
    Losing Leaks in 45 Days

    By eWEEK EDITORS, August 14, 2006

      Any mention of PGP brings to mind the crypto advocacy of Pretty Good Privacy auteur Phil Zimmermann, who challenged government opposition to strong encryption's broad availability. The present PGP Corp. is a relaunch of Zimmermann's original PGP Inc., following the five-year period when the latter company was owned by Network Associates (which later became McAfee in June 2004).

      The current PGP has gone far beyond the end-user e-mail privacy protection that was Zimmermann's tenacious pursuit. That broadening of interests corresponds in important ways to the broadening data protection challenges faced by developers.

      Robust and scalable security—effectively integrated into the application portfolio—is becoming an expectation in every enterprise rather than a mere handful of hush-hush domains.

      John Dasher, PGP's director of product management in Palo Alto, Calif., spoke with eWeek Labs Technology Editor Peter Coffee.

      With more data encrypted at rest, and more data streams encrypted on the fly, are crypto capabilities increasingly a part of the enterprise developer's repertoire?

      When we relaunched PGP Corp., we moved encryption from the desktop—as a double-clickable application where the end user had to do something—down to the transport or network layer. We could monitor network traffic and automatically apply encryption according to centralized policy: no more relying on end users to follow a memo that went out two years ago on what should be encrypted.

      Is encryption as a platform a major battle of perception in the enterprise? Do developers think that using encryption means learning algorithms or acquiring code libraries?

      If you have a sound development team following good practices, no doubt they can implement algorithms to encrypt stuff. That's the easy part. The question is: How do you scale that in an organization that has thousands, or even tens of thousands, of clients? How do you manage the keys? How do you ensure that policy is uniformly applied? That's the hard part of the problem.

      Are the encryption algorithm wars pretty much over, in terms of there being a portfolio of algorithms such as PGP and AES and Triple DES? Are we past the point of disruptive crypto innovation?

      There are always attempts at new algorithms. Some of them succeed. Most fail. And year after year, cryptographers and mathematicians and other people of interest are always poking at the existing algorithms to see if they can find weakness.

      Will we see a quantum jump in crypto awareness with California's law, for example, mandating disclosure of data leaks unless the database is encrypted?

      What we've seen is that a couple of years ago, corporations had to worry about Sarbanes-Oxley. If you weren't a public corporation, you kind of didn't care. California's SB 1386 law kicked the snowball off the top of the hill. There are 27 states with something very similar and five different federal bills pending.

      If you have a disclosure, you have to admit to it, contact the people affected, make financial restitution. This stuff is in the popular press. I think that's changing corporate behavior.

      When the VA [Veterans Affairs] loses 22 million-plus names and Social Security numbers and other personal information, we suddenly have a memo from the OMB [Office of Management and Budget] mandating encryption for all laptops.

      What's the time frame for that, and what are the implications for people building applications for field sales forces, or for other personnel out there with critical data?

      It's a two- or three-page memo with a couple of attachments, published this past July 23. It basically says, “You've got 45 days to accomplish four things. Any database extract holding sensitive information has to be erased after 90 days, and you have to log any incident of someone taking data out of the database.” Most DBMS systems today have those capabilities; it's just a matter of enforcing it.

      The second item is a time-out function that forces end users to reauthenticate after 30 minutes of inactivity. Windows XP has facilities that allow you to do that; you just have to put them to use. Remote access—your VPN, for example—has to occur with two-factor authentication: a great practice that we totally endorse.

      Will such an accelerated pace lead to point solutions, resulting in one user needing to decrypt data to send to another user who'll re-encrypt it—because they don't have a unified solution? Will there be a lot of unencrypted data moving on the wires, as opposed to encrypting data on its way into the system and passing it around in a standard form for decryption only at a moment's use?

      I couldn't agree with you more. The biggest risk is taking a point solution—say for laptop encryption—and rolling that out to tens of thousands of users to find that your system becomes unwieldy with that many users—unwieldy in terms of satisfying policies, and having to undo it. If you don't have time to do it, when will you have time to do it over and get it right?
