Apr 19 2007
By Ira Winkler
I was just reading how the IRS lost 500 laptops that likely contain sensitive information. In response, they want all laptops to be encrypted. I am actually very much in favor of that.
Unfortunately though, the encryption is made out to be a magical cure for lost laptops, and it is not. While encryption can make compromising the data exponentially more difficult, that is only the case when the encryption is properly implemented. It also assumes that the data isn’t accessed via an application that automatically decrypts the data to provide it to the user.
I have seen several cases where encryption keys have been taped to the laptops. More frequently, the passcodes are trivial. Again, encryption, when properly implemented, can stop a major compromise of information and significantly decrease risk. But just decreeing the use of encryption, without providing guidance on proper implementation and, most importantly, enforcing a strong implementation, will render the encryption useless.
Posted by Ira.Winkler on Thursday, April 19th, 2007, at 3:31 am, and filed under Articles.







Arthur | 19-Apr-07 at 5:13 am | Permalink
"Unfortunately though, the encryption is made out to be a magical cure for lost laptops, and it is not."
But it is a magical cure for having to announce that you have lost 500 laptops, and really, isn’t that what this is all about? Getting egg off their faces and not actual security.
Larry J. Hughes, Jr. | 22-Apr-07 at 12:32 pm | Permalink
Another thing that worries me - those with oversight are likely to monitor results with the 1040 approach: If you checked line 42, continue to line 43. If not, then encrypt all your laptops and return to line 42.