Encryption Works Wonders, But Causes Its Own IT Headaches

Encryption could be a cost-saver if vendors figured out a way to scale it to more end users--to secure customer interactions, in particular. Financial services companies, for instance, would love to reduce the number of paper statements they mail to clients each month, if only vendors could come up with a way to encrypt mass E-mail blasts cost-effectively. "This would be a killer app for encryption," says Richi Jennings, lead analyst with E-mail consulting firm Ferris Research, who adds that it would kill phishing scams perpetrated by fraudsters posing as banks.

Worry, Worry, Worry
More than anything, the urge to encrypt comes from the belated realization that sensitive data is walking around on laptops. But encrypting laptop files and data can be difficult and require additional work. Some encryption software doesn't recognize updates to PC apps, forcing IT teams to uninstall encryption software before they update apps or operating systems, and then re-encrypt the hard drive. That can take several hours per unit.

Capital BlueCross has been encrypting as many as 40 of its laptops weekly. The installation of encryption technology takes less than five minutes, and the encryption takes place in the background while employees use their computers. However, Capital BlueCross' IT team can spend up to four hours per PC performing diagnostics and testing the installation of Utimaco's SafeGuard Easy full disk-encryption software. That software is then integrated with the health care provider's Active Directory security controls. The IT staff has been doing this extra work one day a week on average over the past two months. SafeGuard Easy is among a set of Utimaco products priced at around $250 per PC to provide encryption, personal firewall, antivirus, anti-spyware, and asset management.

SafeGuard Easy encrypts all applications that run on a PC's hard drive with no noticeable effect on users, other than adding a new logon screen when they boot up. Capital BlueCross chose SafeGuard Easy because of its integration with back-end management capabilities, especially its PC-imaging backup and upgrade processes. The insurer initially started encrypting laptops to protect client health information but has extended the program to protect other sensitive company information, VP of IT Whiting says.

Arkansas BlueCross BlueShield encrypts certain client data to meet government regulations, such as the Health Insurance Portability and Accountability Act and Gramm-Leach-Bliley, though encryption isn't specifically mandated by those regulations. "When it's personal health information or personally identifiable information, we err on the side of caution," says Bob Heard, VP of IT infrastructure.

Arkansas BlueCross BlueShield plays the same balancing act as many other companies: It's going to do what it must to protect data, but it knows the costs rise if encryption is applied to data a lot of people need to access, because that will mean more software and more support. "Encryption is very, very important to us based upon certain types of data, but it's not used on a broad scale where it's applied to anything and everything," says CIO and senior VP Joe Smith. "There's a practical matter of knowing what you need to protect."

Companies sometimes throw encryption at the wrong risks. "I run into enterprises implementing encryption in places where it's not necessarily needed, but their backup tapes are being sent out unencrypted in the hands of $6-an-hour couriers," says Paul Kocher, president and chief scientist of Cryptography Research. "Encrypting backup tapes and laptops is an absolute no-brainer because it's low cost and the benefits outweigh the risks." IBM and Sun Microsystems are betting on that; both are coming out with storage systems that can automatically encrypt data as it's recorded onto magnetic tape.

Data broker ChoicePoint requires all third-party data sources to encrypt any data sent to it on disk or tape. ChoicePoint isn't taking chances after scammers in 2004 tricked it into giving them personal information, leading to $25 million in fines, fees, and tech upgrades. It's become an encryption zealot. "Everyone's laptop is now encrypted, even if you don't have access to sensitive data," chief marketing officer James Lee says.

It's understandable that a company like ChoicePoint with so much personal data--and a reputation so much at risk--would embrace encryption broadly. But the decision to encrypt data should be made only after a thorough assessment of the cost-benefit. Remember, an investment in encryption is more than a shopping trip for new hardware and software. It's a new approach to security that requires constant management over the lifetime of your data. Make sure what you're protecting is worth the effort.