Encrypting Data
by Stephanie Jordan
More than a decade ago, two researchers from Carnegie Mellon University published a study called Why Johnny Can't Encrypt. In this study it was "discovered" that the average, educated, email-proficient user did not know how to use encryption technology. A follow-on study several years ago, entitled Why Johnny Still Can't Encrypt, found little improvement. If a similar study were to happen today, a different conclusion might be drawn.
"Historically the encryption challenge was one of deployment and for a time performance," concedes John Dasher, director of product management for PGP. "In the last few years, however, we have reached the point that if it was wanted, you could encrypt everything because it no longer is a burden. It is transparent to the end-user." Dasher thinks that in the long term encryption might end up the rule rather than the exception. "Today people focus on sound policy on what needs to be encrypted to satisfy everything from their own internal IT policy to compliance and regulation. But eventually, we will absolutely be encrypting the majority of data."
Dasher is not alone in his predictions. Luther Martin, security architect for Voltage Security and author of Introduction to Identity-Based Encryption, notes, "In the past, the big obstacle was that encryption was hard and expensive, but this is no longer true. Our Identity-Based Encryption (IBE) in particular is very easy to use." Martin goes on to give an example of Voltage Security Network (VSN), a security as software service, that enables users to securely communicate while storing secure emails in their own inbox, and communicating with anyone without the need for recipient-side software. "We are at a point now with encryption that it just works. Users can simply hit send secure. It's like magic now. If you go back in time three or four years, it was very complicated." The VSN service has been very successful for Voltage. Announced just earlier this year, the company says 35,000 users signed up in the first six months.
While significant improvements in usability have been made, Taher Elgamal, chief technology officer for Tumbleweed, emphasizes that encryption does not necessarily mean your need for security has been fully satisfied. "Encryption is not a silver bullet. Encryption basically shifts the problem from the data to the encryption key. So that rather than having to protect the whole message, you only have to protect a smaller key. If you forget to protect the smaller key, then you have not really done anything. The improvement is a lot of the systems commercially available today handle the key appropriately, so that people cannot accidentally leak the key."
Overall, encryption technology vendors today are excited by the improvements being made. "We've seen the market transition from the complexity and limited reach of public key-based to new approaches, which greatly simplify the user experience," says Kevin Kennedy, product manager for IronPort Systems. "We're now in the midst of another technology transition – more subtle, but just as important – from Web-based pull to clientless push. This is critical because it eliminates sender requirements to manage complex Webmail infrastructures and allows a re-integration with recipient workflow rather than returning to a server to view messages."
Kennedy also believes, in terms of overall usability, the technology is in a much better place now than five years ago. "We can now send a message to anyone, knowing nothing about their endpoint, and be confident that they can open and view that message on their system with a few clicks and without installing anything. Additionally, integrated product offerings and hosted key management services like the Cisco Registered Envelope Service have cut the time and cost for deployment and eliminated the need for complicated onsite key servers. That's a remarkable accomplishment!" exclaims Kennedy.
"Key management has historically been the hardest part about encryption," acknowledges Dasher. He notes an example of a company that has purchased a security system, and everything works well, until they need to communicate with a business partner, but they cannot open the secure messages. "What PGP has done is to make that transparent. There are a number of ways to address that scenario: the partner can have their own copy of PGP solution, or they can use our Web Messenger, which allows them to get a message via the Web, so that they do not have to install anything on their machine." In late November, PGP announced Secure Delivery, PDF Messenger, which securely delivers encrypted PDFs that can be opened using a standard PDF reader such as Adobe Acrobat Reader. "There is a range of options to account for the inevitable case where you want to securely communicate with someone that does not have your security infrastructure. People want to securely communicate without having to install something," states Dasher.