Since encryption is just one piece of an entire IT security program, it's not a question of encryption alone, but...
of where it sits in the security program. Let's look at an overall information security program and then bring it back down to earth in terms of encryption.
An information security program, at a high level, starts with a company's inventory of its IT assets: hardware, software, applications, databases and network devices. Each needs to be prioritized by its importance to the business process, which then determines the level of risk associated with the theft of that asset.
The controls based on these risk levels might include, among other things, firewalls, access control systems, physical security, awareness training and, of course, encryption. But encryption doesn't stand alone. It's generally used with something else -- either as part of an access management system or part of a VPN connection through a firewall, and so on.
In the scenario described above, encryption is used as a standalone control by itself, such as for disk encryption or a laptop. In that case, the strength of the control is only as good as the strength of the encryption.
But if a malicious attacker stole a user or root account, the issue isn't necessarily related to whether encryption is as good as the organization's access control policies. The issue could be related to any number of things, such as network security architecture, configuration of access controls or even weak firewall rules.
Encryption has to be looked at as part of an organization's entire IT security program and not by itself, or compared with other controls.
Dig Deeper on Database Security Management
Related Q&A from Joel Dubin
After a server room door has been compromised, finding a more secure solution is of utmost importance. Learn how to choose a server room door that ...continue reading
In the IAM world, what's the difference between access control and identity management. This IAM expert response explains how the two relate as well ...continue reading
When working with PeopleSoft and Unix, which single sign-on (SSO) vendors offer the most effective products? Learn how to choose an SSO product in ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.