The Case for Encryption

News Analysis: Data encryption has become a necessity, but choosing the right type of encryption depends on a company's specific needs and its tolerance for complex implementations.

With privacy-protection laws and regulatory-compliance guidelines hardening in virtually every industry, IT managers who don't have encryption in place should be scouring the marketplace for an appropriate solution.

There is a wide range of encryption solutions, providing many ways to protect business data. Some encryption systems are easier to implement than others, however, so when evaluating products, IT managers will have to balance their organizations' security needs with IT staffers' tolerance for complexity.

IT managers need to know their specific needs before diving into the encryption market—the perfect encryption solution for one company could be overkill for another.

Application-level encryption delivers the strongest data protection, but it's too difficult to implement for many companies. Application-level encryption may be necessary if a company has several databases, but not for protecting reference data (such as medical images, blueprints, office files, presentations and video) or backup media.

IT managers who are concerned about protecting removable media—such as tapes sent to an off-site data vault—but not about the data stored in their organizations' data centers could likely get by with a tape-encryption appliance or by adding encryption software to backup servers.

Storage-level encryption solutions, from vendors including Decru Inc. and NeoScale Systems Inc., are fairly easy to deploy. Many of the data-theft incidents in the past few years could have been avoided if the victimized companies had only implemented these products to protect storage systems and tape media.

Storage-level encryption devices are ideal for protecting removable media because the encryption/decryption can usually be done in the data path without having to alter applications in any way.

For example, when a backup application is writing data to tape, the encryption solution sits between the backup server and the tape library, quietly encrypting data that passes through it.

Solutions that encrypt on the storage level typically run close to wire speeds, so latency should not be a factor unless large amounts of data are being moved quickly.

Application-level encryption products are more difficult to deploy than storage-level encryption solutions, but they provide exceptional security granularity.

Solutions such as Ingrian Networks Inc.'s Ingrian i321 DataSecure Appliance can selectively encrypt specific columns in a database and make them unreadable to employees who do not have the proper security authorization.

However, application-level encryption products can't simply be popped into a data center on a spare weekend. They require the addition of special connector software to the protected database server, often requiring the assistance of a database administrator.

Proceed with caution

In addition, because many databases are mission-critical, eWEEK Labs strongly suggests that IT managers create test environments to ensure that databases can still interoperate with whatever applications they need to after the encryption solution has been implemented.

Application-level encryption solutions run concurrently with database transactions (each transaction is encrypted and verified individually), so latency is another concern, and performance tests should also be run in a nonproduction environment.

Regardless of the type of solution implemented, IT managers must carefully manage keys—at the end of the day, encryption is pointless without responsible key management.

There are pluses and minuses to every encryption solution, but with careful planning and intimate knowledge of business needs, IT managers can harden their infrastructures without breaking business processes.

Senior Analyst Henry Baltazar can be reached at .

Storage or app level?

Physical and file-share-level encryption


  • Relatively easy to implement
  • Protects against theft of storage devices and servers


  • Does not protect against application-level attacks

Application-level encryption


  • Provides security granularity
  • Allows encryption of specific data fields


  • Requires extensive performance and interoperability tests
  • Latency may be a concern

Source: eWEEK Labs