I have been speaking to some of my clients over the past few weeks about an "encryption cloud". It is the idea that there are many different ways that data can escape from an organization and to protect that data requires a larger approach than just whole disk encryption.
Right now, many companies and agencies are just trying to get a handle on all of the laptops they have that leave the relative safety of their offices every day. This is a great first step and one that should not be procrastinated on. However, any security policy is only as good as its weakest link. Unencrypted PDAs, CD-RWs/DVD-RWs, thumb drives, iPods, P2P software, etc. represent paths along which large amounts of sensitive data can quickly appear in the wrong hands.
That is why you see different encryption manufacturers producing a wider variety of solutions to try and stem all of the leakage points. Secure E-mail, encrypted network shares, tape and database encryption are all areas that must be included in a comprehensive encryption solution. Data at rest and data in transit must have a way to be centrally managed to provide for the ease of use and management while always providing the most security.
Pretty soon a cloud of encrypted traffic within your network appears and extends out to to encompass mobile devices taken to client's sites or user's homes.
Encrypting data is not hard to justify if you ask the right people. And I am not talking about people within the encryption industry. I am speaking of organizations like Neiman Marcus who just announced they "lost" the names, addresses, social security numbers, birth dates, and salaries of over 160,000 current and former employees. Of course, the sad part of this is that it wasn't really Neiman Marcus that lost their entire staffing history but a pension-benefits consulting firm that NM had hired. The contractor's guidelines requires them to encrypt their information but strangely, they cannot confirm if the data was encrypted or not (Ahem, whole disk encryption would have not made that an issue).
Be sure to read the whole article and be glad it's not your organization that they are talking about. :)
Michael Mongold
Comments