On the surface, encryption has always seemed a no-brainer. Why expose confidential information to prying eyes when you could protect it by scrambling it? But even though encryption technologies have been widely available for more than 10 years, they have been slow to catch on.
Things are starting to change, however. A succession of high-profile, high-pain mishaps -- including stolen laptops, lost tapes and litigation associated with data breaches -- has seized the attention of management, and not just IT management. Meanwhile, hardware and software vendors have whittled away at the traditional objections to encryption, including performance penalties and the difficulty of managing keys.
Now, companies that have a great deal of sensitive data are beginning to move beyond the tactical point products they might have used years ago to high-level encryption "platforms" that provide services to applications, databases and networks companywide.
"We are deploying an architecture that will give us the ability to manage encryption seamlessly across multiple operating systems and multiple back-end systems and encrypt anything we deem sensitive," says Harvey Ewing, senior director of IT security at Accor North America. The encrypted data could be personally identifiable information, such as names, addresses, Social Security numbers or telephone numbers, or it could be medical or financial data that is subject to government regulations.
Accor, a Texas-based manager of economy lodging chains, including Red Roof Inn and Motel 6, uses Key Manager from RSA Security Inc. to centrally manage the encryption keys of its 1,300 properties. The product allows different applications to share encrypted data without the need for each one to have its own keys. "The key management server is the nerve centre of all our encryption processes, and it takes the management of individual keys out of the picture," Ewing says.
Accor has short-circuited one of the major problems in encryption. Managing keys can be complex and risky, and it has been a major impediment to the broad rollout of cryptography. The difficulty arises because encryption comes into organizations "organically, not strategically," says Jon Oltsik, an analyst at Enterprise Strategy Group Inc. in Milford, Mass. "It's the piece that many people will get wrong over the next two to three years."
Oltsik predicts that hard drives, tape drives, new versions of database software and the like will eventually include encryption functions, and companies will bring them in one at a time. "Next thing you know, you've got five key management systems and all kinds of complexities," he says. "The biggest risk now is disaster recovery; either you'll have to recover five different key management systems to get a business process up or you'll do a good job of backing up four of them but lose the keys on the fifth and tank the whole process."
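The central key-server pattern Ewing describes, and the key-loss failure Oltsik warns about, as an added example in Go (not code from the article, from Accor or from RSA Key Manager): applications reference keys by id from one manager and store only that id beside the ciphertext, so any application can read another's data, and removing a key from the store makes that data unrecoverable. The key ids ("pii/v1") and the sample record are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// KeyManager models a central key server: applications name keys by id and
// never hold key material, so any app that can name a key can use it.
type KeyManager struct {
	keys map[string]cipher.AEAD // key id -> AES-256-GCM instance
}
func NewKeyManager() *KeyManager { return &KeyManager{keys: map[string]cipher.AEAD{}} }
// CreateKey generates a fresh random 256-bit key under the given id.
func (km *KeyManager) CreateKey(id string) error {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return err
	}
	block, err := aes.NewCipher(raw)
	if err != nil {
		return err
	}
	km.keys[id], err = cipher.NewGCM(block)
	return err
}

// Encrypt returns nonce||ciphertext, binding the key id as associated data.
func (km *KeyManager) Encrypt(id string, plaintext []byte) ([]byte, error) {
	g, ok := km.keys[id]
	if !ok {
		return nil, errors.New("key not found: " + id)
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, []byte(id)), nil
}
// Decrypt fails if the key id is gone from the store (the disaster-recovery
// case: no backup of the key manager, no data) or if the ciphertext was altered.
func (km *KeyManager) Decrypt(id string, data []byte) ([]byte, error) {
	g, ok := km.keys[id]
	if !ok || len(data) < g.NonceSize() {
		return nil, errors.New("key missing or ciphertext malformed: " + id)
	}
	return g.Open(nil, data[:g.NonceSize()], data[g.NonceSize():], []byte(id))
}
```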
IT security manager Marc Massar says his company, which he asked not to be named, processes more than half of all card transactions around the world. He says the company has for many years protected its transactions with narrowly focused products that do specific things like encrypting the personal identification number in an ATM transaction. These products are geared toward protecting "data in motion," Massar says.
There are several ways to encrypt data in motion; options include Secure Sockets Layer (SSL) for the Internet and the IPsec standard for "tunneling" -- establishing a secure tunnel in an otherwise nonsecure network. "These kinds of products are fairly well established, and they paved the way for e-commerce several years ago, especially SSL," Massar says. "Nobody would question the need to encrypt a credit card number across the Internet anymore."