In my years in the computing industry, I have seen a number of technologies come, go, and resurface. Without a doubt, one of the most interesting is data encryption; yet, the general public still doesn't seem to have a firm grasp on it.
Part of the problem may be that many IT pros get their information about data encryption from security vendors. None of the vendors at the security seminars I have attended stress that data encryption is by no means a substitute for a comprehensive corporate security architecture. For instance, sometimes it only makes sense to use data encryption when no other alternatives exist; sometimes you don't need to use data encryption at all. You probably won't hear this in any security vendor seminar because they want to sell products — I just want to educate you.
Know when to use data encryption
Data encryption is of little use unless you apply it to specifically mitigate a risk or to address a legal requirement. In fact, if you apply data encryption without consideration for how it will affect other IT functions, it can actually increase risks in other areas of the enterprise.
A striking example of the misuse of data encryption is when IT pros use encrypted file systems where this type of security is simply not needed. Windows and almost all major operating systems support encrypted file systems, but most corporations would be hard pressed to find a general use for such security. Even so, many corporations adopt encrypted file systems because they believe this protects their information if a system is compromised. This is generally not true; the real security issue is keeping the system from being compromised in the first place. An encrypted file system is not a reason to stop being vigilant about applying updates and patches. Also, backups are a must because, if you lose the decryption keys, your data is lost.
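The key-loss point above, as an added example that is not from the article: a hypothetical encrypted-file-system entry in Go whose per-file data key is wrapped once for the user and once for a separately kept recovery key, so a lost user key does not mean a lost file. The key names, the entry layout and the 32-byte key size are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// aead returns AES-256-GCM for a 32-byte key; a wrong key length is a caller bug.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return gcm
}

// seal encrypts plaintext under key; the random nonce is prepended to the output.
func seal(key, plaintext []byte) []byte {
	gcm := aead(key)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand does not return errors on supported platforms
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; a wrong key fails GCM authentication instead of yielding garbage.
func open(key, sealed []byte) ([]byte, error) {
	gcm := aead(key)
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, errors.New("truncated ciphertext")
}

// Encrypt models one entry of a hypothetical encrypted file system: content sealed
// under a fresh per-file data key, with that key wrapped for the user and, separately,
// for a recovery holder whose copy is kept away from the workstation (e.g. in a backup).
func Encrypt(plaintext, userKey, recoveryKey []byte) (content, forUser, forRecovery []byte) {
	dataKey := make([]byte, 32)
	rand.Read(dataKey)
	return seal(dataKey, plaintext), seal(userKey, dataKey), seal(recoveryKey, dataKey)
}

// Recover opens content with one holder's key and wrapping; once the user's key is
// lost, only the recovery holder's pair still reaches the data.
func Recover(holderKey, wrapped, content []byte) ([]byte, error) {
	dataKey, err := open(holderKey, wrapped)
	if err != nil {
		return nil, err
	}
	return open(dataKey, content)
}
```

Without the second wrapping, a lost user key leaves the sealed content unrecoverable, which is the backup requirement the article describes.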
There are specific cases where it makes sense to use data encryption. However, many IT pros decide to use data encryption because they assume this means they will have "improved" security. For example, a company that implements a VPN system using IPSEC isn't immune from a worm or virus if its virus scanner only inspects email at the firewall border. A solution is to...
Talkback
Encryption without AAA is meaningless. Meaning that if you encrypt something but don't log and monitor the Authentication, Authorization and Auditing events of it all, you might as well not bother with it. Since you're not slowing down the real bad guys (both external and internal), in fact, you're not even noticing them, but you are slowing down users authorized to access that data.
Another thing to keep in mind: (disaster) recovery. You might want to make sure that at least certain encrypted data can be restored and/or accessed by others in certain situations (e.g., Mr. No Good has been kicked out of the company but he encrypted what he could before his account was disabled).
As for VPN (SSL). If people worldwide truly understood how much money was pumped into that and how much additional security it actually added, a lot of people would be asking very difficult questions indeed.
Security, in reality, is about slowing down the bad guys long enough for you to notice them and take the right actions before they become a problem. Along with being able to recover in full from whatever situation, as far as risk assessment decisions at higher levels permit. And a bunch of other things.
One last thing to think about. Whatever your feelings about encryption, DRM, whatever are. Everything that is out of your total physical and everything else total control is truly out of your control. Think about that before investing in solutions that claim to give you control. Really, I've seen guys, more than once, claiming that they could prevent others from printing, copying, editing and doing whatnot with documents 'protected' by their security solutions. I took out my PDA, made a photograph of the screen and said: stop me from doing this. End of discussion. Tons wasted on false security saved.
Really, decision makers should start to learn to find, identify and listen to those who actually know what they're talking about and don't have a hidden agenda. That would save such tremendous amounts of money and failure most people wouldn't believe it. Simply because the quantity of an opinion says absolutely nothing about the quality of such an opinion and in itself nothing about the validity of that opinion. In other words, the whole world could agree on something and still one person could be right. History is filled with such moments.