Network Computing is part of the Informa Tech Division of Informa PLC


Analysis: Enterprise Key Management: Page 4 of 16

Let's examine the problem from the bottom up.

Drivers for encryption fall into three general buckets: intangibles, laws and standards. Intangibles include maintaining a good brand reputation and honoring privacy policies and customer trust. Just 7 percent of respondents to the Ponemon study cited ensuring that privacy commitments are honored as a top reason to encrypt sensitive or confidential data. Self-preservation in the form of protecting brand or reputation fared better, at 40 percent.

Laws--especially mandated disclosure laws--intersect with intangibles. In the almost four years since California enacted Senate Bill No. 1386, 30 additional states have pushed through similar legislation stating that organizations must notify residents whose unencrypted personal information may have been disclosed as a result of a security breach ... emphasis on the loophole. Federal regulations like Gramm-Leach-Bliley, HIPAA and Sarbanes-Oxley are perceived as recommending or requiring encryption.

Security vendors don't hesitate to use these regs, along with e-discovery scare tactics, to sell product; we discuss these drivers further in "Prescription for Encryption," below. But one mandate that few can afford to be noncompliant with is the Payment Card Industry Data Security Standard. PCI DSS is set by the PCI Security Standards Council, which represents American Express, Discover, MasterCard, Visa and international credit issuer JCB.

PCI DSS 1.1, which became the standard for all credit-card processors on Jan. 1, mandates encryption before cardholder data is transmitted across public networks. Details go beyond that one broad imperative--the standard is explicit and covers many other situations where encryption may be required to limit data access.