This article can also be found in the Premium Editorial Download "Information Security magazine: Security 7 Award winners sound off on key information security issues."
HOW TO CHOOSE
Most organizations will want to take a layered approach. When it comes to encryption, the general rule is that data needs to be protected at rest and in motion. If data is only encrypted at the storage level, or only while in transit, then the data is not fully protected against potential exposure. Although application-level encryption fulfills both of these criteria, it should be used only to augment your network's security, not as the sole encryption method. The reason is that not every application offers built-in encryption, and those that do have varying encryption strengths.
If a company is not subject to regulations requiring encryption, it's critical to consider the total cost and staff requirements associated with deploying and maintaining the technology. Encryption can cost a significant amount in terms of hardware, software and support, and it is important to make sure the benefits justify the expenditures.
Whatever encryption solution a company chooses, it should be transparent to end users and compatible with your network infrastructure. Some encryption solutions cause complications with backing up data or with accessing or encrypting data stored on a SAN. Make sure the solutions you are considering will not cause a significant administrative burden once the initial setup is complete.
While encryption definitely has its place in an enterprise security strategy, a company can't rely on encryption to solve its security problems. Most security experts agree that there is no such thing as a foolproof security solution. Any security mechanism can be circumvented with enough time and effort, including strong encryption. The key to good security is to make a breach more trouble than it's worth. This is best achieved by taking a layered approach to security that involves comprehensive policies and multiple technologies.
This was first published in October 2008