
March 15, 2007

Where's my data gone?

Petrus

Data loss/breach/leakage has been on my radar again this week. I met encryption specialist PGP – which stands for 'Pretty Good Privacy', not ones to blow their own trumpet, as you can see – and worked on a couple of vendor research-type stories which highlight the problems IT managers are facing with lost and stolen corporate information. The trick is to find a way of ensuring only the right people send the right data out of your organisation, and if stuff gets lost on removable devices or laptops, making sure it's going to be useless to whoever finds it.

There is a reasonably simple answer to all of this – encryption – but it's still primarily the concern of early adopters only, according to the analysts. I get the impression a lot of firms think that encryption equals PKIs, laboured implementation and management headaches, although the truth is somewhat simpler: Seagate has even started manufacturing hard disks with encryption capabilities baked in. And the stakes are pretty high these days for data breaches, as each reputation-diminishing headline proves.

PGP is an unusual company in that it began life selling solutions to enable human rights organisations to communicate safely via email, according to the press blurb, and founder Phil Zimmermann is certainly a passionate advocate of civil liberties. He told us how the original technology was designed with hacking threats from enemy governments in mind… all very Cold War, Harry Palmer stuff if you ask me. But they soon realised that the evolving business landscape and the changing nature of threats provided a natural fit for encryption solutions.

We also had a good old rant about ID cards and the potential infringement of civil liberties that could occur if more efficient ways to log, control and police the population are found. "People are always talking about making things more efficient," said Zimmermann. "But if the job of the police is made really easy then basically you've got a police state. Things would be 'more efficient' if the police had total access to all your information all the time." Which is a fair point, as was another that was made – that any ID card system set up today could be abused by the government of tomorrow, or next week, or next century.

There was also a bit of a debate about the need for encryption on VoIP traffic. As the world gradually switches over to Voice over IP networks, the threat becomes more obvious – the criminals have an excellent opportunity to hack in and create havoc leveraging information gleaned from conversations. Blackmail, extortion, ID theft, the list goes on…but there is a solution.

Comments

It is a concern to me that encryption is still seen as a technology for early adopters, but with the lack of clear legislation demanding businesses protect their stored data it is unfortunately not a surprise. It is important we take the responsibility as an industry to educate businesses and consumers on the need to prioritise the security of data stored, not just through headlines like Nationwide losing customer data but also through the education of preventative methods to stop incidents like this happening. Adding to the lack of encryption adoption is the confusion in the market from the sheer number of encryption methods available; big server companies like IBM and SUN now offer embedded tape encryption, which opens up issues, such as how to manage proprietary solutions and multiple, disparate keys in organisations with heterogeneous storage environments. And so the need for education continues.

© Incisive Media Ltd. 2009