Wednesday, June 28, 2006

Encryption: Am I missing something?

Today, I came across Deni Connor's blog entry Bush catches onto data security, which mentions that the Office of Management and Budget (OMB) issued security guidelines (PDF version). As with everyone else in the media, it seems OMB is also recommending encryption for data-at-rest as a way of securing data.

Six months ago, I also posed a question to Hu Yoshida at HDS (See Waiting for my Marriott Letter) about his comfort level with lost data being encrypted versus unencrypted. He responded:
My vote would be for encrypted and not lost. But since it is lost, it would make me feel more comfortable if the data were encrypted. (See More Comfortable, encrypted and lost?)
I am sure most IT people have some awareness of the technical issues with encrypting data-at-rest, such as key management and encrypt/decrypt performance. I am not a cryptography expert, and my concern is very simple and non-technical:
Can anyone assure me that current encryption level used for data-at-rest will not be cracked in the future?
I prefer immediate feedback to delayed gratification, so I would rather see the impact of my personal data loss immediately instead of five or seven years down the road. At least if my data is compromised tomorrow and proper disclosures are made, I know where and how my data was lost, who is responsible, and what corrective actions are needed to prevent further misuse.

But if the same data is compromised five years later, I have no information on the source of the compromised data, and no recourse or leverage with the organizations responsible for it. Most organizations may not even accept legal responsibility, claiming that they offered credit monitoring for a limited period in return for the individual waiving any future claims.
With encryption of data-at-rest, are we trading peace of mind today for getting screwed tomorrow?
With current disclosure practices and the lack of fraud detection methods, I feel that encryption is going to create an underground "futures" market for trading lost data.


  1. I never thought of it as you put it. This is definitely a topic that needs more discussion. Sadly, I could see using encryption as a way of executives getting off the hook for being responsible for exposing information.

    "Oh, the loss of that disk was an unfortunate incident. We will take steps...yadda yadda to prevent it from happening again. Our customers can be assured that it is encrypted and the customer data on it is completely safe".

    Meanwhile, said executives leave the company a year or two later, before the data is eventually decrypted and used.

  2. Drew,

    Agree with your comments. I wonder what kind of liabilities a hospital will have if a patient dies because a previously encrypted CT scan couldn't be accessed due to the unavailability of the encryption key.

    IMO, encryption is being used as a technical solution to something that requires a process solution.

    What do you see as potential pitfalls of encryption in your environment?


  3. With some basic understanding of encryption, these types of questions (although valid) can be tempered.

    First: Humans are only human. Accidents will happen, meaning backup tapes will fall off the backs of trucks. No amount of process can keep accidents from happening. As such, I'd rather encrypt any data I have to protect against this type of thing happening.

    Most people who come across backup tapes, or lost laptops don't care much about the information on them. If the data is encrypted, most people will give up trying.

    Second: With 128-bit encryption, it would take about 0.25 septillion years to break the encryption key using current hardware. Many vendors are moving towards 256-bit or more encryption. This is exponentially harder than its current predecessor. I don't think 5 years is even close to a reasonable estimate of how long an average attack would take.

    128-bit encryption offers 10^128 different combinations. Try the math.

    The key is to purchase a solution from a trusted security vendor like Entrust. Their key management is used globally in critical applications for governments, health care and large financial institutions. Microsoft is developing better management into their PKI, but the clear leader is still Entrust.

    The question "Can anyone assure me that current encryption level used for data-at-rest will not be cracked in the future?" is an easy one. No. Ask any security expert, and they will tell you security has a shelf life, and constantly needs improvement.

    I don't have any problems with companies not having to publish losses if the data is encrypted. Security companies increase the security in their software well before it has to be. Data encrypted with 128-bit encryption would probably take about 40 years to break with the right hardware. You will begin to see a shift towards 256-bit encryption that pushes the possibility into the hundreds of thousands of years. By the time technology evolves so this number is reduced to 40 - companies will already be on 512 or 1024 bit keys.
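As an added illustration of the key-length arithmetic discussed in the comment above (these are not the commenter's own figures): a constructed model that counts the key space as 2^k, assumes a key-search rate of 10^12 keys per second today, and assumes hardware that doubles in speed every 18 months with no cryptanalytic shortcut, to estimate how long a given key size stays out of reach of exhaustive search.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def key_space(key_bits: int) -> int:
    """Number of possible keys for a k-bit key: 2^k."""
    return 1 << key_bits


def brute_force_years(key_bits: int, keys_per_second: float) -> float:
    """Years to try every key at a fixed rate (expected time is half of this)."""
    return key_space(key_bits) / keys_per_second / SECONDS_PER_YEAR


def years_until_feasible(key_bits: int, keys_per_second: float,
                         doubling_months: float = 18.0,
                         budget_years: float = 1.0) -> float:
    """Years until hardware that doubles every doubling_months could search the
    whole key space within budget_years, starting from today's rate.
    The starting rate and doubling period are constructed assumptions."""
    needed_speedup = brute_force_years(key_bits, keys_per_second) / budget_years
    if needed_speedup <= 1:
        return 0.0  # already feasible with today's hardware
    doublings = math.ceil(math.log2(needed_speedup))
    return doublings * doubling_months / 12


def shelf_life_table(rate: float = 1e12, bits=(56, 128, 256)) -> dict:
    """Compare key sizes: full-search time today and years until a 1-year search."""
    return {b: {"years_now": brute_force_years(b, rate),
                "years_until_1yr_search": years_until_feasible(b, rate)}
            for b in bits}


if __name__ == "__main__":
    for b, row in shelf_life_table().items():
        print(f"{b:3d}-bit: {row['years_now']:.3g} years today, "
              f"feasible in {row['years_until_1yr_search']:.0f} years")
```

Note that doubling the key length from 128 to 256 bits multiplies the search effort by 2^128, not by two, which is why the 256-bit row is so far beyond any plausible hardware growth.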