It's all about the data

Cryptography is the last line of defense when it comes to protecting valuable information assets.

What I mean by that is that when all else fails - which is unfortunately often the case - the only means to ensure that something remains secure is to properly implement cryptographic systems with secure key management techniques.

I frequently get questions about the size of cryptographic keys and how often they should be changed. Increasing either will inevitably strengthen an implementation, in some instances at the expense of convenience and cost. My response is that companies should always try to analyse what the cryptosystem is protecting in order to determine the 'time value of the data'.

By this I mean how long the data needs to be protected before compromise no longer poses a risk or issue. In some cases this may be minutes, while in others it can be decades, so selecting a proper cryptosystem with suitably sized keys and change frequency is critical.

One thing to consider, however, is the scope creep or mission creep which may happen when such considerations are made at the design stage. In many cases we find that systems designed for one purpose are used in entirely different ways than their architects had in mind.

In such cases, all bets are off and a review of the 'time value of the data' has to be considered when such scope creep is suspected or confirmed.

The moral of the story: it’s not about the system you're designing, the security of the system or even the crypto...it's all about the data.

The 'time value of the data' being protected is an important aspect which will have numerous implications on the overall design of the system and how it is implemented.

By John Velissarios, Accenture
