Monday, 15 June 2009

Not on crack

No sooner do I start up on the old blog again than Mike pitches in and pushes me off my training wheels. Thanks Uncle Mike. No, I'm not really being a whining limey/pom bastard or whatever you call us these days. But Mike, you aren't in the UK, and, with respect, you are the one on crack.

The only people doing any projects at all at the moment are government departments. They have all been handed down mandates to encrypt their data. Every financial institution in the country has suddenly realised that they are incredibly vulnerable. The world is a different place. The UK doesn't always follow the US, not when the drivers are different.

[By the way, the reason I've been 'away' for 9 months is because I was on a top secret assignment inside one of these institutions. You think everyone's got data security sewn up already? Not by a long chalk.]

Oh, and as to your "it's too damn hard and costs too much money" - maybe if you're still in 1995. I've been in the encryption game for coming up to 10 years now, and the market is more buoyant than ever, despite the fact that money is being cut elsewhere.

Come forward to the 21st century, and we don't have to use PKI any more. We don't even have to know much about keys unless we're installing. PGP didn't become the standard for encrypting email by accident, my old mate. Cheap, usable and really so simple that even a Senior Vice President could install it. :)

Friday, 12 June 2009

Is encryption finally going to have its day?

I think so, for a number of reasons:

The Government is handing down mandates.
After a number of high profile incidents, including an MoD laptop left on a train, the rules are being tightened across government departments. Despite the NHS being told that they have to strip budgets back to the bare minimum, they are still being told that encryption of sensitive information is a priority. This is nothing short of amazing for encryption.

Networks are maturing to the point where encryption really makes a difference.
Five years ago encryption didn't really make any difference. If you encrypted information, you felt safe, but anyone gaining access to your systems (normally an insider with a legitimate user account anyway) could take the information along with the keys. So all you were encrypting was the infiltrator's route to your valuable data. These days networks have intrusion detection, application firewalls, database protection, security policies that actually make sense (OK, not ALL networks!). In this situation, encryption really is valuable and not just a feel-good factor.
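The point above, modelled as an added example that is not part of the original post: a host that keeps its key next to the encrypted data hands both to anyone with read access, whereas a key held by a separate, audited component leaves that same account with ciphertext only, and every decrypt becomes an attributable event a detection rule can watch. The cipher is a stand-in (an HMAC-SHA256 keystream XORed over the data, chosen so the script runs on the standard library alone; it is not a cipher to deploy), and `KeyService` is a hypothetical stand-in for an HSM or key-management service; both are assumptions for the demonstration.

```python
"""Key placement, not key length, decides what an insider with host access gets.

Added example, not from the original post. The cipher below is a stand-in for a
real AEAD such as AES-GCM so that only the Python standard library is needed.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from datetime import datetime, timezone


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; demonstration only."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Symmetric: the same call decrypts. A nonce must never be reused with a key."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


# --- the "encrypt and feel safe" deployment: key file beside the data -----------

def store_with_local_key(plaintext: bytes) -> dict:
    """Models a host that encrypts a file and keeps the key on the same filesystem."""
    key = os.urandom(32)
    nonce = os.urandom(16)
    return {"ciphertext": xor_encrypt(key, nonce, plaintext), "nonce": nonce, "key": key}


def insider_recover(host_files: dict) -> bytes | None:
    """An account with read access collects whatever is on the host.
    Returns the plaintext when the key was co-located, otherwise None."""
    if "key" not in host_files:
        return None
    return xor_encrypt(host_files["key"], host_files["nonce"], host_files["ciphertext"])


# --- key held by a separate, audited component ----------------------------------

class KeyService:
    """Hypothetical stand-in for an HSM or key-management service: the data host
    never sees the key, and each use is attributed to a principal and recorded."""

    def __init__(self) -> None:
        self._dek = os.urandom(32)
        self.audit: list[dict] = []

    def _log(self, op: str, principal: str) -> None:
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                           "op": op, "principal": principal})

    def encrypt(self, plaintext: bytes, principal: str) -> tuple[bytes, bytes]:
        nonce = os.urandom(16)
        self._log("encrypt", principal)
        return nonce, xor_encrypt(self._dek, nonce, plaintext)

    def decrypt(self, nonce: bytes, ciphertext: bytes, principal: str) -> bytes:
        self._log("decrypt", principal)
        return xor_encrypt(self._dek, nonce, ciphertext)


def store_with_key_service(svc: KeyService, plaintext: bytes, principal: str) -> dict:
    """The host keeps ciphertext and nonce only; the key stays with the service."""
    nonce, ct = svc.encrypt(plaintext, principal)
    return {"ciphertext": ct, "nonce": nonce}


def decrypts_by(svc: KeyService, principal: str) -> list[dict]:
    """What a detection rule looks at: who asked the key service to decrypt."""
    return [e for e in svc.audit if e["op"] == "decrypt" and e["principal"] == principal]


if __name__ == "__main__":
    record = b"constructed sample: account 12345678, sort code 12-34-56"

    local = store_with_local_key(record)
    print("key beside data, insider recovers:", insider_recover(local))

    svc = KeyService()
    remote = store_with_key_service(svc, record, "app-server")
    print("key in service, insider recovers:", insider_recover(remote))

    # The insider can still ask the service, but now the request is on the record.
    svc.decrypt(remote["nonce"], remote["ciphertext"], "insider")
    print("decrypts attributed to 'insider':", decrypts_by(svc, "insider"))
```

The audit list is the part worth copying: once the key lives outside the data host, a decrypt by an account that never decrypts in normal operation is a single log line to alert on, which is exactly the kind of signal the intrusion detection and database protection mentioned above can act on.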

Regulatory bodies are catching up with the meaning of encryption.
Leading on from the previous point: as the networks catch up, possibly because of the regulations they have to comply with in many cases, the regulatory bodies are also coming to understand the ramifications of what they previously mandated. Where PCI made sure that people were securing their networks, many have also noted that encrypting huge databases of information is often impractical. Fine for the big retailers, but for level 4 merchants to use the same kit is frankly preposterous. A more pragmatic approach has allowed people to achieve compliance without meaningless application of rules, letting the security catch up first before the compliance drowned it out.

So all things are converging towards encryption being a) required by law, b) required for compliance, and c) actually very useful. Maybe later I'll explain the choice of product I'm backing.

Thursday, 11 June 2009

De facto

Always good to pad out a post with a bit of Wikipedia:
De facto is a Latin expression that means 'concerning fact'. In law, it is meant to mean 'in practice but not necessarily ordained by law' or 'in practice or actuality, but without being officially established'.

Basically, it's stuff which happens because people want it to happen like that, and they vote by doing. It is often said that RSA SecurID is the 'de facto' standard for two-factor authentication, and I would concur that there is really very little competition. Cisco is the de facto standard for switches and routers, Microsoft for Operating Systems, Google for search engines and so on.

I've worked with encryption for a loooong time now (yep, 4 'o's worth), and whereas RSA BSafe is de facto for browsers, there hasn't really been anything you would call widely accepted as 'the way forwards in encryption'. I should know, I've worked for most of them at one time or another, and none of them has been able to gain the market share or trust they want.

But, without me noticing, and that's often the way, there was always someone there in the shadows, waiting quietly, lurking in my emails, and on bulletin boards, in forums and in applications. Using exactly the same principles of key exchange as SSL - the only other real 'standard' in encryption (ok, "key exchange", you pedant) techniques - PGP have actually been there for years.

So much so that the UK government have just announced that they are using PGP for their whole disk encryption, and email. That's a pretty big deal when pretty much every government department has been told to encrypt everything from now on, or else. More on this later... for now I have more reading to do on PGP. As the bandwagon rolls into town, I'm jumping on to see if I can't ride it through.

Surely THIS TIME encryption's going to be the next big thing??