"We are doing this first for our internet-facing systems, because that's where the most risk is," Massar adds. But the goal is to have one encryption service, so application developers don't have to develop a new encryption routine every time they get a piece of sensitive information.
But Massar acknowledges that such comprehensive, seamless encryption is easier to imagine than to accomplish. He says he has more than 1,000 systems subject to the encryption guidelines of the Payment Card Industry Data Security Standard, and "that requires a lot of architectural decisions".
Organisations moving to encrypt their information at rest naturally look first at the most vulnerable data, which can exit the company in laptops, handheld devices and so on. A computer services firm recently set a policy that the hard drives on all laptops be encrypted using Whole Disk Encryption from PGP in California, says Lawrence Hale, the firm's chief information security officer. He asked that his employer not be identified.