Encryption Works Wonders, But Causes Its Own IT Headaches

The most aggressive users of encryption for PCs, databases, and networks can spend hundreds of thousands of dollars on product licenses, training, and support. The added software and hardware layers can slow systems performance, particularly when data packets must be decrypted to be examined by firewalls and intrusion-prevention systems. The alternative is to assume that all encrypted data is coming from a trusted source and let those packets through without inspection. Encryption handled poorly--when decryption keys are lost or stolen or become predictable because they're used too long--is the kiss of death for sensitive data.

"Encryption has to be real and affordable and practical," says Dennis Heretick, chief information security officer at the Justice Department. Heretick prioritizes encryption based on risk. Removable media containing sensitive information must be encrypted, for example. But he realizes that encrypting all information in the Justice Department's databases would mean "a huge performance hit." If Heretick determines that encryption isn't practical for a particular data store, he'll rely on other means of security, such as keeping that database off the network.

While the Justice Department has been encrypting data on laptops for several years, the Department of Veterans Affairs discovered the value of encryption too late, leaving personal information on about 26.5 million veterans and their spouses exposed when an agency laptop and unencrypted hard disk drive were stolen in May. Besieged by Congress and veterans, the VA in August signed Systems Made Simple to a $3.7 million contract to install encryption software from GuardianEdge Technologies and Trust Digital on all its laptops by mid-September. The VA missed its self-imposed deadline but has made "good progress," according to an agency spokeswoman. The department plans to add the software to all of its desktops, as well as enforce the encryption of all data stored on flash drives and CDs.

In lockstep with the VA, the U.S. Army is mandating that each laptop it uses in the field be outfitted with encryption software from Pointsec Mobile Technologies, Credant Technologies, and Microsoft's Encrypting File System. The Army plans to make use of the encryption features in Windows Vista when they become available. (For more on Vista and other emerging encryption tech, see story, New Laws, New Technologies Sell IT On Encryption.)

Indeed, a growing number of organizations are encrypting their databases, laptops, network traffic, and E-mail as they try to mitigate risk. The VA laptop theft prompted Clay Johnson, deputy director for management at the White House Office of Management and Budget, to issue a June 23 memo with security recommendations to all federal departments and agencies. One of the four recommendations was that government agencies encrypt all data on laptops and handheld computers unless classified as nonsensitive.

Still, companies must view widespread encryption with their eyes wide open. Even by the vendors' own admissions, encryption technology presents many difficulties. It sucks up a lot of IT time and makes it harder to share information. Then there's the management of the keys used to decrypt messages. If they're stolen or otherwise fall into the wrong hands, encrypted data becomes vulnerable. If keys are lost, it can become impossible to retrieve data. "If I encrypt this information, how can I be sure that I'll be able to recover it in five years? What about in 25 years?" says Richard Moulds, VP of marketing for nCipher, a provider of encryption hardware and software.

Now You See It ...
Encryption makes sense for certain uses. It essentially wraps a sealed envelope around data, obfuscating information so that no one, except the person with the decryption key that unseals the envelope, can make sense of the information. Unencrypted data, in contrast, moves exposed along networks, like a postcard wending its way through mail delivery.

Encryption bogs down networks and systems by pulling data aside and disguising it before dispatching it on its way. The severity of the latency depends on a number of factors. Encrypting many small data packets takes more time than encrypting a smaller number of larger data packets. Latency diminishes when users depend on a hardware device rather than software to perform encryption. The ability to simultaneously send multiple encrypted data streams also cuts latency.

Sophisticated data thieves can overcome encryption through brute-force techniques that try every possible permutation of a key, but such attacks take time and require knowledge of how encryption systems work, know-how beyond the scope of the average laptop or data thief. Passwords are easier to crack, and even biometric devices that require fingerprint, iris, or other types of user identification can be routed around by removing the hard drive and installing it in another computer.

That's why many companies that deal with people's financial or personal information are locking down their laptops. By the end of September, Capital BlueCross plans to encrypt data on all 600 of its laptops. "With encryption, if you take out the hard drive, it's useless," says Kent Podvin, director of IT process. Capital BlueCross also is encrypting data stored on PDAs and removable media.

Despite rising angst about data loss, companies still use encryption sparingly. Only 19% of 966 U.S. companies in InformationWeek Research's Global Security Survey 2006, conducted in partnership with Accenture in May and June, cite new or expanded use of encryption among technologies most beneficial to their regulatory compliance efforts, for example. Respondents placed greater emphasis on infrastructure and application security as well as improved document and storage management. Among U.S. companies that use cryptography tools to protect their information systems, 64% rely on Secure Sockets Layer, while 22% use Pretty Good Privacy, or PGP, encryption. Both percentages are virtually unchanged since 2004. Pretty Good Privacy is a public key encryption program written in 1991 and the de facto standard for E-mail encryption, though it also can encrypt data on PCs and servers.

This Won't Be Easy
Encrypted data reduces the effectiveness of network security appliances that inspect traffic moving into and out of a network. Encryption also can inadvertently create ways for attackers to plant "bombs" on a network because intrusion-prevention/detection systems and firewalls can't examine encrypted data, says Bob Gleichauf, CTO for Cisco Systems' security technology group. It's a mistake, he says, to apply encryption in response to regulations rather than pressing risks. "People think encryption is a cure-all, but it requires vigilance in how you manage it," Gleichauf says.

IT decision makers must take into account the sensitivity of information, its vulnerability to attack, how much their organization is willing to spend on encryption, and the IT team's knowledge of encryption and ability to manage it.

Paul Needham, director of product management for Oracle database security, says database encryption is becoming more popular, even if only a minority of Oracle customers use it. One hurdle: Most applications weren't built to work with encryption. That includes legacy applications written to let call center staff, retail clerks, and other employees access data that they need displayed on their computer screens.

Oracle has tried to address this disconnect with APIs that developers use to connect tools to encrypted information within databases. With Oracle 10g Release 2 in July 2005, the company began offering what it calls transparent data encryption. The company embedded encryption in its data definition language, or DDL, meaning database admins can encrypt tables within the database rather than the entire database. When an application requests data, those newer databases know data has to be decrypted before it's delivered to the application.

But transparent encryption presents its own problems. Alexander Kornbrust, CEO of security research firm Red-Database-Security, reported in January that Oracle's transparent data encryption feature was storing its master encryption key unencrypted in the system global area, which is Oracle's structural memory that aids the transfer of data between clients and an Oracle database. Oracle corrected that bug in its January critical patch update.

[Photo: Say, can you spare an encryption key? Capital BlueCross' VP of IT Kent Whiting (right) with Kent Podvin, director of IT process. Photo by David Deal]

Database encryption has little appeal for Capital BlueCross. "We looked at encrypting data in our Oracle databases, but that had tons and tons of overhead," says VP of IT Kent Whiting. Instead, Capital uses firewall technology to protect most of its data from external access.

A Pricey Proposition
It's difficult to attach a general cost to encryption, given that it comes in different strengths and can be applied to PCs, networks, and databases. The cost of desktop encryption software can start at $59 per unit, as with PGP Corp.'s software. PGP Desktop users manage their encrypted desktops using the company's Universal server, priced at $169 per user for a perpetual license or $69 per user annually.

But there are a lot of service costs as well. Replacing a key or digital certificate--the latter assures senders of data that they're communicating with someone they trust--can cost $250 per key or certificate, and sometimes up to $1,000 using manual procedures. Compare that with password changes, which generally cost $45 per reset password. Creating a back-end encryption infrastructure is considerably more expensive. NCipher's nShield Hardware Security Module for cryptographic key storage and management starts at $6,000 per appliance. Its KeepSecure appliance for encrypting data at rest in databases and other applications averages about $80,000. Adding the company's keyAuthority key management and distribution software tacks on at least another $100,000.

Encryption could be a cost-saver if vendors figured out a way to scale it to more end users--to secure customer interactions, in particular. Financial services companies, for instance, would love to reduce the number of paper statements they mail to clients each month, if only vendors could come up with a way to encrypt mass E-mail blasts cost-effectively. "This would be a killer app for encryption," says Richi Jennings, lead analyst with E-mail consulting firm Ferris Research, who adds that it would kill phishing scams perpetrated by fraudsters posing as banks.

Worry, Worry, Worry
More than anything, the urge to encrypt comes from the belated realization that sensitive data is walking around on laptops. But encrypting laptop files and data can be difficult and require additional work. Some encryption software doesn't recognize updates to PC apps, forcing IT teams to uninstall encryption software before they update apps or operating systems, and then re-encrypt the hard drive. That can take several hours per unit.

Capital BlueCross has been encrypting as many as 40 of its laptops weekly. The installation of encryption technology takes less than five minutes, and the encryption takes place in the background while employees use their computers. However, Capital BlueCross' IT team can spend up to four hours per PC performing diagnostics and testing the installation of Utimaco's SafeGuard Easy full disk-encryption software. That software is then integrated with the health care provider's Active Directory security controls. The IT staff has been doing this extra work one day a week on average over the past two months. SafeGuard Easy is among a set of Utimaco products priced at around $250 per PC to provide encryption, personal firewall, antivirus, anti-spyware, and asset management.

SafeGuard Easy encrypts all applications that run on a PC's hard drive with no noticeable effect on users, other than adding a new logon screen when they boot up. Capital BlueCross chose SafeGuard Easy because of its integration with back-end management capabilities, especially its PC-imaging backup and upgrade processes. The insurer initially started encrypting laptops to protect client health information but has extended the program to protect other sensitive company information, VP of IT Whiting says.

Arkansas BlueCross BlueShield encrypts certain client data to meet government regulations, such as the Health Insurance Portability and Accountability Act and Gramm-Leach-Bliley, though encryption isn't specifically mandated by those regulations. "When it's personal health information or personally identifiable information, we err on the side of caution," says Bob Heard, VP of IT infrastructure.

Arkansas BlueCross BlueShield plays the same balancing act as many other companies: It's going to do what it must to protect data, but it knows the costs rise if encryption is applied to data a lot of people need to access, because that will mean more software and more support. "Encryption is very, very important to us based upon certain types of data, but it's not used on a broad scale where it's applied to anything and everything," says CIO and senior VP Joe Smith. "There's a practical matter of knowing what you need to protect."

Companies sometimes throw encryption at the wrong risks. "I run into enterprises implementing encryption in places where it's not necessarily needed, but their backup tapes are being sent out unencrypted in the hands of $6-an-hour couriers," says Paul Kocher, president and chief scientist of Cryptography Research. "Encrypting backup tapes and laptops is an absolute no-brainer because it's low cost and the benefits outweigh the risks." IBM and Sun Microsystems are betting on that; both are coming out with storage systems that can automatically encrypt data as it's recorded onto magnetic tape.

Data broker ChoicePoint requires all third-party data sources to encrypt any data sent to it on disk or tape. ChoicePoint isn't taking chances after scammers in 2004 tricked it into giving them personal information, leading to $25 million in fines, fees, and tech upgrades. It's become an encryption zealot. "Everyone's laptop is now encrypted, even if you don't have access to sensitive data," chief marketing officer James Lee says.

It's understandable that a company like ChoicePoint with so much personal data--and a reputation so much at risk--would embrace encryption broadly. But the decision to encrypt data should be made only after a thorough assessment of the cost-benefit. Remember, an investment in encryption is more than a shopping trip for new hardware and software. It's a new approach to security that requires constant management over the lifetime of your data. Make sure what you're protecting is worth the effort.