On the surface, encryption has always seemed a no-brainer. Why expose confidential information to prying eyes when you could protect it by scrambling it? But even though encryption technologies have been widely available for more than 10 years, they have been slow to catch on.
Things are starting to change, however. A succession of high-profile data losses - including stolen laptops, lost tapes and litigation associated with data breaches - has seized the attention of management, and not just IT management. Meanwhile, hardware and software vendors have whittled away at the traditional objections to encryption, including performance penalties and the difficulty of managing keys.
Now, companies that have a great deal of sensitive data are beginning to move beyond the tactical point products they might have used years ago to high-level encryption "platforms" that provide services to applications, databases and networks company-wide.
"We are deploying an architecture that will give us the ability to manage encryption seamlessly across multiple operating systems and multiple back-end systems and encrypt anything we deem sensitive," says Harvey Ewing, senior director of IT security at Accor North America. The encrypted data could be personally identifiable information, such as names, addresses, Social Security numbers or telephone numbers, or it could be medical or financial data that is subject to government regulations.
Accor, manager of economy lodging chains, uses Key Manager from RSA Security to centrally manage the encryption keys of its 1,300 properties. The product allows different applications to share encrypted data without the need for each one to have its own keys. "The key management server is the nerve centre of all our encryption processes, and it takes the management of individual keys out of the picture," Ewing says.
Accor has short-circuited one of the major problems in encryption. Managing keys can be complex and risky, and it has been a major impediment to the broad rollout of cryptography. The difficulty arises because encryption comes into organisations "organically, not strategically", says Jon Oltsik, an analyst at Enterprise Strategy Group. "It's the piece that many people will get wrong over the next two to three years."
Oltsik predicts that hard drives, tape drives, new versions of database software and the like will eventually include encryption functions, and companies will bring them in one at a time. "Next thing you know, you've got five key management systems and all kinds of complexities," he says. "The biggest risk now is disaster recovery; either you'll have to recover five different key management systems to get a business process up or you'll do a good job of backing up four of them but lose the keys on the fifth and tank the whole process."
IT security manager Marc Massar says his company, which he asked not to be named, processes more than half of all card transactions around the world. He says the company has for many years protected its transactions with narrowly focused products that do specific things like encrypting the personal identification number in an ATM transaction. These products are geared toward protecting "data in motion", Massar says.
There are several ways to encrypt data in motion; options include Secure Sockets Layer (SSL) for the Internet and the IPsec standard for "tunnelling" - establishing a secure tunnel in an otherwise nonsecure network. "These kinds of products are fairly well established, and they paved the way for e-commerce several years ago, especially SSL," Massar says. "Nobody would question the need to encrypt a credit card number across the Internet anymore."
It is much less common today for companies to encrypt "data at rest" - on servers, desktops, laptops and backup tapes. But protecting files and databases has recently become the focus of encryption projects at many companies. For example, Massar rolled out Ingrian Networks's DataSecure Platform, a dedicated encryption appliance that sits between applications and databases. The hardware and software are specially tuned for computationally intense cryptographic processes.
Massar says he uses the Ingrian devices to apply one of the basic principles of encrypting data at rest. "Think of a piece of data as having a life cycle," he says. "I want to protect it as close to its point of origin as possible, so when it comes into my first system, I encrypt it then. Then if I want to funnel it into a back-office system, it stays encrypted, and if I need to back it up to tape, it's still encrypted.
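The life-cycle principle Massar describes, combined with the central key manager Accor uses earlier in the article, as an added example that is not code from the article or from any product it names: a stand-in key service hands applications key ids rather than raw keys, the front office encrypts at the point of origin, the back-office row and the tape copy stay ciphertext, and a disaster-recovery restore needs only the key server's own backup. The HMAC-based counter-mode cipher is a constructed stand-in for a real AEAD such as AES-GCM, and KeyManager and run_pipeline are assumed names.

```python
import os, hmac, hashlib, json, base64

def _prf(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()
def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as the keystream (constructed stand-in for AES-CTR)
    return b"".join(_prf(enc_key, nonce, i.to_bytes(4, "big"))
                    for i in range(length // 32 + 1))

class KeyManager:
    """Constructed stand-in for a central key server: apps pass a key id, never raw keys."""
    def __init__(self):
        self._keys = {}                      # key id -> 32-byte master key

    def create_key(self, label: str) -> str:
        kid = f"{label}-{len(self._keys) + 1}"
        self._keys[kid] = os.urandom(32)
        return kid

    def encrypt(self, kid: str, plaintext: bytes) -> dict:
        master = self._keys[kid]
        enc_key, mac_key = _prf(master, b"enc"), _prf(master, b"mac")  # key separation
        nonce = os.urandom(16)
        ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
        tag = _prf(mac_key, nonce, ct)       # encrypt-then-MAC
        b64 = lambda b: base64.b64encode(b).decode()
        # the envelope names its key id, so every downstream system can route it back
        return {"kid": kid, "nonce": b64(nonce), "ct": b64(ct), "tag": b64(tag)}

    def decrypt(self, env: dict) -> bytes:
        master = self._keys[env["kid"]]
        enc_key, mac_key = _prf(master, b"enc"), _prf(master, b"mac")
        nonce, ct, tag = (base64.b64decode(env[k]) for k in ("nonce", "ct", "tag"))
        if not hmac.compare_digest(_prf(mac_key, nonce, ct), tag):
            raise ValueError("envelope altered in transit or storage, or wrong key id")
        return bytes(c ^ s for c, s in zip(ct, _keystream(enc_key, nonce, len(ct))))

    def backup(self) -> dict:
        """Disaster recovery: one backup of this server restores keys for every app."""
        return dict(self._keys)

def run_pipeline(km: KeyManager, record: bytes) -> tuple:
    kid = km.create_key("pii")
    envelope = km.encrypt(kid, record)           # front office: encrypt at point of origin
    back_office_row = json.dumps(envelope)       # back-office database stores ciphertext only
    tape_copy = back_office_row.encode()         # backup tape: still ciphertext
    restored_km = KeyManager()                   # DR drill: rebuild the key server from backup
    restored_km._keys = km.backup()
    plaintext = restored_km.decrypt(json.loads(tape_copy.decode()))
    return plaintext, record not in tape_copy, kid
```

Because the envelope carries only a key id, losing the one key server's backup is the single point of failure Oltsik warns about, which is why that backup, not the application databases, is what a recovery plan must protect.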