
Encryption in data management should never be ignored, expert says

By Eric B. Parizo, Senior Site Editor
29 Apr 2009 | SearchSecurity.com

Security Wire Daily News

WASHINGTON D.C. -- Any organization that manages large volumes of electronically stored information (ESI) may be tempted to cut corners on data encryption, but according to one expert, that's a dangerous mistake.

At the Computer Forensics Show this week, speaker James F. Dawson, former corporate forensic investigations expert with New York-based MetLife Inc., discussed the pain points of managing ESI in support of the insurance conglomerate's litigators.

While it's difficult to manage dozens of concurrent e-discovery matters for an enterprise with approximately 22 petabytes (or more than 22,500 terabytes) of data worldwide, Dawson said that's no excuse not to employ encryption, both at the file level and in the transport layer.

He said desktop encryption programs have evolved to the point where they are cheap to purchase and easy for the typical end user to work with after only minimal training.

In fact, Dawson's former organization practices what he preaches. "Any data that moves around, even within MetLife, gets encryption," he said, noting that transporting data from one business unit to another often means sending data across national or international borders.

But even if the encryption process is less burdensome for end users, that doesn't mean managing encrypted data is easy for a large organization. At MetLife, Dawson said when an e-discovery process begins and potentially relevant data is found, it's then encrypted, transported to data analysts, decrypted and analyzed. Then pertinent data is re-encrypted, moved to portable media, shipped and then finally decrypted again.

Still, Dawson said, it's worth the trouble to keep sensitive ESI safe and avoid a potentially embarrassing data leak.

"In New York," Dawson said, "you don't want to appear in the Post because someone found the unencrypted disk and was able to check out your data."

Dawson noted that shipping data via courier is particularly troublesome, as up to 5% of shipments typically never reach their destination. While that makes encryption important, he said the process is for naught if encryption passphrases are written on a piece of paper and sent along with the package.

As a best practice for transporting encrypted data, Dawson advised providing passphrases by voice via phone or in a voicemail. Or, if a passphrase must be mailed, send it separately, prior to sending the data itself, and have it delivered to a different recipient or address.

For those IT organizations or teams that regularly work with encrypted data as part of a legal or e-discovery process, Dawson recommended setting up a buddy system between technologists and attorneys. That way, he said, IT can learn more about what the litigation team needs, while lawyers get a better sense of what IT can and can't do.

Dawson said that kind of communication also helps attorneys avoid making encryption-related mistakes.

"Attorneys still send email with native email application encryption schemes," he said. "Your kid could practically break that with the decoder ring in a cereal box."
