Page 11 - CDM-Cyber-Warnings-January-2014
Is encryption a magic bullet?

In the wake of the Snowden affair, encryption is being hailed as the answer to ensuring data security. Håkan Saxmo, CTO at Cryptzone, considers this view.

Mass surveillance is everyone's business, so it's only natural that Edward Snowden's disclosures on the activities of the National Security Agency (NSA) and its international partners have brought unprecedented public attention to concerns like cyber security. Accordingly, some of the world's biggest consumer-facing organizations have been pushed to respond. They've endeavored to send strong messages to the effect that keeping data from falling into the wrong hands isn't something they take lightly.

Encryption takes center stage

These messages have followed a common pattern, with encryption - something the general public might know a little about, but probably not enough to realize they encounter it in everyday activities like online shopping - taking center stage. Yahoo promised to encrypt users' emails, for example, while Microsoft announced a "comprehensive engineering effort" was underway to scale up encryption in services like Outlook, Office 365 and SkyDrive. Google chairman Eric Schmidt's response to the NSA scandal came along similar lines: "The solution to government surveillance is to encrypt everything," he said.

Developments like these mean some commentators are already calling 2014 'the year of encryption'. But as the likes of Yahoo and Microsoft shovel resources into making their cloud services more resilient, should the enterprise change the way it approaches encryption in on-premise IT infrastructure?

At first glance, implementing a far-reaching, comprehensive encryption solution across your organization's network doesn't seem like it comes with many downsides. Not only will it protect your data from attackers and disgruntled - or careless - insiders, it's also one of the boxes you'll need to tick if an auditor for PCI-DSS or the Sarbanes-Oxley Act comes calling. Similarly, exemptions from breach notification requirements apply when electronic Personal Health Information (PHI) has been encrypted, as specified in the HIPAA Security Rule.

Encryption is easier than ever

Modern machines don't struggle to supply the computing power required to encrypt and decrypt data, and there are software packages on the market that make the whole process more user-friendly than it's ever been before. It's now possible to give particular users access to one file or resource, while stopping other users from doing the same, without labouring over key management - your solution should be able to automate this for you.

However, there are still some complications you need to be aware of, as well as hidden pitfalls to steer away from, when putting encryption in place - even if you've invested in the best software money can buy.

Encryption is important, but it's not a magic bullet. If your solution isn't diligently maintained, it can backfire and cost you more resources to fix. Equally, if you're hoping encryption can plug the gaps in a working culture that isn't savvy to the risk of data loss, you might encounter problems down the line as