Thursday, August 27, 2009

Moveable Data and Encryption
by Gerald Trites, FCA

There has been a great deal of emphasis in recent years on the idea that data moves around systems. At one time, many years ago, data was fixed in one place, usually on disks in a glass house, but since the advent of networks in the 1980s, this has changed substantially. More recently, change has taken place again, with the growth of portable handheld units, like the BlackBerry and smartphones. These new portable devices are extremely powerful and can handle a lot of data. Also, there has been a trend toward wireless networks, so data is literally flying through the air.

When data is on the move, the security issues become much more difficult to manage. In other words, it becomes much more difficult to prevent hackers from grabbing the data, literally from out of the air. Also, even common laptops have presented a risk of data loss, since they are so portable and can easily be forgotten or stolen. Stories abound in the press of these kinds of data loss events.

All this means that encryption has become a central method of protecting data. Companies that do not have an encryption policy that focuses on moving data are putting themselves at risk. The risk is not only one of losing sensitive information to competitors; there is also a risk of losing private information about their customers or employees, which puts the company at risk of legal action.

So encryption is a necessity. But simple encryption is not enough. Much research goes into finding methods to break encryption codes. People have always been challenged by the activity of breaking codes, since the earliest times in history. Many argue that the code breakers at Bletchley Park during the Second World War essentially made victory possible because of their success in breaking German codes. By inference, it then follows that the Germans lost the war because of inadequate data security. Much is at stake with good data security.

Wi-Fi Protected Access (WPA), the encryption used for wireless networks, is a good example of encryption that does not do the job. It has been broken several times, most recently by a group of Japanese academics. That means that the WPA system is not adequate for high security. Companies need to use at least WPA2 in order to be secure.

Encryption policy is a must in a modern company. The policy must not only cover data on the move; it must also deal with the question of the adequacy of the encryption methods available and what level of security is needed in the company.
