|
(Don't) Just Encrypt It
Ben Halpert / October 2007
Mobile Enterprise
Welcome to Law Number Three in our four-part series titled Ben's Laws of Mobile Data Security. Law Number Three addresses the tactical realities organizations face when ensuring that sensitive information is protected.
What do I mean by tactical realities? If the media is reporting on a laptop theft that leads to the compromise, or potential compromise, of millions of individuals' identities, other organizations want to ensure that they are not tomorrow's leading story. As a result, these organizations may require point solutions, such as laptop encryption. However, point solutions will only shift the target.
While encrypting data on a laptop is a
|
great idea, does it really solve the problem? One organization, that will remain nameless, exemplifies why point solutions may not work as initially intended. In 2006, this organization was subject to a laptop theft in which millions of records containing personal information were stored in an un-secure manner. In 2007, the same organization, at a different location, experienced a theft of an external hard drive. That unprotected drive also contained the personal information of millions of individuals. That same group underwent an audit, and it has been recently disclosed that thousands of its I.T. devices are unaccounted for that may contain personal information.
These events are unfortunate, to say the least, for both the organization and the affected individuals. And, of course, such potential compromises are not
isolated to this one organization.
If an organization takes a tactical
|
approach to responding to incidents that could lead to a potential information compromise (laptop theft leads to encrypted laptops, external drive theft leads to encrypted external drives, etc.) then point solutions will get implemented. However, once you have a solution that protects the laptop hard drive, one that protects removable media, one that protects PDAs and smartphones, one that protects backup media, one that protects......You get my point. What you end up with is an unmanageable menagerie of solutions that cannot be integrated. The administrative and user impact of point solutions will become overly burdensome.
So what is the solution? Check back next month to find out!
|