MCI Data Theft Intensifies Encryption Debate

Recent data breaches are driving enterprise interest in encryption and data protection products, but security professionals say the tehnology may not be the best way to prevent data theft.

Recent reports of embarrassing data breaches, coupled with stringent data privacy regulations such as the Health Insurance Portability and Accountability Act and Sarbanes-Oxley Act, are softening long-standing reluctance by the private sector to adopt encryption technology, industry executives say. But experts advise organizations to plan carefully before introducing encryption and warn that the technology may not even be the best way to prevent data theft.

Incidents such as last weeks disclosure of the theft of sensitive data on 16,500 current and former MCI Inc. employees typifies the forces driving enterprise interest in data encryption and protection tools, experts say. The data was on a laptop stolen in April from a car belonging to an MCI analyst, said Linda Laughlin, a spokesperson for the Ashburn, Va., company.

MCI disclosed the theft in keeping with a 2003 California law known as SB (Senate Bill) 1386 that requires companies that lose sensitive consumer data to inform those affected by the theft. The MCI theft is only the latest in a months-long string of such incidents affecting organizations such as Bank of America N.A., ChoicePoint Inc., Wachovia Corp. and several major universities.

/zimages/2/28571.gifClick here to read about a recent computer breach at Stanford University.

SB 1386 and the public disclosures it has prompted have accelerated interest in data protection technologies. SB 1386 lets companies that encrypt sensitive data forgo notifying customers if that information is stolen. That sunny view of data encryption will turn it into the lowest common denominator for satisfying regulations in years to come, say encryption advocates.

But companies cant clamp encryption on top of production networks, databases and file systems without breaking business apps and slowing network traffic to a crawl, said David Friedlander, an analyst with Forrester Research Inc., in Cambridge, Mass.

The trick is to apply encryption strategically and in a way that doesnt require changes to applications, employees or business partners who use the information, said Ted Julian, vice president of marketing at Application Security Inc., of New York.

Protecting critical databases should be a priority for any company hoping to avoid an embarrassing incident, Julian said. "You dont get 100,000 customer records any other way than by getting into the database," he said.

Still, Julian said he recommends encryption as a "second or third," rather than first, step in securing information assets. Companies should do detailed discovery and vulnerability assessments of assets, such as forgotten and embedded databases that can be easy targets for hackers, he said.

/zimages/2/28571.gifClick here to find out how IT managers can stay a step ahead of hackers.

Once organizations know which assets are potential targets, they can decide which ones actually contain sensitive information and use encryption to secure only that data.

Thats what IT administrators at Beth Israel Deaconess Medical Center did. The Boston hospital uses Social Security numbers to look up patient records, but the data is considered very sensitive, so the hospital encrypts it in its database. When someone enters a Social Security number to look up a record, it is encrypted, or hashed, and compared with the hashed version in the database, said John Halamka, the hospitals CIO.

Organizations also need to do a better job of protecting data on workers computers, experts agree. Encryption can shield data on laptop hard drives and mobile devices. Evolving digital rights management technology from Microsoft Corp., Adobe Systems Inc. and smaller players, such as Liquid Machines Inc., can protect documents and data even if they fall into the hands of criminals, said Forresters Friedlander.

However, organizations should also strengthen auditing and data access policies and perform more stringent background checks to prevent being victimized by the biggest source of attacks: company insiders. Companies are only beginning to weigh the impact of data breaches such as those at MCI, said Richard Moulds, vice president of marketing at encryption vendor nCipher Corporation Ltd., of Cambridge, England.

"People have been hiding behind their firewall and assuming that everything within their perimeter is trustworthy," Moulds said. "Theyre only just starting to come to terms with the issue of how to protect their content."

/zimages/2/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.