Ask the Expert

Is encryption only as good as an organization's password management and access control policies?

I understand the usefulness of encryption if someone physically steals a disk. However, if someone hacks a user account or root account, encryption won't stop a malicious hacker from stealing as much data as the victim account can access, correct? So is encryption only as good as an organization's password management and access control policies?

    Requires Free Membership to View

Not only is encryption only as good as an organization's password management policy, but also as its encryption key-management policy, or the strength of the encryption algorithm, for that matter. In other words, encryption is only as good as the encryption system itself. It can't be compared to the strength of other IT security controls.

Since encryption is just one piece of an entire IT security program, it's not a question of encryption alone, but of where it sits in the security program. Let's look at an overall information security program and then bring it back down to earth in terms of encryption.

An information security program, at a high level, starts with a company's inventory of its IT assets: hardware, software, applications, databases and network devices. Each needs to be prioritized by its importance to the business process, which then determines the level of risk associated with the theft of that asset.

The controls based on these risk levels might include, among other things, firewalls, access control systems, physical security, awareness training and, of course, encryption. But encryption doesn't stand alone. It's generally used with something else -- either as part of an access management system or part of a VPN connection through a firewall, and so on.

In the scenario described above, encryption is used as a standalone control by itself, such as for disk encryption or a laptop. In that case, the strength of the control is only as good as the strength of the encryption.

But if a malicious attacker stole a user or root account, the issue isn't necessarily related to whether encryption is as good as the organization's access control policies. The issue could be related to any number of things, such as network security architecture, configuration of access controls or even weak firewall rules.

Encryption has to be looked at as part of an organization's entire IT security program and not by itself, or compared with other controls.

More information:

This was first published in April 2008

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: