This Content Component encountered an error

Data protection services and strategies for enterprise CIOs

Tools and Technologies: Data protection software and systems <<previous|next>> :Identity access management compliance: Consider roles people play

Encryption no longer an optional technology

01 Oct 2008 |

Unravel the ins and outs of how your organization should deploy encryption.

For many years, encryption was something companies could choose to use if they wanted an extra degree of security for their data. However, the days of optional encryption are gone forever. Today, companies in a variety of industries are subject to regulations that mandate encryption and other security measures, and face stiff penalties for failure to adequately protect their data. Even if a company is not subject to these types of regulations, many states have laws requiring companies to disclose security breaches in which unencrypted customer data has been compromised.

Consequently, it is no longer a question of whether a company should use encryption, but rather how a company should encrypt data. The first step in planning an encryption strategy is to understand the primary types of available encryption solutions: storage, network encryption and application-level. While each offers benefits, there are also drawbacks to take into account.


PCI is far more prescriptive than HIPAA when it comes to encryption.
by Marcia Savage

What do regulations such as HIPAA actually require in terms of encryption? The HIPAA Security Rule lists encryption as an "addressable" technical safeguard, which means it's not mandatory but must be addressed. "Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate," the rule reads.

Like many regulations, HIPAA is intended as guidance rather than mandates, says Richard Mackey, vice president of consulting at SystemExperts. Ultimately, a risk analysis is required to determine the specific security measures a business should implement. "You're supposed to conduct a risk analysis to figure out the real risks, the likelihood of an attack, and what methods would be effective in protecting against those attacks," he says.

Far more prescriptive is the Payment Card Industry Data Security Standard, which provides specific direction on encryption. Requirement 3.4 lists four ways organizations can make the Primary Account Number (PAN) unreadable wherever it is stored: strong, one-way hash functions; truncation; index tokens and pads; and strong cryptography with associated key management processes.

Then, there are the state laws (at least 44) requiring notification of breaches involving personal information, many of which make exemptions for encrypted data.

Related Content

Related glossary terms

Terms from − the technology online dictionary
Identity Theft and Data Security Breaches

Related Resources