I phoned a security professional friend the other day to discuss e-mail encryption implementation and she brought up an interesting question. The new Massachusetts data privacy law (aka CMR 201 17) requires that:
So here are a few scenarios in question:
As I understand it, less than 10% of all e-mail is encrypted today at organizations with e-mail encryption deployed. If scenario #1 is true, then e-mail encryption must become an e-mail staple as a high percentage of internal e-mail messages must be encrypted. If scenario #2 is true, then e-mail encryption gateway solutions don’t meet compliance requirements. This means new deployments of e-mail encryption clients and potentially CAs, PKI, revocation lists, digital certificates, etc.
I don’t know whether either scenario is true so I’d appreciate reader comments and opinions. Thanks.
Tags: email, encryption, MA CMR 201 17
Today, Symantec announced that it is acquiring two encryption companies: GuardianEdge and PGP. Some will see this as a late counter-punch to Check Point’s acquisition of PointSec, McAfee’s acquisition of SafeBoot, and Sophos’s acquisition of Utimaco. In other words, Symantec is finally getting in the full-disk encryption game, primarily on laptops.
Wrong interpretation. Symantec does get endpoint encryption technology, but there is a lot more here than meets the eye. In my humble opinion, Symantec also gets:
In the next few years, large organizations will realize that encryption technologies have become ubiquitous across the enterprise with no central management. This could be a real problem for data restoration, especially in a disaster recovery situation. At that point, they will look for partners to bring order, processes, and central control to this chaos. As of today, Symantec is extremely well positioned for this burgeoning–and extremely critical–market opportunity.
Tags: Check Point, Chosen Security, encryption, GuardianEdge, IEEE, KMIP, McAfee, PGP, PKI, Symantec
A few years ago, I boldly predicted that PC encryption would go through a technical transition. My instincts told me that software-based encryption from companies like PGP, McAfee (SafeBoot), and Check Point Software (PointSec) would be usurped by laptops and desktops with standards-based (i.e., TCG standards) Self-Encrypting Drives (SEDs).
This seemed like a “no-brainer” based upon industry history. For years new Intel chips would include new functionality, as did each Windows release. If encryption came as a standard feature on Seagate, Hitachi, Fujitsu, and Western Digital drives, it was logical that this would become the default configuration. Besides, SEDs are faster and more secure than software, so regulatory compliance activity was sure to add fuel to the SEDs fire.
Fast forward to 2010 and I readily admit that my timing was off. Check Point, McAfee, PGP, and others continue to sell tons of software encryption licenses while few have adopted self-encrypting drive-based systems. Why?
So does all this mean that SEDs are dead? Not at all. In fact there may be a SEDs renaissance any time now. The reason is simple. Some software-based encryption doesn’t protect data if PCs are in “sleep” or “hibernate” mode. Given the start-up time of Windows, many users take full advantage of sleep/hibernate modes, so this is a serious hole. Combine this with the fact that many organizations provide users with administrator access to their PCs and you’ve got a real problem — you can’t claim that a lost or stolen PC was actually protected if this loophole — and user behavior — exists.
Since SEDs overcome this issue, lawyers, auditors, and compliance officers may demand that new PCs come with self-encrypting drives onboard. Sounds extreme, but security-oriented purchasing behavior is already pretty pervasive.
From a security perspective, SEDs are a great option. Combine this with regulatory and litigation pressure and they may gain momentum after all. Software vendors, take note: you may be dragged into supporting SEDs sooner than you think.
Tags: Dell, encryption, Laptop, PC, Self-encrypting drives
CA entered the key management market this week, joining others such as HP, IBM, EMC/RSA, PGP, and Thales. CA’s announcement was relatively quiet, but it is still significant because:
With its focus on the mainframe, CA didn’t get much attention with this announcement, but large enterprises — especially in financial services, defense, law enforcement, and intelligence — will recognize the value here right away.
In the meantime, this announcement also helps the rest of us who care about the confidentiality, integrity, and availability of our data.
Tags: CA, encryption, key management, KMIP, mainframe, Oasis, System z