Misconception 5: It will take a tremendous amount of training for company employees to begin using data encryption. In many cases, staff members using data encryption on personal computers will require no training at all. Software installation is accomplished from a central location and staff members simply see a new sign-on screen the next time they boot up their computer. Encryption and decryption all take place behind the scenes and do not affect user productivity.
Misconception 6: My organisation already uses an operating system with encryption built in; we don’t need any additional encryption tools. Many organisations need greater flexibility, features and capabilities than are offered by a single encryption implementation – for example, one included in an operating system or public domain application. Operating system encryption generally lacks central management capabilities, as there are no provisions for managing or backing up the encryption itself, and it also lacks the reporting and logging features necessary for regulatory compliance.
Misconception 7: Encryption can’t be that secure if someone can just steal the keys from a server and break into any affected system. The theft of cryptographic keys is certainly a risk; however, isolating the functionality of key protection in a dedicated hardware security module can offer stronger protection than a software-only solution.
A hardware security module is a good solution for focused data security in e-business transactions and e-commerce operations. Following industry practice for passwords – using mixed combinations of letters and numbers, creating difficult-to-guess passwords and taking measures to avoid disclosing passwords to any unauthorised individuals – is also paramount.
Misconception 8: Our organisation uses encryption to protect data in transit, such as Internet transactions. We’re not concerned about stored data. Stored data presents a greater risk of loss or threat than network data transactions. Despite clear evidence of this fact, only 30 percent of IT executives say that encryption is used by their organisation to protect stored data.
Companies that already recognise the value of encryption for data exchanged online or in a network situation need to identify other areas of stored data that need to be guarded against loss or theft. This stored data encompasses network storage devices, computer hard disk drives, system and network back-up devices and small and easily pocketable devices such as removable media, flash cards, memory sticks and optical disks.
Encryption can be applied at various points in the data path, depending on the network architecture in use and the policies in force within the organisation. For example, as data moves from a primary storage device to a storage destination, encryption might be performed prior to the data being sent across the network for storage, at the point where a backup application is physically accessing the data, or where the backup software has formatted the data and is about to send it to the backup library or a long-term storage device.
Clearly the eight misconceptions do not apply. Strong encryption is a powerful mechanism that can offer effective, continuous protection of data – at rest, in motion and in use. Encryption can help meet legal and regulatory compliance requirements, and it is not difficult to plan and deploy throughout a company. In fact, a well-designed encryption solution will emphasise simplicity in planning, deployment and use.
The eight myths of data encryption
By Simon Coffey on Nov 28, 2007 11:15AM