by Dave Gradijan

InfoWorld: Unlocking Encryption Management

Dec 20, 2007 | 7 mins

Someday, encryption features built into a wide range of IT products — from operating systems and messaging gateways to hard drives and storage systems — may work in concert to offer central policy enforcement across different types of network assets and devices.

Until that day arrives, however, companies embracing the tools have become dependent on standalone encryption platforms to give them distributed control and policy enforcement across their IT systems.

Long known as much for their complexity and demand for hands-on care and feeding as they have been valued for their protective qualities, encryption platforms are finally finding their way into a number of large businesses.

This growth in adoption has been driven by the proliferation of data protection regulations and by the availability of products that address the hardest elements of encryption technology — policy enforcement and key management, industry watchers contend.

“The performing of the encryption itself is something that generally belongs close to whatever type of data you are trying to encrypt, whether that is e-mail, network traffic, or a database, but companies are buying into technologies today that allow them to do centralized policy enforcement and key management,” said Paul Stamp, analyst with Forrester Research.

“It’s great in theory to say that all of this activity needs to happen in the infrastructure components themselves,” he said. “But that’s not a reality yet in terms of allowing for centralized management, so customers are turning to these platforms in the meantime.”

End users agree that encryption has long been a security process they wanted to implement but couldn’t stomach because of its complexity.

The arrival of more usable encryption technology over the last few years has helped eliminate some of the traditional roadblocks, according to some corporate users.

“From my previous experience with e-mail encryption, I had two major concerns with using the tools: Key management and any dependence on the end-user to make the systems work right,” said Michael Gabriel, corporate information security officer for Career Education Corporation (CEC), a higher-education provider that operates more than 75 colleges, schools, and universities.

“I haven’t ever seen an encryption project where management wasn’t a major sticking point, that has been the history of the technology, but it seems that the vendors are finally getting it right,” Gabriel said. “Compared to mapping the business process, putting the technology in place was a breeze. The only real sticking point was getting the data flow.”

CEC is using encryption tools made by PGP in cooperation with its data leakage prevention and e-mail filtering systems to protect sensitive information being passed among its employees.

Gabriel said that PGP’s embedded key management capabilities may be the most valuable aspect of the system — a feature that simply didn’t exist in the past.

Other PGP users echoed those sentiments, saying that encryption tools have advanced significantly over the past several years in terms of eliminating the management headaches that have made it challenging to deploy the systems on a wider basis.

At American National Insurance Company, IT leaders said that the financial services company had been considering broader use of encryption for several years before the combination of more streamlined technologies and increasing pressure in the form of compliance regulations encouraged the firm to dive in.

Today, the company is using PGP tools to both obscure sensitive e-mails and provide whole disk encryption to protect data stored on its desktop and laptop computers.

“We’d been looking at encryption closely since at least 2005, driven largely by the laws and compliance regulations that were being passed; we needed better e-mail security because we realized after sampling that we had a problem, and knew that we wanted to better protect sensitive information on our computers,” said Ken Juneau, assistant vice president of Information Technology Services at ANICO.

“The e-mail product simply sits in the mail flow, and any outbound messages that need to be, get encrypted,” he said. “Key management was simply the biggest differentiator. The system has almost no overhead in terms of administration; if a key needs to be created, the system handles it, and most end-users never know that the e-mail is being encrypted, which is ideal.”

With the PGP whole-disk encryption system ANICO is using, Juneau said that key management and the ability to automatically create end-user credential recovery tokens have also proven as easy to use as the insurance company had hoped.

Inside smaller organizations, the need for encryption platforms that allow for simplified installation and management has been even more acute, as the realities of smaller IT staffs make it even harder to deal with any widespread usability issues, experts said.

Jason Parks, information systems analyst for Northern California’s Butte County Department of Information Systems, said that deploying encryption several years ago was not an option for the government body before it found tools made by vendor Voltage Security that adequately address those issues.

“The tools have gotten a lot better, which allowed us to move forward with our plans,” Parks said.

“We didn’t want to do a bunch of certificate management, and we wanted an easy end-user experience as well. Using the system we have in place, we don’t have to give a lot of complex instructions to the users,” he said. “We have a limited amount of full-time IT staff in the county, so we couldn’t do this until we found something that addressed all the traditional issues with encryption management.”

Over the course of the two years that Butte County has been working with Voltage’s e-mail encryption platform, the IT specialist said that the product has become even more refined and less intrusive to end-users.

“It’s great to see that the encryption vendors are making progress,” said Parks. “Encryption is something that a lot of smaller organizations like us need that was not a realistic proposition in the not-too-distant past.”

Even the vendors themselves admit that encryption tools have changed dramatically in the last several years, allowing end-users to benefit from the protection that the technology can provide without creating massive headaches related to installation and maintenance.

“We’ve been trying hard as an industry to find ways to make encryption work better for customers. The issues with this technology have never been related to the level of protection but are more about cost and complexity of the tools,” said David Thompson, director of product management at Voltage. “We’re trying to change the cost and usability model, and it seems like the time has come when encryption has truly become more feasible for larger numbers of organizations.”

Phillip Dunkelberger, chief executive of PGP, said that the key to the encryption industry’s continued growth and success will be based on its ability to create tools that allow organizations to protect their data without getting in the way of end-users simply trying to do their jobs.

The ability for companies like PGP to continue to make their systems easier to use and maintain will lie at the heart of that progress, he said.

“IT operations are being asked to do more with less. They have smaller budgets for new technologies, greater needs to use information for issues of competitive advantage, and yet they’re dealing with huge issues of risks and security threats,” Dunkelberger said.

“The security industry has done itself a disservice by selling [fear, uncertainty and doubt], but we’re much better served by looking harder at trying to help lower the cost of ownership and management for these products that address data protection,” he said. “How we can do this without adding complexity will be the key to our growth in the future.”

By Matt Hines, InfoWorld (US)