Is Encryption Overkill?By Doug Bartholomew | Posted 2008-03-26 Email Print
Know the Risk: Digital Transformation's Impact on Your Business-Critical Applications REGISTER >
What measures can organizations take to improve the security of at-rest customer, product and employee data? Experts weigh in.
Baseline: Is encryption the best way to secure stored data, or is it overkill? What alternatives are available?
Proctor: Encryption is a good way to secure stored data. But it comes at a great cost in many environments, at the expense of database/application performance, key management costs, and application development costs.
Encryption is not a panacea. In many cases enterprise-wide encryption is expensive overkill. Some alternatives would include classifying data and selectively encrypting high-value data, obscuring data in sensitive fields, managing access control, and monitoring administrative access.
There are dozens of possible controls. One of the more popular today is data loss prevention technology that can detect sensitive data-on-the-fly and encrypt it, or delete it as necessary.
Woo: Encryption can occur on many levels. In my non-network, non-security-oriented brain, object/file encryption is the best. However, it does come with severe costs: namely, that of key management. Alternatives such as full-disk encryption provide adequate protection, and at least in many of the implementations I’ve seen, require only minimal key management. The economic factor is not the cost of encryption, but rather the cost of not encrypting. If a file is encrypted, then by definition, it is inaccessible without the appropriate key(s). This approach is actually quite simple, but complex to implement.
The most critical thing for our industry is that storage, network, and security functions are converging, and we must adapt to this convergence. The current virtualization trend only adds additional layers of sophistication and complexity.
There is no silver bullet in addressing this issue of data security. Each organization needs to do a loss analysis in order to properly ascertain the degree to which their data needs to be secured.