What IT buyers should know about encryption

March 18th, 2014

By Byron Acohido, Last Watchdog

SEATTLE — Some 44 percent of consumers don’t bother to set a password to restrict access to their home laptop or desktop computers, and only 14 percent use any sort of encyrption service.

Those findings from a recent Harris poll of 2,000 U.S. adults, commissioned by encryption vendor WinMagic, aren’t terribly surprising. Tighter security means less convenience. And U.S. consumers crave convenience, above all.

However, with personally-owned computing devices showing up in workplace settings, the brunt of any security ramifications is sure to be felt by companies and organizations, particularly those embracing BYOD.

“With consumers bringing their own devices into the workplace, bad security habits will play into the enterprise,” says Mark Hickman, WinMagic’s COO. “There’s going to be sensitive data on their laptops, tablets and smartphones, and they won’t have the right protocols to ensure security.”

That development has put encyrption technologies in the mix of security solutions IT buyers must add to the list of new tools they must come to understand. Last Watchdog invited officials from three encryption vendors — Jim Ivers, Chief Security Strategist at Covata; Gregoire Ribordy, is the CEO of ID Quantique; and Bob West, Chief Trust Officer of CipherCloud– to supply a starting point.

LW: Can you concisely describe your encryption product or service?

West: CipherCloud enables enterprises to extend data security from inside the company’s walls into the cloud. We help companies encrypt  and tokenize data and set protection policies. We also flag suspicious user activities in the cloud.

Ivers: Covata protects data wherever it resides. We do this  through an SDK and our  corporate Dropbox tool, Safe Share.  Covata’s technology enables businesses to secure ad hoc relationships with customers and partners.

Ribordy:  ID Quantique is one of the pioneers in quantum key distribution (QKD), an encryption method that secures data moving point to point. Classical encryption relies on mathematics, while quantum cryptography relies on the laws of quantum physics to establish secure communications using photon keys.

LW: Let’s say I’m the CISO at a company  with 250-500 employees. What is the most important thing I need to understand about encryption?

Ivers: Encryption must be paired with persistent, adaptive access controls that enable the originator to retain control of the data. Decisions makers must adopt a more data-centric approach to controlling how, who and when confidential information can be shared.

Ribordy: People are beginning to understand importance of securing data in transit between locations. While this area may not be the most immediately vulnerable to attack, the impact of vulnerability can be devastating to a company.

West: You should understand what systems hold the most important information I have. If information from my CRM systems fell into the hands of a competitor, they would have information about customers, prospects, pricing and other sensitive information. Most CRM providers don’t encrypt the information stored on the cloud. I’d look at implementing strong encryption across cloud applications.

Q: What  do I need to understand about the many different kinds of encryption services being pitched at me?

West: You need to understand where the encryption keys reside. One of the most important things is making sure the encryption keys are kept separate from the data being protected. Keeping encryption keys separate from the information ensures that if someone tries to steal information, it is protected and can’t be accessed unless the keys are readily available.

 Ivers: Beware of encryption silos and the resulting gaps in security.  Many of the solutions being pitched are narrow in scope and leave huge protection gaps because they address specific functional or physical use cases.

Ribordy: You need to understand the distinction between short-term and long-term solutions. It’s very possible that in 5-20 years, there will be a quantum computer capable of cracking the toughest codes in less than seconds. Quantum cryptography is an option both for today and for the long term, when quantum computers are mainstream.