The encryption challenge

The encryption challenge

IT managers know the movies get it wrong. A teenager with a laptop cannot crack multiple layers of encryption -- unless that laptop is connected to a supercomputer somewhere and the teenager can afford to wait a few billion years.

Encryption works. It works so well that even the government gets stymied, as demonstrated by the lengths to which the FBI went to access an iPhone used by one of the San Bernardino, Calif., shooters.

So in the face of ever more damaging stories about data breaches, why aren’t all government agencies encrypting everything, everywhere, all the time?

Encryption can be costly and time consuming. It can also be sabotaged by users and difficult to integrate with legacy applications.

Furthermore, according to a recent 451 Research survey of senior security executives, government agencies seem to be fighting the previous war. Instead of protecting data from hackers who’ve already gotten in, they’re still focusing on keeping the bad guys out of their systems.

Among U.S. government respondents, the top category for increased spending in the next 12 months was network defenses -- at 53 percent. By comparison, spending for data-at-rest defenses such as encryption ranked dead last, with just 37 percent planning to increase their spending.

Part of the reason for those figures is that government agencies overestimate the benefits of perimeter defenses. Sixty percent said network defenses were “very” effective, a higher percentage than any other category, while government respondents ranked data-at-rest defenses as less effective than respondents in any other category.

There was a time when that attitude made sense. “Organizations used to say that they wouldn’t encrypt data in their data centers because they’re behind solid walls and require a to get in,” said Steve Pate, chief architect at security firm HyTrust.

That attitude, however, runs counter to the modern reality that there is no longer a perimeter to protect. Every organization uses third-party service providers, offers mobile access or connects to the web -- or a combination of all three.

A security audit at the Office of Personnel Management, for example, showed that use of multifactor authentication, such as the government’s own personal identity verification card readers, was not required for remote access to OPM applications. That made it easy for an attacker with a stolen login and password to bypass all perimeter defenses and directly log into the OPM systems.

An over-reliance on perimeter defenses also means that government agencies pay less attention to where their important data is stored than they should.

According to the 451 Research survey, government respondents were among those with the lowest confidence in the security of their sensitive data’s location. Although 50 percent of financial-sector respondents expressed confidence, only 37 percent of government respondents could say the same.

In fact, only 16 percent of all respondents cited “lack of perceived need” as a barrier to adopting data security, but 31 percent -- or almost twice as many -- government respondents did so.

Earlier this year, the Ponemon Institute released a report showing that 33 percent of government agencies use encryption extensively, compared to 41 percent of companies in general and far behind the financial sector at 56 percent. In that survey of more than 5,000 technology experts, 16 percent of agency respondents said they had no encryption strategy.

On a positive note, the public sector has been making headway. Last year, for example, only 25 percent of government respondents to the Ponemon survey said they were using encryption extensively.

“This is showing heightened interest in data protection,” said Peter Galvin, vice president of strategy at Thales e-Security, which sponsored the Ponemon report. High-profile data breaches have drawn public attention to the issue, he added.


How Apple makes encryption easy and invisible

Do you know how many times a day you unlock your iPhone? Every time you do, you’re participating in Apple’s user-friendly encryption scheme. Friday, the company hosted a security “deep dive” at which it shared some interesting numbers about its security measures and philosophy as well as user habits. To be honest, we’re less concerned ...

Apple and FBI to testify before Congress next week over encryption

Over the past few days, Apple has made it abundantly clear that it will not comply with the FBI’s demand that it write a new piece of software to help bypass built-in iPhone security measures. On the contrary, Apple has said that it wants the FBI to withdraw all of its demands while adding that ...

The Netherlands will not weaken encryption for security purposes

The Dutch government believes that confidence in secure communication and storage data is essential for the development of the Dutch economy. The Netherlands will not follow the trend of weakening encryption for security purposes, according to a statement by the Dutch Minister of Security and Justice. In contrast, with the United Kingdom where the Investigatory ...

In The Debate Over Strong Encryption, Security And Liberty Must Win

When Sen. Chuck Grassley (R-Iowa) gaveled a Senate Judiciary Committee hearing into session on Wednesday, he called it the "start" of a conversation about privacy, security and encryption. Frankly, it was just the latest forum for a much older discussion. While it may have been the beginning of a long day on Capitol Hill for FBI ...