Embracing Enterprise-Wide Encryption

Why haven’t organizations yet embraced enterprise-wide encryption?

What are the benefits?

What are the chief obstacles?

Encryption is being touted as the balm for all the pains hackers create. But is it? Maybe. Or maybe not. At face value, there's no doubt. A hacker breaks into your network and all he can steal is encrypted data – useless to him. The hacker leaves, tail between his legs, defeated in a way, because he just wasted valuable time. He got in, but he wasn't able to steal anything.

Oh wait.

The keys! For me to be able to read my data, now I need those keys. And where are the keys? Oh yes, on the network, where the hacker, lurking for months, finally found them, stole them, and was able to decrypt my data anyway. And now, we're back to basics – we lost again.

Encryption is a great step towards stronger security, but you can't just encrypt your data and think you're done. If I encrypt my HDD, I need to remember my password. And even that can be hacked too – brute-force hacked, if nothing else. If I encrypt the data of an entire enterprise, I need a proper system to manage the keys, because the more people are involved in the management, the more delicate this issue becomes AND the more likely it is that those keys may be "lost" (read: stolen or leaked). Worst of all, it becomes even more likely that the entire castle will crumble.

Encryption is expensive. Encrypted data occupies more space than the original copy. But most importantly, a proper system of key management needs to be in place, and that is not easy to achieve. So yes, encryption is desirable and it would definitely provide that extra layer of protection that is missing today. But this isn't going to happen with a simple push of a button.

It is a major task.

A project requiring proper planning, implementation, and ongoing management.

Given all that, the one area where I would, in all honesty, start (and I'd even go so far as to make it legislatively mandatory) to use encryption is the area of username/password databases. Frankly, I don't even understand why a company that manages a large database of users would ever store that database in clear text. For any hacker to read!! It's expensive to encrypt all the data, fine, I get it. But my password?

Please, encrypt it, now.

And use the strongest cypher available.