Is encryption just a waste of time?

Is encryption just a waste of time?

Summary: Faced with the thought of a USB drive, notebook PC or backup tape going missing, most IT managers look to some form of encryption as the first layer of defence. However, according to one storage security expert, that's largely a pointless exercise.

SHARE:
TOPICS: Storage, Security
7

Faced with the thought of a USB drive, notebook PC or backup tape going missing, most IT managers look to some form of encryption as the first layer of defence. However, according to one storage security expert, that's largely a pointless exercise.

"I often refer to encryption as crypto fairy dust," Eric Hibbard, chair of the Security Technical Working Group in the Storage Network Industry Association, said in a recent interview. "A lot of IT managers sprinkle this on and think it makes certain problems go away."

The reality, Hibbard suggested, is rather different. "If you're doing encryption in the storage ecosystem, the pay off is very limited. A hard drive or tape drive wandering off is a real problem, but that's not a data confidentiality issue; it's a media confidentiality issue. If you're talking about sensitive information, encryption is just one tool in the toolbox. If you don't have that mated to tight authentication and access control, you're screwed."

Of course, there are plenty of reasons why such a mating isn't happening. Getting to that kind of integrated nirvana is a worthy goal, but rarely happens in IT environments where heterogeneity is a fact of life. There simply isn't time, budget or staffing expertise to bring it all together, so access control tends to be limited to the most pressing projects.

Do you think Hibbard is on the right track here and it's time to vacuum up the fairy dust, or is encryption still the best option of a messy bunch for basic data security?

Topics: Storage, Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

7 comments
Log in or register to join the discussion
  • Data encryption

    The real issue is that most data "leaks" are caused by those with legitimite access to the information. Typically, docs are opened then saved to thumb, emailed or renamed, in transit out of the organisation. I agree with Hibbard that encryption is just a part of the whole solution but not a solution in itself.
    anonymous
  • DLP products

    Ditto.

    You've got to look at data loss prevention products and access control products. Things like (previously Vontu, now Symantec's) DLP (Data Loss Prevention), and also SNAC (Symantec Network Access Control) are products in the correct direction, where you can limit or prevent use of USB, live scan files or emails to prevent sending unauthorized data (e.g. any email with what looks like a credit card number), or limiting a client's abilities depending on which network they are connected (e.g. authorized corporate network, VPN, or an untrusted network).

    These kind of products help companies use IT to be able to help enforce compliance and corporate policy.
    anonymous
  • Data Encryption

    In many cases over the last few years data losses have stemmed from the inadvertant loss or theft of a laptop, USB drive or token. Encryption is not the answer for all threats but it cases such as these it will generally avoid the disclosure of privacy sensitive information.
    Rightly or wrongly in some cases negates the requirement for disclosure if the assets are lost avoiding major PR issues for the companies involved.
    anonymous
  • Data Encryption

    Agree absolutely. The recent pattern of very embarrassing data losses experienced in the UK would have been significantly ameliorated if the media had been encrypted. Media encryption is the first line of defence for portable media.
    anonymous
  • Encryption

    Data Encryption is one of the major threats.Encryption is not the answer for all threats but in cases such as these it will generally avoid the disclosure of privacy sensitive information.
    anonymous
  • don´t think so - MARKED AS SPAM BY AKISMET

    I dont think that it is true. I´m using Discryptor <a href=http://www.discryptor.net/en>(discryptor.net)</a> and it really does not feel like that
    anonymous
  • Encryption

    There's a new software being released soon, end of the month I think. It's got what they call "military grade encryption" or 256-bit encryption so that your stuff remains secure.
    Here's the link www.i-mtop.com. Sounds good to me.
    anonymous