Encryption's Hard Truths

IRVINE, Calif. -- Data Protection Summit -- Encryption is no cure-all for enterprises' data security woes, warned Gordon Hughes, associate director of the Center for Magnetic Recording Research (CMRR) at the University of California San Diego, during a keynote here yesterday.

A recent report from the Ponemon Institute revealed that about two thirds of large U.S. businesses currently have some sort of encryption strategy in place, although Hughes told users not to get carried away with the hype: "Data encryption is not a panacea." (See Encryption Set to Go Mainstream.)

Hughes, who tests ATA and SCSI drives for the National Security Agency, instead urged users to think about the effect of encryption on storage virtualization, data de-duplication, and compression. "If you leave the data encrypted everywhere, it defeats all these functions," he said, echoing CIOs' recent concerns about encrypting virtual data. (See Tales From the Virtual Crypt, What's the Key to Excellent Encryption?, and Vendors Push Virtual Security.)

De-duplication, which is set to be one of this year's hottest storage technologies, also poses some real challenges when it comes to key management. (See Users Look Ahead to 2007, Dealing With De-Dupe Doubts , and New Wave of CDP Rolls In.) "If every user has the same data encrypted with different keys, you're not going to be able to detect the duplicate data."

Hughes also talked about the lack of encryption standards, urging users not to get too excited about short-term results from industry bodies like the Trusted Computing Group. (See Red Tape Trips Up Security.) "It's a great idea, but it's not going to happen instantaneously," said Hughes, highlighting the challenge of getting so many different vendors to work together. "I don't think it's going to happen for several years."