Security experts urge users and enterprises to adopt full disk encryption and proper key management to secure sensitive data from accidental exposure.

Concerns about data breaches and privacy violations would spur enterprises to adopt encryption
and use it effectively, according to security experts.

Organizations are beginning to assume that the firewall has already been compromised and are
relying on ubiquitous encryption to protect data across the enterprise,
according to Jeff Hudson, CEO of Venafi. In the past, security measures assumed
that firewalls and other perimeter defenses were enough to keep the bad guys
out. Recent high-profile data breaches proved that attackers were still able to
get into the network, and had free rein because the data was not protected at
all, according to Hudson.

Venafi predicted that 2012 would be the "year of ubiquitous encryption."

Along those lines, privacy rights organization Electronic Frontier Foundation recommended
that users "commit" to full disk encryption on all their computers. Encrypting the entire drive
would help secure private data, including business documents, Web-surfing
history, information about other people and email communications, even if the
computer is lost or stolen, Seth Schoen, EFF's staff technologist, wrote on the
EFF blog Jan. 3.

"Don't put off taking security steps that can help protect your private data. Join EFF
in resolving to encrypt your disks 2012," Schoen wrote, noting that there
are several easy-to-use tools available, including Microsoft's BitLocker or
TrueCrypt.

Full disk encryption uses mathematical techniques to scramble data so it is
unintelligible without the right key, according to Schoen. "Without
encryption, forensic software can easily be used to bypass an account password
and read all the files on your computer," he wrote.

Organizations need to make sure that all data, regardless of whether it is stored in-house or
managed by a third-party provider, is protected by either encryption or
tokenization, Ulf Mattsson, CTO of Protegrity, told eWEEK. Incorporating these data-security measures may add some
complexity, but the protections would wind up saving the organization money in
the event of a data breach, Mattsson said. Taking the time to protect the data
would expose the organization to less damage post-breach, he said.

In a recent survey of 500 IT professionals, more than a third admitted to losing USB drives
and portable devices containing unencrypted personal and company data, iStorage
found. Over half said they transported data without encrypting it first, according
to iStorage.

Organizations that have adopted encryption still encounter problems because they are not
following best practices for encryption key management, according to Hudson.
Organizations struggle to keep track of what keys are being used and who has
access to them. Encryption would be a "defining issue" in the year
ahead, he said.

When employees leave, they may take the keys with them, leaving the organization unable to
access the data, Tim Matthews, senior director of product marketing at Symantec,
told eWEEK. A recent Symantec study found that poor key management and lack of
control over the technologies being used could cost the organization an average
of $124,965 a year.

Cloud services will also need to start thinking about encryption as users start worrying about
their personal data and enterprises try to protect the corporate data leaving
their networks, according to Geoff Webb, director of product marketing at
Credant Technologies. Users have a "real desire" to take back control
over the files they put in the cloud, Webb said.

Storage and collaboration services will begin offering user-owned data-security and
encryption options, according to Webb.

Salesforce.com acquired Navajo Systems in August to provide customers with data-encryption
capabilities.

After the European Union issued a mandate that security breaches involving unencrypted
data need to be disclosed to local regulators, several large telecommunications
companies started offering encryption services to minimize the risk of data
exposure. As industry regulations and laws evolve to address unencrypted data,
organizations will find it necessary to encrypt the data from the get-go, Jon
Heimerl, director of strategic security for Solutionary, told eWEEK.

The Health Information Technology for Economic and Clinical Health (HITECH) Act is a good
example, as it states that if an organization loses health care data, as long
as it can show that it protected the encryption key and took proper data
security measures, it does not need to disclose the incident.

"You don't have to make this overcomplicated; even hard drive encryption and
database encryption can go a long way to protect your cool data," Heimerl
said.