The eight myths of data encryption

The emerging model of the open enterprise has raised the stakes on ensuring data protection throughout an organisation. Companies collaborate more freely and more often with partners and suppliers, responding to supply chains that stretch across the world.

Web-based business processes and e-commerce have combined to create a much more open IT infrastructure and corresponding protection must be put in place to counteract possible network vulnerabilities.

This applies whether data is at rest – stored on a laptop, smart phone or PDA –in motion across a network, or on some form of removable media being transported from one place to another – or in use by an application.

Encryption can be applied to data in any one of these conditions. It has been embraced in a variety of areas where the sensitivity of data being transferred is extremely important. This includes the banking industry, business transactions conducted over the Internet, email communications where privacy is essential, and mobile phone technology.

Despite advances in encryption techniques, outdated ideas about encryption persist. In fact there are eight common myths that need to be debunked.

Misconception 1: Encryption is too complex and difficult to plan, deploy and use. The idea that data encryption creates insurmountable IT challenges is one of the most prevalent misconceptions. In truth, well-designed encryption solutions emphasise simplicity in planning, deployment and use. The key to achieving simplicity is fully understanding data movements – and corresponding risks – within the organisation.

Appropriate solutions depend very specifically to the situation it involves. A one-size-fits-all approach will not give the right balance between security and ease-of-use. Some solutions may involve encrypting data as it is being sent to a network backup device, or mobile computers, email communications throughout an organisation, or the data on the flash memory devices used by field personnel.

Management of encryption processes is also an important consideration. Look for solutions that centralise and simplify oversight and administration of encryption operations with a sound management strategy. Centrally managed data security products add consistency to system activities, preventing users from tinkering with system configurations, for example.

Misconception 2: Encryption is a great way to protect data on a notebook computer or corporate server, but it can’t help protect data on a PDA or smartphone.

Companies sometimes underestimate the scale of the problem of lost handhelds. In a recent survey of taxi drivers in a major U.S. city, 21,460 PDAs and pocket PCs were discovered in taxis within a six-month period – each lost PDA representing a potentially serious security breach. While an Australian city may not turn in such an impressive volume of losses, it is still a major issue here – just one PDA can contain sensitive personnel files, commercially critical business plans or your complete customer list.

Fortunately, a number of application solutions now specifically support data encryption information stored on mobile computing devices. Further security is provided by a variety of authentication options which can utilise a variety of authentication modes – including biometric input devices, passwords or symbols PINs which give companies a mechanism for meeting data confidentiality regulations at the state and federal level.

Misconception 3: The state and federal regulations with which my organisation must comply don’t say anything specifically about data encryption.

Most regulatory mandates do not specify particular technologies that must be deployed to ensure secure communications, data privacy, accountability or transaction tracking – however data encryption is often the easiest and most fail-safe method of meeting these requirements.

Full compliance typically requires a combination of actions, including:

•Initiating policies that govern the communication and storage of data
•Implementing accountability practices in the organisation to ensure that
personnel practices are followed and technologies are appropriately deployed
•Performing monitoring and oversight of transactions and activities involving
sensitive data
•Employing methods that prevent private data from being stolen, accessed, or
viewed on computing equipment inside or outside of the organisation
•Establishing techniques to positively verify the identities of anyone
accessing or using sensitive information generated by the organisation

Other complementary data security products that handle digital signature use and encryption keys, and perform other security functions, can also contribute to regulatory compliance.

Misconception 4: Encryption will significantly slow down my system or impact network performance. Major performance issues are a thing of the past thanks to advances in computer platforms, improvements in encryption algorithms and enhanced application designs. The new application designs use available computing cycles efficiently and take advantage of background processing to perform tasks. As a rough guideline, a well-designed encryption product should typically have a performance impact in the range of two to five percent for standard uses.

Simon Coffey Technical Services Manager, Computerlinks Network Security Systems.