Given all the hype over data encryption these days, you might get the impression that it's the only security control
you need to achieve and maintain compliance. It's not.
First, let me be clear about my stance on encryption. It's certainly a beneficial technology that helps prevent data breaches when it is done right. Whether it is for business-critical files, backup tapes, wireless networks or laptop computers and other mobile devices, data encryption can save the day. Even the HITECH Act and certain breach notification laws have exemptions for encrypted data. There is a mountain of evidence supporting the use of encryption.
But don't let the illusion fool you. Vendors will tell you "encrypt and be done with it," but it's not that simple. The problem is encrypted data means different things to different people. It's not just the mere existence of the technology, but how it's implemented that counts.
There's also the confusion some IT and security professionals create by touting all the complex security exploits that can be carried out only by someone with insanely great programming skills. Encryption-related weaknesses are different, and so have created a false sense of security. Be it sensitive files, Wi-Fi or mobile devices, an attacker doesn't need sophisticated skills or expensive tools to exploit the lack of encryption or the poor implementation of it.
There are also technical issues to be concerned with. Will your current hardware and software revisions support the level of encryption you need? Who has access to the encryption key management system? Is key management going to be too much of a burden for your staff's skill level? Are you encrypting everything, or just certain areas?
What's considered "strong" encryption is often protected by a weak passphrase -- often a password -- that's easily cracked. This is especially true for PDF files, word processing documents and spreadsheets. What controls do you have in place to detect and prevent weak passphrases? How can you rely on this? What about screensaver timeouts? Users not locking their screens when they walk away from their computers can fully negate any benefits of full disk encryption.
There are operational concerns, as well. In the case of mobile devices and home PCs, where encryption is extremely difficult to enforce, will data encryption be enabled where it needs to be by default? Can you reasonably assume that sensitive information is always going to be encrypted everywhere it travels?
There are also insiders who have access to unencrypted data. Just because they have access doesn't mean they can be trusted. You must ask yourself: What controls do I have in place to prevent and track insider abuse, and do I have control of unstructured information on my network? You cannot protect what you don't know about.
My point is you can't rely on data encryption in and of itself -- or any other single control -- to keep everything safe. A one-layered security defense is a weakness waiting to be exploited. Sure, make encryption part of your plan but never ever assume everything's in check just because it's there.