Encryption: Not the End-All Fix for Data Privacy

Many state data-breach laws exempt encrypted data from PR-nightmare public-notice requirements, but don't let that fool you into thinking it's an easy answer to the data privacy challenge. Here's the lowdown on loopholes, caveats and options to consider when applying encryption.

Proper Uses of Encryption

There are, of course, many instances in which encryption is a very effective security tool. For mobile employees, hard drive encryption is a great way to protect the data on laptops in the event they are lost or stolen. As the name suggests, the technology encrypts the entire hard drive as opposed to only select folders or files. Thus end users do not have to concern themselves with which data should be encrypted. It's all encrypted. One-way encryption, also known as a hash, is often used to protect passwords. Depending on the specific network topology, password files can be maintained on local systems or on dedicated authentication servers. In either case the password files are often hashed to protect their confidentiality. Since a hash is non-reversible by design, it's considered that much harder to hack. Secure Sockets Layer (SSL) is the standard used to provide a level of protection for sensitive data that is transmitted over the Internet.
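To make the password-file point concrete, here is an added example (not code from the article) of a salted, iterated one-way record beside the bare hash it improves on; the record format, the `pbkdf2_sha256` label and the iteration count are assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed record layout for the sample password file (one line per user):
#   pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>
ITERATIONS = 600_000  # assumed work factor; raise it as hardware gets faster


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a one-way record for storage; the plaintext cannot be recovered from it."""
    if salt is None:
        salt = os.urandom(16)  # per-user random salt: same password, different records
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and work factor, compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        salt, stored = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: never accept
    if algo != "pbkdf2_sha256" or rounds < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, stored)


def unsalted_sha256(password: str) -> str:
    """The weak form: a bare hash with no salt or stretching. Every user with the
    same password gets the same digest, so one recovered entry exposes all of them."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()
```

Storing the salt and work factor in the record lets you raise the iteration count later without re-hashing every entry at once.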

One challenge businesses face is finding encryption solutions for the wide range of computer systems deployed in their networks. Performance is another challenge: encryption is CPU intensive and can slow systems down.

There are dedicated encryption appliances that are operating-system agnostic. In fact, the need for dedicated, high-speed crypto-appliances has become so great that the market is flourishing. Many of these vendors tout that they are certified by either the U.S. Government or by major security consortiums such as the National Institute of Standards and Technology (NIST). Vendors in the crypto-appliance market include CipherOptics, Decru and Neoscale, to name just a few.

Dedicated devices are placed right on the network and can encrypt data both in storage and in transit. The CPU-intensive encryption is handled by the appliance, not by your servers, so performance doesn't suffer. Many of these encryption appliances will work with most versions of Windows, UNIX, Linux, mid-range systems such as AS/400s and even mainframes.

Yes, encryption is an important tool to maintain the confidentiality of sensitive data. However, it's not the end-all answer to data privacy. If improperly used, encryption can actually be a security liability, and misuse will eventually impact the exemptions offered in many current data privacy laws.

Philip Alexander, CISSP – ISSMP, is an Information Security Officer for a major financial institution and the author of the new book Data Breach Disclosure Laws: A State-by-State Perspective by Aspatore Books. Write him at [email protected].