Saturday, 3 May 2008

Encryption does what?

A couple of weeks ago, after I wrote a piece about data security, a friend of mine wrote to me to say he had chosen 'none of the above' for the question 'why do we encrypt'. My answer was 'to keep data secret'. His argument was that encryption was actually only preventing physical theft.

I think this is a bit of marketing spin, and not really looking at it from a pure security viewpoint. The fact that my friend was a very successful SE, and is now Engineering Director for a software company, may confirm this. Let me explain. Of course encryption deters physical theft, if it is known about. So without splitting too many hairs, let's assume my friend meant that it prevents access to the data after it has physically been taken. In that case the physical theft has neither been prevented nor deterred, so the encryption has given no benefit on that front. So what are we left with? Well, the data is still secret of course.

OK, now let me assume that company X has bought encryption and is now boasting about it in the newspapers. Data thief Y, external to the company and with no knowledge of its systems, thinks twice before stealing from company X, and steals from company Z instead, as there are easier pickings. Great marketing of encryption. But what happens when encryption becomes a commodity, as it surely must if current storage trends continue? Assume all valuable data is encrypted: what is then the best way to crack that encrypted data?

Well, personally I'd steal the physical device and take it home, get my botnet to search out a few thousand PCs for extra computing power and set them to work on breaking the algorithm. So, does encryption really deter physical theft?

Once again the successful crackers are going to be internal people, who already have access to the data. You still need to make sure your physical controls and policies are strong, even when you have all of this put to rights.
