Larry Medina

For the Record

Encryption pops up again

This article in Computerworld discusses some of the changes happening in the encryption environment and also addresses some possible options, such as selective encryption or newer processes that perform encryption "on the fly", but again I'm not convinced that it isn't another case of someone trying to throw a "solution" at an under-researched "problem".

I guess there are only so many topics to talk about, and every time another data loss is publicized, this one comes up. While there is no doubt some information needs to be protected through the use of encryption based on its sensitivity, or the manner in which it's used, it isn't a requirement for ALL information. Even personally identifiable information (PII) only needs to be encrypted if it's handled in a manner that could potentially expose it to others: while in transit, in storage by a third party, or on a system that could potentially be exposed to unauthorized sources. It's important to do an assessment of the information you have and how it's managed to determine the need for encryption.

In some cases, business practices need to be closely examined to see if an unnecessary risk is being placed on information and if there is a potential that others could place you at greater risk for exposing data.  The problem is generally related to policies and business practices, and in many cases, organizations become too comfortable and fail to periodically re-evaluate how they do things.

How often does your organization evaluate its practices? If you ask the question "why do we do something in a specific way?" and no one can remember why, there's a good chance it could stand a change. How often are backups generated? How are they stored? What information is on them? Is there a way to isolate content that may need to be protected (such as PII) that represents a minor portion of the content on a backup? What would the benefit/cost be of isolating that information and handling it in a different manner to minimize the volume of data requiring encryption? What if you could demonstrate an overall savings to your organization by making a suggestion to perform such an evaluation?

Encryption is a tool and it has its place in the data protection and information management world, but it's not necessarily the only answer. You can drive a screw with a hammer or a screwdriver; if you open your toolbox and have a choice... which one would you use?

What People Are Saying

I came across this company

I came across this company called Ceelox (www.ceelox.com) that seems to focus on making encryption security simple. They say that security tools should never make a user feel incapable of using it. They are working hard to make things convenient. They have a really cool email encryption product that is reasonably priced and easy to use that ..pretty cool, private, and convenient.

They also have a product called vault that is drag and drop AES256. It is the bomb..So easy to use.

I imagine that this is what

I imagine that this is what the Veterans Administration contractors said about all of the personal identification information before they lost it. "Even personally identifiable information (PII) only needs to be encrypted if it's handled in a manner that could potentially expose it to others..." Or perhaps they just believe that personal identification information only needs to be encrypted if it is their own personal identification information.

Too true... I'm sure the VA

Too true...

I'm sure the VA felt this, but I doubt the individuals whose information was exposed shared their level of comfort with how it was handled.

The VA case is exactly what I was referring to... this was a case where an analyst who wasn't authorized to take data home decided to. And a deputy Assistant secretary lost his job because of it.

In instances where "sensitive data", (especially PII) is removed from a system that provides safeguards to it, including password protections, privacy protocols, permissions and other forms of physical security as well, there is an OBVIOUS need for encryption. This is true if the content is placed on removable media for transport, sent to a third party for storage, or placed on an unsecured laptop (for whatever illogical reason), or even transmitted across an unsecured communication system.

The point of my original post was organizations need to put into place controls that limit the commingling of "common data" and "sensitive data" to reduce the amount of information that may require encryption to begin with, and establish protocols for the handling of information that does.

Larry Medina Danville, CA

Records and Information Management Professional

We need it, but honestly who

We need it, but honestly who make it?! not at my work ;) and we have a great problem then