Encryption management is a necessary, but not sufficient, line of defense for protecting data within a business...
ecosystem. The basics of digital data encryption -- encoding and decoding data in a way that renders it unintelligible to unauthorized third parties -- have been well understood for decades.
There is a Catch-22 to encryption, however: Processing-power advancements have made stronger encryption techniques available. These same advances are available to those with malicious intent, however, and that has made better encryption algorithms necessary.
We won't debate the merits of various encryption technologies, products or vendors here -- the upcoming RSA Conference is probably the best place to see and evaluate those in action. Rather, our focus is on encryption management governance and policies.
There are three reasons to encrypt your data, and they are interrelated: regulatory compliance, reputation risk and "oops" moments.
An increasing number of regulations specify encryption mandates directly or indirectly by outlining the activities required after an unencrypted data breach. California was at the vanguard of a trend requiring businesses to inform customers when their unencrypted personal data could have been made available to unauthorized parties (SB 1386, 2002). Now, more than 40 states have similar breach notification laws, and California is considering stronger disclosure regulations. Given the cost of disclosure -- be it direct or indirect in terms of reputation risk -- it's a wonder that anyone stores unencrypted personal information anywhere today.
As in most things related to regulatory compliance, businesses will weigh the cost of compliance with the risks and costs of detected noncompliance. The cost of encryption management is relatively modest. When it is indicated by direct or indirect regulatory mandates, the reputation risk surrounding noncompliance is generally too high to ignore.
Reputation risk should still be a consideration for data encryption in the absence of regulatory mandates, however. Any breach that becomes public is potentially damaging to a firm's reputation. In particular, losses that indicate ongoing vulnerabilities will affect future revenue streams.
Sony's loss of customer data this year, for example, had effects beyond those customers whose data was protected by regulation: a six-week service outage and an unhappy insurance carrier that denied coverage.
The "oops" moment refers to the unforeseeable -- or at least, to the unforeseen. It covers any unregulated loss that has a business impact but doesn't become a reputational risk issue. One example is the loss of confidential proprietary data that costs the business in competitive advantage, from plans to designs to sales forecasts and results.
Manage encryption to supplement security
Conceptually, the unit of transportation (field, record or file) should be evaluated at the data modeling stage to see if it should be encrypted based on the three listed scenarios. When in doubt, encrypt. But use encryption as a basis for additional security, because it is not a replacement for physical security and additional cybersecurity measures. For general guidance, we recommend the ISACA RISK-IT governance framework (Disclosure: the author was an outside reviewer of this framework, but he has no financial or business stake in its commercial success).
When in doubt, encrypt. But use encryption as a basis for additional security.
It is instructive to look at the impact of emerging technology on encryption management strategies and requirements. Some of the most significant trends in IT today are those I refer to with the acronym MACS: mobility, analytics/big data, cloud and social. Each introduces new vulnerabilities, and there should be an encryption requirement review for any initiative or investment in a MACS component.
One of the best examples of an "oops" moment appears in the international news headlines. The U.S. has asked Iran to return a spy drone that landed inside Iran's borders. Somehow I can't escape the image of a kid asking his cranky neighbor to return a baseball that has just been discovered inside the neighbor's house next to a broken window. The difference is that the drone was still under digital control after it left home, while the fate of the baseball was determined as it left the kid's hand. It appears Iranian specialists exploited the drone's reliance on the Global Positioning System, or GPS, to trick it into landing in Iran.
Did the drone's system use encryption? It's hard to imagine that it didn't. Was it sufficient? Clearly it wasn't. As we've noted, encryption is one layer in a defense strategy. Encryption can't be the weakest link, but it will never be the strongest. Plan accordingly.
Adrian Bowles has more than 25 years of experience as an analyst, practitioner and academic in IT, with a focus on strategy and management. He is the founder of SIG411 LLC, a Westport, Conn.-based research and advisory firm. Write to him at firstname.lastname@example.org.