Encryption Made Easier

Just about everybody inside and outside of IT believes that sensitive data should be encrypted, wherever it is stored. Yet, too many enterprises and IT departments don't -- as we see in headlines every week. How many stories have you read about lost or stolen tapes and drives that were not encrypted or hard drives and MP3 players bought on Ebay that contained personal or confidential business information? Groups of vendors are collaborating to make it easier to use and manage encryption. Will that change the bad habits of IT departments?

Most of the world's major hard drive makers and an industry standards group have rolled out specifications for full-disk encryption and encryption key management apps for all types of storage devices that are designed to make it easier to use encryption to protect your important data. The idea is that more companies will use encryption if it is baked into the hardware.

The effort was spearheaded by the Trusted Computing Group and backed by vendors such as Fujitsu, Hitachi GST, IBM, LSI, Seagate Technology, Samsung, Toshiba, Wave Systems, and Western Digital. It is meant to cover a wide range of storage, from consumer products and PCs to drives used in large storage arrays. The specs cover storage interface interactions, which cover storage connections and interface specifications; detailed requirements for fixed storage media in PCs and notebooks; and drives in data centers.

A related but independent effort has been launched by a group of vendors to simplify the implementation and management of encryption technology across large enterprises. Vendors such as Brocade, HP, IBM, LSI, RSA, Seagate, and Thales (formerly nCipher) have created the Key Management Interoperability Protocol, which aims to supply a single protocol for communication between enterprise key management services and encryption systems. They plan to submit the protocol to industry groups for adoption as an industry standard.

Together, these efforts may help to eliminate some of the excuses that many in IT put forth as their reasons for not using encryption: It is too complicated; there are too many different encryption methods and products; it will be too hard to recovery the encrypted data; approaches for managing the encryption keys vary with each product; it hurts performance, etc.For those reasons and others, many -- if not the majority of -- companies don't use encryption. But that is going to change as more states pass laws with severe fines for the exposure of personal data. Some, such as Nevada and Massachusetts, are mandating full disk encryption on laptops that contain consumer data. That means more companies will start using encryption despite reservations.

There is a good chance these new industry efforts and specifications will help ease the adoption and use of encryption technology. The specs are new and will probably be revised and improved as more IT managers weigh in on their features and functions. That's a good thing, and should only improve what appears to be a good start in making encryption easier to use and manage. Will this change your attitude toward encryption?