One of the questions I'm frequently asked is: "If perimeter-based data-security strategies are breaking down, why aren't more companies using encryption to protect their confidential information?"
Although I'm not sure I agree completely with the question's premise, I believe what we're seeing has less to do with the role encryption will play in protecting confidential information than the rate at which enterprises can really upgrade their core information infrastructure.
Encryption is not the kind of technology that can be "painted on" an existing set of information-technology assets. Achieving comprehensive enterprise data protection requires a change in both policies and technology at the architectural level, followed by deliberate deployment everywhere sensitive information resides.
As one of my favourite chief information officers observed: "Rome wasn't built in a day, and that was a far easier goal to accomplish."
What I've observed, particularly in the last year, is the growing understanding by IT security professionals that General Patton was correct when he observed that "fixed embattlements are monuments to human stupidity".
With the vast majority of mission-critical data now being created and consumed on mobile devices outside most corporate security perimeters, data-security experts globally have realised that fixed data embattlements are a necessary but insufficient component of a comprehensive, enterprise data-protection strategy. These companies are rethinking their security strategies, and the leading firms — primarily in financial services and manufacturing — are implementing solutions that assume there is no perimeter in the classic sense. Most, if not all, of these new approaches involve broad deployment of various encryption technologies.
The Jericho Forum has been promoting this concept of "de-perimeterisation" for a number of years. What I'm seeing from the largest PGP Corporation customers is a belief that security now must travel with the data wherever it goes throughout the world. Because upgrading the security policies and technology in a large enterprise takes time and careful planning, however, this is not the type of trend that pops out fully formed — like a YouTube or Facebook — but evolves over time to address changing threat models.
The other phenomenon driving this trend is the growing understanding that no institution is immune to the type of breach experienced by TJX in early 2007 or HM Revenue & Customs in late November.
I expect both the number of breaches and the cost per breach to increase in the short term as the profitability and frequency of identity theft rise in the increasingly organised international criminal community
Phil Dunkelberger, PGP Corporation
So, although de-perimeterisation and the assumption that all firms are vulnerable are the current drivers for encryption adoption, there's a third, less understood phenomenon that I believe will become increasingly important in the next two years: the hard dollar costs of a breach.
TJX disclosed recently that it may spend $500m (£253m) mitigating the effects of the breach. The most recent study by the Ponemon Institute, which tracks the cost of breaches, estimates that each compromised record costs an affected company $197, up eight percent from 2006 and 43 percent from 2005.
I expect both the number of breaches and the cost per breach to increase in the short term as the profitability and frequency of identity theft rise in the increasingly organised international criminal community. This trend will, in turn, put increasing pressure on public and private institutions to protect sensitive data regardless of where it resides in the enterprise.
The final factor affecting the rate at which encryption technologies are deployed is the knowledge that to protect all data in motion and at rest in a large enterprise effectively, it isn't enough to deploy one point solution for email, one for laptops, a third for shared storage, and so on. Most chief information officers know from hard experience — and early public key infrastructure deployments — that a combination of such point solutions usually leads to data that is actually less secure and/or less available to those who need it.
Encryption by itself is not the answer, and the fact is that building or deploying a simple, single-application encryption technology just isn't that hard. The magic of enterprise data protection occurs when it is combined with a comprehensive data-protection policy and key-management system, and encompasses all of an enterprise's business, compliance and security requirements.
Building systems that meet these criteria is hard and should be undertaken only when implementers truly understand all of the enterprise's threat models and have identified the most cost-effective, scalable solutions.
Phil Dunkelberger is chief executive of security software company PGP Corporation.
Talkback
First you have to close the stable door. Point solutions do this.
Citadels have always had strength in depth from the moat to the keep, unlike HMRC (or firewalls) which neglected basic data security, and the breach took place outside the citadel.
HMRC have to take the minimum precautions of not allowing everyone to browse or download the whole database. And understand password protected zip files are not the state of the art data security, and why data security matters and what is your responsibility. Junior (inadequately trained) staff were required to supply the whole database (in password protected zip files) by people who should know better (but didn't).
Encryption is necessary for mobile data, mobile data is not necessary for HMRC, and supplying the whole database was not a alternative to sterilising the data, for it's intended use, and distribution outside the citadel.
Corporate experimentation and learning is an important activities in their own right. Simple rules can drive complex behavior and solutions come from iteration and experience.
Maybe we are reaping our rewards from the modern push to de-skill the IT administration function. We don't want to have to pay people who have deep knowledge and experience. We would rather pay a shedload of money for applications that do all our thinking for us. Fine if we are talking about automating repeatable physical processes. Not so fine when we are talking about complex and highly variable stuff like looking after large IT systems .. particularly secure ones.
I remember a paper from a certain large IT supplier a long while ago that was advocating the removal of the distinction between the IT Technician and the Engineer. It was punting the renaming of the function that used to be fulfilled by technicians to an "XYZ Engineer" and doing away with the top end engineering function. They then went ahead and did it. For a long while it seemed to work.
However, without the deep geeks being involved in the overall systems maintenance, the systems that resulted started to rot. Decisions that were made by engineer level staff, that added time and effort to processes, but were done for good reasons obvious to engineers, have dropped off because the current staff, with lesser skills and experience didn't see the point. Only too late do they work out why it used to be done that way .. if they even knew it did.