Rolling your own management
system can create a mess"> Instead of needing just one trustworthy superuser, do you wind up with points of vulnerability because youre rolling your own management system for applications that all do it differently? Montgomery: At a minimum, that can create a management challenge. Within a specific application, some of the concerns that you have to look at are, What are you doing with the data? Is it going to be heavily searched upon? Is it part of search criteria? Or will it only ever be displayed as part of a record on the screen? That will drive the type of technology and the type of coding that youll put around the encryption.Think about how your application will behave if you scramble the data. You may have to [insert] some logic that searches on the ciphertext, which means you have to select the right encryption mode to support that type of capability. Those are the types of things that application developers have to think about. And oh, by the wayyou have to retrofit that into an application in many cases [whose designer] never thought about that kind of stuff.Is it common for developers to make bad choices that do things correctly, but with unacceptable impacts on performance? Montgomery: Absolutely. If you encrypt a piece of data, [and] you dont process it properly, you can force things like table scans on databases. Your application can even give you erroneous results when it cant find records that it should be able to find. Are there any common pitfalls that people encounter when they try to graft encryption into an IT stack that wasnt designed with that in mind? Do they wind up with the form of security but not the substance? Montgomery: Someone might roll their own [solution] and find out that its not compliant. [That might be] their own system or a system from their own application vendor that tries to solve the vendors problem but not within the context of compliance. Is there a broad lack of understanding of what encryption really is? Do legislators, for example, understand there are degrees of protection, with some encryption approaches vastly less effective than others? Moulds: Encrypting data is easy; looking after the keys is hard. And if you leave the keys hanging around, it doesnt really matter what algorithms you useits all been a bit of a waste of time. As Microsoft talks about the use of [Trusted Platform Module] chips in Vista, I think that will start to shift peoples minds toward the idea that crypto has to be done in a different waythat there is good crypto and bad crypto, strongly implemented and poorly implemented crypto. The idea that keys have to be looked after in hardware hasnt broadly permeated outside the sectors of banking or server management. As people start marketing PCs with that kind of capability, the depth of secrecy will be seen as directly impacting security. Microsoft will be offering the hard drive encryption tool Bitlocker with its Windows Vista operating system. Click here to read more. Montgomery: One thing I can tell you were seeing is that industry initiatives, like [Payment Card Industry]even if not as specific as they could beare opening doors. People are saying, "If we have to do it anyway, lets do it right." The technology they put in place has to be flexible enough to handle the things theyll eventually want to do. And [we talk to developers] about the quality, not only of the crypto, but also of the key management and key recovery across a portfolio of applications. And when information is archived across 10 or 20 years, how can a developer be sure that an administrator will know which application encrypted something, using what keys? A lot of developers are trying to embed encryption deeply in the internals of an application, because thats the way to make it really efficient. The application knows how the data is used. But questions of key management have to be addressed outside the application. Check out eWEEK.coms for the latest news, reviews and analysis in programming environments and developer tools.