Encryption: An “unapproachable” subject?
In a recent SearchMidmarketSecurity.com article, contributor Mike Chapple says, "Unfortunately, many security practitioners don't fully understand encryption due to the technology's ill-deserved reputation as the unapproachable domain of mathematicians and cryptographers." Do you agree?

And what encryption task do you find most challenging: Securing websites? Encrypting email? Protecting laptop data? Implementing VPNs?



ASKED: February 15, 2010  8:34 PM
UPDATED: May 1, 2010  9:17 AM

Answer Wiki:
Depends on what level of understanding is required. There is definitely the scientific level that is mentioned in this question, but there is also understanding the risks, management and application of encryption. Often the risks, management and application of encryption can be more challenging than the scientific and algorithm development. That is because these topics involve multiple parties, such as the user interface and the management of an encryption system. That would be the user and IT... and then don't forget the accountants who want you to justify the costs of any particular encryption system. Managing a secure connection to a website using SSL certificates is one thing, but managing endpoint encryption on mobile devices is entirely different. Key management, encryption standards, and user interaction are all elements no matter the purpose of encryption.
Last Wiki Answer Submitted:  February 15, 2010  9:13 pm  by  Labnuke99   32,645 pts.
All Answer Wiki Contributors:  Labnuke99   32,645 pts.


Discuss This Question:
I would like to add that there are a number of hardware devices that only exist to encrypt communications. As these devices become smaller and more integrated into more customary items, it would not be far-fetched that an individual could update their encryption key on a monthly basis much as you would a password.

For this reason I would say that websites are the most difficult, as so much information can be intercepted in transport and users can be so quickly fooled.

When it comes to laptops or other personal computing devices, these could be encrypted by the user who would only need to know how to install the software and manage their key. A VPN could be maintained separate from public view and encrypted through dedicated hardware.

 2,325 pts.

 

I recently wrote about this for SearchCompliance.com – encryption is indeed the great security control that nobody’s using.

I find the most challenging part is getting management on board…Many people fear encryption because of the bad reputation it’s had in the past. The encryption vendors have – by and large – solved this problem…it’s time to move on and just do it. The government’s all but forcing it on businesses anyway via HITECH, state breach notification laws, etc.

 10,840 pts.

 

As far as I know, the following are important issues/topics to bear in mind and which probably concern infosec guys when considering encryption methods:

* End-to-end security – what's the point in encryption if the cleartext is exposed somewhere in the lifecycle of the data

* Encryption standards – some older techs such as the original DES can be defeated in a relatively short time period

* Key Management – managing a KDC or millions of keys in an asymmetric implementation is something to think about, but for both implementations its weakness is still down to the key!!!!!

 35 pts.
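Key management, which two of the replies above raise (rotating a user's key monthly in the first, "its weakness is still down to the key" in the third), is usually the hard part in practice. The Go program below is an added example, not code from this thread or from any product it mentions: a minimal versioned key ring in which every ciphertext carries the ID of the key that sealed it, so a key can be rotated, existing data re-wrapped under the new key, and the old key retired without losing access to anything in between. AES-256-GCM from the standard library is used, with the key ID and a caller-supplied context string bound as associated data so a ciphertext cannot be silently moved to another key or another record. The type and method names (KeyRing, Seal, Open, Rewrap, Retire) and the sample plaintext and context strings are assumptions constructed for this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyRing holds versioned AES-256 keys. The newest key ID is used for
// sealing; older keys are kept only so ciphertexts produced before a
// rotation can still be opened and re-wrapped. (Illustrative type, not
// from the original thread.)
type KeyRing struct {
	current byte
	keys    map[byte][]byte
}

// NewKeyRing creates a ring and generates its first key (ID 1).
func NewKeyRing() (*KeyRing, error) {
	kr := &KeyRing{keys: map[byte][]byte{}}
	if err := kr.Rotate(); err != nil {
		return nil, err
	}
	return kr, nil
}

// Rotate generates a fresh random 256-bit key and makes it current.
func (kr *KeyRing) Rotate() error {
	if kr.current == 255 {
		return errors.New("key ring exhausted: only 255 key IDs in this toy format")
	}
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	kr.current++
	kr.keys[kr.current] = key
	return nil
}

// Retire deletes an old key; the current key can never be retired.
func (kr *KeyRing) Retire(id byte) error {
	if id == kr.current {
		return errors.New("cannot retire the current key")
	}
	delete(kr.keys, id)
	return nil
}

func (kr *KeyRing) aead(id byte) (cipher.AEAD, error) {
	key, ok := kr.keys[id]
	if !ok {
		return nil, fmt.Errorf("unknown or retired key id %d", id)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal produces keyID || nonce || ciphertext+tag under the current key.
// The key ID and the caller's context (e.g. a record identifier) are
// authenticated as associated data but not encrypted.
func (kr *KeyRing) Seal(plaintext, context []byte) ([]byte, error) {
	gcm, err := kr.aead(kr.current)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	aad := append([]byte{kr.current}, context...)
	out := append([]byte{kr.current}, nonce...)
	return gcm.Seal(out, nonce, plaintext, aad), nil
}

// Open looks up the key named in the blob header and verifies the tag
// against the same key ID and context that were bound at sealing time.
func (kr *KeyRing) Open(blob, context []byte) ([]byte, error) {
	if len(blob) < 1 {
		return nil, errors.New("blob too short")
	}
	id := blob[0]
	gcm, err := kr.aead(id)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < 1+ns+gcm.Overhead() {
		return nil, errors.New("blob too short")
	}
	aad := append([]byte{id}, context...)
	return gcm.Open(nil, blob[1:1+ns], blob[1+ns:], aad)
}

// Rewrap re-encrypts an existing blob under the current key, the step a
// rotation job runs before an old key is retired.
func (kr *KeyRing) Rewrap(blob, context []byte) ([]byte, error) {
	pt, err := kr.Open(blob, context)
	if err != nil {
		return nil, err
	}
	return kr.Seal(pt, context)
}

func main() {
	kr, _ := NewKeyRing()
	ctx := []byte("record:42") // constructed sample context
	old, _ := kr.Seal([]byte("card number 4111..."), ctx)
	_ = kr.Rotate()
	renewed, _ := kr.Rewrap(old, ctx)
	_ = kr.Retire(1)
	_, err := kr.Open(old, ctx)
	fmt.Println("old blob after retire:", err)
	pt, _ := kr.Open(renewed, ctx)
	fmt.Println("renewed blob:", string(pt))
}
```

The point of the key-ID header is that rotation becomes an operational routine rather than a flag day: new writes go to the new key immediately, a background job re-wraps older records, and only when nothing references the old ID is it retired. Retiring a key before re-wrapping is complete is the classic way to lose data, which is why Retire is a separate, explicit step here.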

 

Encrypting email is no easy task. The problem is that even if you can get an encryption package set up on your end, you still have to depend on your recipient to get the software configured properly on their end. If they are technical people, this might be possible. However, for non-technical people, forgetaboutit!

Encrypting hard drives and websites is not difficult.

 45 pts.