Tom Petrocelli's take on technology. Tom is the author of the book "Data Protection and Information Lifecycle Management" and a natural technology curmudgeon. This blog represents only my own views and not those of my employer, Enterprise Strategy Group. Frankly, mine are more amusing.

Monday, April 10, 2006

Encrypt Everything!

Encryption is the encoding of information in such a way that it is useless to anyone who is not meant to read it. It renders plain text impossible to read. This is a very good thing if:

  • You have sensitive information you don't want anyone to see. Some examples might be contracts, design drawings, new product information, or bookmarks of web sites that your wife would not approve of.

  • You really believe that someone might be able to see this sensitive information.

  • It is even remotely possible that anyone who could see your sensitive information would care enough to look at it.

In all seriousness, there is a lot of information floating around that is not for public consumption. Let's be honest, most of us have a list of passwords around. Those who say they don't either use only one password for everything (dangerous!) or are lying. One of the things I find highly amusing is when companies have extravagant document control processes in place and don't bother to encrypt said documents when they sit on someone's hard drive. So much for watching your assets...

Encryption is an interesting way to secure information. It does nothing to keep the bad folks from getting to your data. Instead, it makes the data unviewable and unusable. It is no longer worth the hacker's time or energy to try and get at something important. Why go through the effort when you can't read the file? Even if the hacker is lame enough to take something, they can't see it or use it so it doesn't matter. In fact, while some idiot hacker is spending time looking at data that they can't use, your network security wizards are tracking the fool down and reporting him to the FBI. Ha ha ha! You can tell, I don't have a lot of respect for hackers but that's another subject.

It is imperative that mobile devices use encryption. It's just too easy for someone to lose a flash drive or CD. If you are transporting confidential information, encryption is a must. This is especially true for backup tapes. If I have to read one more report of backup tapes being lost and data not encrypted, I'll scream. How many times do we have to get hit in the head before we decide to wear a helmet? Many times apparently.

Every time another company reports losing unencrypted backup tapes it makes us all look like idiots. Earth to IT. Come in please. Encryption is a cheap (or free) feature and a checkbox in the software. If your backups are too slow for encryption then they are too slow period and you need to rethink your backup strategy. It's criminal not to use encryption.

The same is true for desktop files. There are lots of good solutions for encrypting files, either individually or through an encrypted drive. Encrypted drives are the easiest. The software creates a file, makes it look like a disk drive and - voila - encrypts anything sent to it. It is so easy that even your average end-user can figure out how to use it. Of course, you usually need to remember a password. Oooohhhh my gawd! How hard is that?

Many of the solutions are pretty inexpensive too. One software package that I like is TrueCrypt. It works great and it's free open source software. That's right friends - Free! It even comes in Windows and Linux flavors. You mount a file, partition, or entire device (like a flash drive hint-hint) and everything is encrypted. Safe. As in "no worries".

So, there are no more excuses left. Either encrypt or be made the fool. And let's be honest, who wants to have to say to the CEO "Um, sir. About those backup tapes..."
