Encryption Works Wonders, But Causes Its Own IT Headaches
Encryption is effective, but applying it to PCs, databases, and networks means adding layers of software and hardware and taking on new costs stemming from product licenses, training, and support.
Encrypt everything! Unfortunately, that's become the knee-jerk policy for some organizations that handle sensitive data, despite encryption's well-deserved reputation for adding cost, complexity, and latency to IT environments. More organizations need to encrypt more of their data--the Veterans Affairs fiasco shined the klieg lights on that fact--but blanket encryption policies still are a bad idea.
The most aggressive users of encryption for PCs, databases, and networks can spend hundreds of thousands of dollars on product licenses, training, and support. The added software and hardware layers can slow systems performance, particularly when data packets must be decrypted to be examined by firewalls and intrusion-prevention systems. The alternative is to assume that all encrypted data is coming from a trusted source and let those packets through without inspection. Encryption handled poorly--when decryption keys are lost or stolen or become predictable because they're used too long--is the kiss of death for sensitive data.
"Encryption has to be real and affordable and practical," says Dennis Heretick, chief information security officer at the Justice Department. Heretick prioritizes encryption based on risk. Removable media containing sensitive information must be encrypted, for example. But he realizes that encrypting all information in the Justice Department's databases would mean "a huge performance hit." If Heretick determines that encryption isn't practical for a particular data store, he'll rely on other means of security, such as keeping that database off the network.
While the Justice Department has been encrypting data on laptops for several years, the Department of Veterans Affairs discovered the value of encryption too late, leaving personal information on about 26.5 million veterans and their spouses exposed when an agency laptop and unencrypted hard disk drive were stolen in May. Besieged by Congress and veterans, the VA in August signed Systems Made Simple to a $3.7 million contract to install encryption software from GuardianEdge Technologies and Trust Digital on all its laptops by mid-September. The VA missed its self-imposed deadline but has made "good progress," according to an agency spokeswoman. The department plans to add the software to all of its desktops, as well as enforce the encryption of all data stored on flash drives and CDs.
In lockstep with the VA, the U.S. Army is mandating that each laptop it uses in the field be outfitted with encryption software from Pointsec Mobile Technologies, Credant Technologies, and Microsoft's Encrypting File System. The Army plans to make use of the encryption features in Windows Vista when they become available. (For more on Vista and other emerging encryption tech, see story, New Laws, New Technologies Sell IT On Encryption.)
Indeed, a growing number of organizations are encrypting their databases, laptops, network traffic, and E-mail as they try to mitigate risk. The VA laptop theft prompted Clay Johnson, deputy director for management at the White House Office of Management and Budget, to issue a June 23 memo with security recommendations to all federal departments and agencies. One of the four recommendations was that government agencies encrypt all data on laptops and handheld computers unless classified as nonsensitive.
Still, companies must view widespread encryption with their eyes wide open. Even by the vendors' own admissions, encryption technology presents many difficulties. It sucks up a lot of IT time and makes it harder to share information. Then there's the management of the keys used to decrypt messages. If they're stolen or otherwise fall into the wrong hands, encrypted data becomes vulnerable. If keys are lost, it can become impossible to retrieve data. "If I encrypt this information, how can I be sure that I'll be able to recover it in five years? What about in 25 years?" says Richard Moulds, VP of marketing for nCipher, a provider of encryption hardware and software.
Now You See It ...
Encryption makes sense for certain uses. It essentially wraps a sealed envelope around data, obfuscating information so that no one, except the person with the decryption key that unseals the envelope, can make sense of the information. Unencrypted data, in contrast, moves exposed along networks, like a postcard wending its way through mail delivery.
Encryption bogs down networks and systems by pulling data aside and disguising it before dispatching it on its way. The severity of the latency depends on a number of factors. If a system encrypts many small data packets, it takes more time than when fewer, larger data packets are encrypted. Latency diminishes when users depend on a hardware device rather than software to perform encryption. The ability to simultaneously send multiple encrypted data streams also cuts latency.