Losing Leaks in 45 Days

Q&A: PGP's John Dasher talks about the federal mandate that encourages security pragmatism but at the same time could invite fragmentation.

Any mention of PGP brings to mind the crypto advocacy of Pretty Good Privacy auteur Phil Zimmermann, who challenged government opposition to strong encryptions broad availability. The present PGP Corp. is a relaunch of Zimmermanns original PGP Inc., following the five-year period when the latter company was owned by Network Associates (which later became McAfee in June 2004).

The current PGP has gone far beyond the end-user e-mail privacy protection that was Zimmermanns tenacious pursuit. That broadening of interests corresponds in important ways to the broadening data protection challenges faced by developers.

/zimages/2/28571.gifPGP adds encryption to IBM mainframe and midrange platforms. Click here to read more.

Robust and scalable security—effectively integrated into the application portfolio—is becoming an expectation in every enterprise rather than a mere handful of hush-hush domains.

John Dasher, PGPs director of product management in Palo Alto, Calif., spoke with eWeek Labs Technology Editor Peter Coffee.

With more data encrypted at rest, and more data streams encrypted on the fly, are crypto capabilities increasingly a part of the enterprise developers repertoire?

When we relaunched PGP Corp., we moved encryption from the desktop—as a double-clickable application where the end user had to do something—down to the transport or network layer. We could monitor network traffic and automatically apply encryption according to centralized policy: no more relying on end users to follow a memo that went out two years ago on what should be encrypted.

Is encryption as a platform a major battle of perception in the enterprise? Do developers think that using encryption means learning algorithms or acquiring code libraries?

If you have a sound development team following good practices, no doubt they can implement algorithms to encrypt stuff. Thats the easy part. The question is: How do you scale that in an organization that has thousands, or even tens of thousands, of clients? How do you manage the keys? How do you ensure that policy is uniformly applied? Thats the hard part of the problem.

Are the encryption algorithm wars pretty much over, in terms of there being a portfolio of algorithms such as PGP and AES and Triple DES? Are we past the point of disruptive crypto innovation?

There are always attempts at new algorithms. Some of them succeed. Most fail. And year after year, cryptographers and mathematicians and other people of interest are always poking at the existing algorithms to see if they can find weakness.

Will we see a quantum jump in crypto awareness with Californias law, for example, mandating disclosure of data leaks unless the database is encrypted?

What weve seen is that a couple of years ago, corporations had to worry about Sarbanes-Oxley. If you werent a public corporation, you kind of didnt care. Californias SB 1386 law kicked the snowball off the top of the hill. There are 27 states with something very similar and five different federal bills pending.

If you have a disclosure, you have to admit to it, contact the people affected, make financial restitution. This stuff is in the popular press. I think thats changing corporate behavior.

When the VA [Veterans Affairs] loses 22 million-plus names and Social Security numbers and other personal information, we suddenly have a memo from the OMB [Office of Management and Budget] mandating encryption for all laptops.

Whats the time frame for that, and what are the implications for people building applications for field sales forces, or for other personnel out there with critical data?

Its a two- or three-page memo with a couple of attachments, published this past July 23. It basically says, "Youve got 45 days to accomplish four things. Any database extract holding sensitive information has to be erased after 90 days, and you have to log any incident of someone taking data out of the database." Most DBMS systems today have those capabilities; its just a matter of enforcing it.

The second item is a time-out function that forces end users to reauthenticate after 30 minutes of inactivity. Windows XP has facilities that allow you to do that; you just have to put them to use. Remote access—your VPN, for example—has to occur with two-factor authentication: a great practice that we totally endorse.

Will such an accelerated pace lead to point solutions, resulting in one user needing to decrypt data to send to another user wholl re-encrypt it—because they dont have a unified solution? Will there be a lot of unencrypted data moving on the wires, as opposed to encrypting data on its way into the system and passing it around in a standard form for decryption only at a moments use?

I couldnt agree with you more. The biggest risk is taking a point solution—say for laptop encryption—and rolling that out to tens of thousands of users to find that your system becomes unwieldy with that many users—unwieldy in terms of satisfying policies, and having to undo it. If you dont have time to do it, when will you have time to do it over and get it right?

/zimages/2/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.