Manage Learn to apply best practices and optimize your operations.

Is encryption only as good as an organization's password management and access control policies?

Is data encryption helpful if a system's root or admin account is hacked? Learn more about this identity and access managment dilemma.

I understand the usefulness of encryption if someone physically steals a disk. However, if someone hacks a user account or root account, encryption won't stop a malicious hacker from stealing as much data as the victim account can access, correct? So is encryption only as good as an organization's password management and access control policies?
Not only is encryption only as good as an organization's password management policy, but also as its encryption key-management policy, or the strength of the encryption algorithm, for that matter. In other words, encryption is only as good as the encryption system itself. It can't be compared to the strength of other IT security controls.

Since encryption is just one piece of an entire IT security program, it's not a question of encryption alone, but of where it sits in the security program. Let's look at an overall information security program and then bring it back down to earth in terms of encryption.

An information security program, at a high level, starts with a company's inventory of its IT assets: hardware, software, applications, databases and network devices. Each needs to be prioritized by its importance to the business process, which then determines the level of risk associated with the theft of that asset.

The controls based on these risk levels might include, among other things, firewalls, access control systems, physical security, awareness training and, of course, encryption. But encryption doesn't stand alone. It's generally used with something else -- either as part of an access management system or part of a VPN connection through a firewall, and so on.

In the scenario described above, encryption is used as a standalone control by itself, such as for disk encryption or a laptop. In that case, the strength of the control is only as good as the strength of the encryption.

But if a malicious attacker stole a user or root account, the issue isn't necessarily related to whether encryption is as good as the organization's access control policies. The issue could be related to any number of things, such as network security architecture, configuration of access controls or even weak firewall rules.

Encryption has to be looked at as part of an organization's entire IT security program and not by itself, or compared with other controls.

More information:

This was last published in April 2008

Dig Deeper on Database Security Management-Enterprise Data Protection

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.