telecommunications companies started offering encryption services to minimise the risk of data exposure. As industry regulations and laws evolve to address unencrypted data, organisations will find it necessary to encrypt the data from the get-go, Jon Heimerl, director of strategic security for Solutionary, told eWEEK.
The Health Information Technology for Economic and Clinical Health (HITECH) Act is a good example: it states that an organisation that loses health care data does not need to disclose the incident, as long as it can show that it protected the encryption key and took proper data security measures.
“You don’t have to make this overcomplicated; even hard drive encryption and database encryption can go a long way to protect your cool data,” Heimerl said.