Since encryption is just one piece of an entire IT security program, it's not a question of encryption alone, but of where it sits in the security program. Let's look at an overall information security program and then bring it back down to earth in terms of encryption.
An information security program, at a high level, starts with a company's inventory of its IT assets: hardware, software, applications, databases and network devices. Each needs to be prioritized by its importance to the business process, which then determines the level of risk associated with the theft of that asset.
The controls based on these risk levels might include, among other things, firewalls, access control systems, physical security, awareness training and, of course, encryption. But encryption doesn't stand alone. It's generally used with something else -- either as part of an access management system or part of a VPN connection through a firewall, and so on.
In the scenario described above, encryption is used as a standalone control by itself, such as for disk encryption or a laptop. In that case, the strength of the control is only as good as the strength of the encryption.
But if a malicious attacker stole a user or root account, the issue isn't necessarily related to whether encryption is as good as the organization's access control policies. The issue could be related to any number of things, such as network security architecture, configuration of access controls or even weak firewall rules.
Encryption has to be looked at as part of an organization's entire IT security program and not by itself, or compared with other controls.
This was first published in April 2008