
Crypto is no magic bullet for data protection

Cybereye

By William Jackson

Piling on unending layers of static security can be costly and burdensome, Art Coviello told an audience of federal administrators recently. Too much cryptography can be overkill.

This was a surprising statement coming from the president of the RSA Security division of EMC, a name almost synonymous with encryption. But Coviello wasn’t dissing encryption. He was continuing a message he has been delivering this year on the need for a holistic rather than product-based approach to security. The caveat against relying too heavily on encryption was a common theme at the symposium where he spoke.

A panel of federal speakers addressed the guidelines from the Office of Management and Budget on protecting personal data. OMB recently gave agencies a September deadline to have policies in place for responding to data breaches and notifying those whose information might have been exposed. Last year, it issued requirements for protecting personally identifiable information, which required, among other things, encrypting it on mobile or portable devices.

But, “the problem with encryption is that if not managed properly it becomes one of your greatest vulnerabilities,” said Mischel Kwon, the Justice Department’s chief IT security technologist.

Cryptography can provide excellent security, but as with all security, it has limits and trade-offs. Poor key management makes cryptography vulnerable, and any sense of security it provides could prove false. Proper key management with strong cryptography can be burdensome, creating administrative overhead and incentives for users to get around it. Kwon said any policy needs to be practical where it touches technology.

Tim Grance, manager of systems and network security at the National Institute of Standards and Technology, the agency responsible for turning policies into practice, echoed this point of view.

“We can’t suspend common sense and just encrypt the hell out of everything,” he said.

And they are right. I am a fan of encryption, especially when it comes to my personal data that someone else is carrying around. I do not want that data exposed when the laptop is left in a taxi, the USB drive is left plugged into a computer's port or some thug steals the iPhone. But if good cryptographic security is burdensome, what is the answer?
