Encryption not the key to data security

CIO Jury: People and processes more important

By Andy McCue, 7 December 2007 14:00

Policies, processes and a "corporate ethos" of care of data are more important in securing sensitive information than using encryption technology.

Encryption has been back in the spotlight following the HM Revenue & Customs data breach that led to two CDs containing unencrypted records of 25 million people on the child benefit database getting lost in the post.

But two-thirds of silicon.com's 12-strong CIO Jury IT user panel said technologies such as encryption need to be part of a more holistic approach to security that includes training for staff and strict enforcement of policies.

Nic Evans, European IT director for Key Equipment Finance, said: "More important is a corporate ethos of care of such data."

Encryption on its own can give a false sense of security, according to Florentin Albu, ICT manager for the European Organisation for the Exploitation of Meteorological Satellites (EUMETSAT).

He said: "However, when used in the context of an information management/information security framework, it can become an effective way to mitigate certain corporate data risks. Even so, it would be just one piece of the jigsaw - you need to combine it with other technologies (authentication, authorisation, etc) and information management practices (data classification, data handling, etc) in order to become effective."

Even with encryption technology there are weaknesses that could lead to data being compromised. Steve Clarke, director of systems and operations, AOL Broadband, said: "Encrypted data still needs to be viewed, which means it must be unencrypted - giving rise to opportunities to store the data without its encryption. By implementing policy, processes, appropriate training and rigorous enforcement our data stands a chance of remaining secure, but encryption alone is not the panacea."

James Findlay, head of ICT for the Maritime & Coastguard Agency, said: "Encryption only forms part of the solution. Organisations must have robust policies and processes in place to ensure the integrity of both data and systems."

Another survey by security company CheckPoint found just under half of IT chiefs have deployed encryption within their organisations.

But those in favour of greater use of encryption to secure data include Graham Yellowley, director of technology services for investment bank Mitsubishi UFJ Securities International.

He said: "This is a minimum requirement for securing any data, whether this be for internal or external dissemination. Encryption strength needs to be considered with at least 256 bit key encryption for real security."

Richard Steel, CIO for the London Borough of Newham, added encryption should be used "where the data must be mobile and combined with two-factor authenticated access".

Today's CIO Jury was…

Florentin Albu, ICT manager, EUMETSAT
Alastair Behenna, CIO, Harvey Nash
Mike Buck, architecture manager, Yorkshire Water
Steve Clarke, director of systems and operations, AOL Broadband
Nic Evans, European IT director for Key Equipment Finance
James Findlay, head of ICT for the Maritime & Coastguard Agency
Neil Harvey, head of ICT, Food Standards Agency
Jane Kimberlin, IT director for Domino's Pizza Group
Jacques Rene, CTO, Ascend
Richard Steel, CIO, London Borough of Newham
Richard Storey, head of IT, Guy's and St Thomas' NHS Foundation Trust
Graham Yellowley, director of technology services, Mitsubishi UFJ Securities International

Comments

There are 7 comments.

  1. Andy Lankester

    I agree with almost all of the article but encryption can at least stop accidental or deliberate theft/loss of sensitive data in transit which seems to be a major problem for the UK government.

  2. James Robertson

    This title 'Encryption not the key to data security' is a bit misleading, you simply can't compare technology with policies and procedures like this.

    I like to think of technology, policies and procedures being complementary like the components which make up a mobile phone.

  3. Graham Coles

    If the data is encrypted, you can control access to it through policies which dictate which people in the hierarchy can get a hold of the keys.

    Without encryption you are relying solely on policies telling people what they can or can't do but not preventing them from doing it.

    Would the junior at HMRC have had access to the key to view the records in the database? Maybe, but would he have been allowed to export the entire database in the clear? No.

    Encryption can be used to enforce policies. Had the software only allowed data to be exported in encrypted form, would we have had 25 million records floating around readable by anyone? No.

    I would say encryption therefore IS the key to data security where it is properly used and can enforce the policies laid down for the data access.

  4. Sarah

    Obviously encryption will help.

    However, I think the heart of the problem is to do with the lack of 'due care and attention' by the people involved. People need to understand that this data is as valuable as cash and they should look after it as if it were THEIR cash.

    Until everyone understands this, these kinds of incidents will continue to occur. No amount of correct policies and procedures will actually stop this happening; it will just ensure that the correct way is documented.

  5. paul m

    Excellent title!

  6. Peter Gilford

    Encryption is a tool not a strategy. You wouldn't say that "a hammer is a table" - it is one of a set of tools that can be used to construct a table. In the same way encryption can be used to achieve the desired objective of securing data. Furthermore, the finished product depends mostly on the skill (or otherwise) of the craftsman.

  7. Meths Cebrian Ferrer

    Encryption provides confidentiality and integrity but it doesn't provide availability, authentication and non-repudiation.

    Yes, encryption is not the key but it is part of the overall control towards in-depth Data Security!
