Dark Reading is part of the Informa Tech Division of Informa PLC


Endpoint

Sol Cates
FAQ: Understanding The True Price of Encryption

In the wake of recent events like Heartbleed, the search for cost-effective, easy, and scalable encryption solutions has never been more important.

I'm sure many of you have had mixed experiences with encryption techniques, architectures, and implementations. Heartbleed and the Dual_EC_DRBG scandal drove home how important it is to get encryption right -- and how costly it is to fix an implementation that turns out to be weak, wanting, or compromised.

In those circumstances, the ability to patch or migrate your solution and rekey your data quickly is imperative. Sadly, encryption is often deployed because a mandate requires it rather than as a funded security initiative, and it turns out to be far more expensive than expected. If your organization -- like many others -- is looking for ways to make encryption cost-effective, easy, and scalable, the answers to the following frequently asked questions may point you in the right direction.

What should I encrypt? There are three key questions to answer. What data needs protecting? (Often you will find that your data protection requirements grow over time.) What form is the data in -- unstructured files, databases, logs, etc.? And where is the data located -- in a datacenter, on a mobile device, in the cloud, or at a remote site?

How should I encrypt? Answering those three questions typically produces a matrix of requirements and, along with it, a complex web of potential approaches to meeting them. For example, an organization may be required to encrypt data held by a number of different applications. The options available differ per application, so you can end up running several different solutions to satisfy a single requirement.

What about the keys? Some encryption options are native to a platform, yet they lack a key (no pun intended) requirement -- key management -- that most encryption deployments need in order to be compliant. We have found that, while encrypting data is often easy, good key management is what organizations struggle with most. If you encrypt data with a key and then leave that key alongside the data, weakly protected, you might as well not have encrypted it at all: whoever copies the data copies the key.
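To make the last two points concrete (keeping the key away from the data, and being able to rekey quickly), here is an added example written for this page; it is not the author's code and not any vendor's product. It shows envelope encryption in Go using only the standard library: each record gets its own data-encryption key (DEK), the DEK is stored only in wrapped form, sealed under a key-encryption key (KEK) that a stand-in key manager never releases, and rekeying after a suspected KEK compromise means rewrapping a few dozen bytes per record rather than re-encrypting the data. The in-memory KeyManager is an assumed substitute for an HSM or KMS, and the sample record text is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // crypto/rand failing is unrecoverable
	}
	return b
}

func gcmFor(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // every key here is 32 bytes, i.e. AES-256
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// seal returns nonce || ciphertext || tag under a fresh random nonce.
func seal(key, plaintext, aad []byte) []byte {
	gcm := gcmFor(key)
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal and fails on a wrong key, a modified blob or a wrong aad.
func open(key, blob, aad []byte) ([]byte, error) {
	gcm := gcmFor(key)
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// EncryptedRecord is what lands on disk: the DEK appears only wrapped, so a copied disk or database dump is useless without the KEK.
type EncryptedRecord struct {
	KEKID      string
	WrappedDEK []byte
	Ciphertext []byte
}

// KeyManager stands in for an HSM/KMS (an assumption of this example): it holds every KEK version, never releases one, and only wraps or unwraps DEKs.
type KeyManager struct {
	current string
	keks    map[string][]byte
}

// Rotate adds a new KEK version and makes it current; older versions stay so records wrapped under them can be opened until they are rewrapped.
func (km *KeyManager) Rotate() {
	km.current = fmt.Sprintf("kek-v%d", len(km.keks)+1)
	km.keks[km.current] = randBytes(32)
}

// Wrap seals a DEK under the current KEK, binding the KEK id as AAD.
func (km *KeyManager) Wrap(dek []byte) (string, []byte) {
	return km.current, seal(km.keks[km.current], dek, []byte(km.current))
}
func (km *KeyManager) Unwrap(kekID string, wrapped []byte) ([]byte, error) {
	kek, ok := km.keks[kekID]
	if !ok {
		return nil, fmt.Errorf("unknown KEK %q", kekID)
	}
	return open(kek, wrapped, []byte(kekID))
}

// Encrypt uses a fresh DEK per record and stores only its wrapped form.
func Encrypt(km *KeyManager, plaintext []byte) *EncryptedRecord {
	dek := randBytes(32)
	id, wrapped := km.Wrap(dek)
	return &EncryptedRecord{KEKID: id, WrappedDEK: wrapped, Ciphertext: seal(dek, plaintext, nil)}
}
func Decrypt(km *KeyManager, rec *EncryptedRecord) ([]byte, error) {
	dek, err := km.Unwrap(rec.KEKID, rec.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, rec.Ciphertext, nil)
}

// Rewrap moves a record to the current KEK: only the small wrapped DEK changes, the bulk ciphertext is untouched, which is what makes a quick rekey affordable.
func Rewrap(km *KeyManager, rec *EncryptedRecord) error {
	dek, err := km.Unwrap(rec.KEKID, rec.WrappedDEK)
	if err == nil {
		rec.KEKID, rec.WrappedDEK = km.Wrap(dek)
	}
	return err
}
func main() {
	km := &KeyManager{keks: map[string][]byte{}}
	km.Rotate()
	rec := Encrypt(km, []byte("constructed sample record")) // constructed input
	km.Rotate() // suspected KEK compromise: rotate and rewrap, no bulk re-encryption
	fmt.Println(Rewrap(km, rec), rec.KEKID)
}
```

Two checks for a real deployment follow directly from this structure: the stored record must never contain the unwrapped DEK, and every KEK version still referenced by some record has to remain available to the key manager until that record has been rewrapped. Binding the KEK id as GCM associated data also means a wrapped DEK cannot be silently relabelled to a different key version.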

What risk are you removing? Encryption is often thought of as the ultimate weapon for protecting data, but in practice many implementations fall short. Data has no defenses of its own; it relies on the defenses of the environment it lives in, so be precise about which threat a given control addresses. A self-encrypting disk removes the risk of a physically stolen or lost drive, and nothing more: once the disk is unlocked, every privileged user and process on the host reads plaintext. If those users and processes are part of your threat model, confirm that the encryption you deploy actually removes that risk rather than assuming it does.

Will it be cost-effective? The implementation and maintenance costs of encryption across multiple environments, use cases, and applications add up quickly. It is not just the cost of licenses but the cost of operationalizing them. Ask yourself: Do I have to change application code? Do I need support for multiple operating systems? Do I need a separate key management solution?

Many Fortune 500 companies face issues with databases and file servers that require encryption because of regulatory requirements from the Monetary Authority of Singapore (MAS), the country's central bank and financial regulator. One chief security architect realized that it would cost approximately $2.4 million in licensing and more than 24 months of work to integrate encryption into just one custom application. Not surprisingly, once he did the math he found this unappealing.

What's the bottom line? Look for encryption platforms with a lower total cost of ownership: ones that offer several ways to encrypt your data without forcing you to change application code or the way you run your business. That makes the budget easier to obtain and gives you a secure way of doing business instead of a patchwork of one-off solutions.

Sol Cates is the Chief Security Officer at Vormetric. As CSO, he ensures that Vormetric's internal security profile remains robust, while maintaining a strong pulse on technical and business decision-making processes. Cates partners with teams throughout the company and the ...

Ulf Mattsson
User Rank: Moderator
4/29/2014 | 8:44:59 AM
Re: Cost effective is not enough to win the war
Thank you. I think that file encryption with proper key management can protect media (OS files and backups) but not the data flow (which is now increasingly under attack).
Marilyn Cohodas
User Rank: Strategist
4/29/2014 | 8:38:52 AM
Re: Cost effective is not enough to win the war
Thanks for your thoughtful comment, Ulf, and also for raising the issue of data security and big data in the context of encryption, cloud computing and the recently released Verizon DBIR. That's a lot to think about! To your point:

I think that file encryption will not stop the bad guys. The bad guys are no longer attacking stored data. The bad guys are now attacking the data flow, including data in memory. My view is that we now need to secure the data flow, including data in memory. The bad guys are no longer attacking stored data.

If file encryption "won't stop the bad guys," in the era of cloud and big data, what is its proper role?

Ulf Mattsson
User Rank: Moderator
4/26/2014 | 10:28:49 AM
Cost effective is not enough to win the war
The good news is that Verizon's "2014 Data Breach Investigations Report" is now available for download.

The bad news, as Wade Baker, principal author of the Data Breach Investigations Report (DBIR) series, says, is that: "After analyzing 10 years of data, we realize most organizations cannot keep up with cybercrime – and the bad guys are winning."

My view is that we are now more concerned about attackers that are targeting our data flow, including data in memory, since the DBIR reported that "RAM scrapers" went from a low #17 in 2012 and shot up the charts to a very concerning #4 spot in 2013.

My view is that we are now less concerned about attackers that are targeting our stored data, since the DBIR reported that "Capture stored data" went from #4 in 2012 to a less concerning #9 spot in 2013 and "Privilege abuse" went from #14 in 2012 to a less concerning #17 spot in 2013.

I think that file encryption will not stop the bad guys. The bad guys are no longer attacking stored data. The bad guys are now attacking the data flow, including data in memory.

My view is that we now need to secure the data flow, including data in memory. The bad guys are no longer attacking stored data.

An important point is that the addition of coarse-grained volume or file encryption will only solve one problem, protecting data at rest, but considering that one of the primary goals is using the data, one might suggest that it provides little in the grand scheme of data security. Sensitive data in use for analytics, traveling between nodes, sent to other systems, or even just being viewed is subject to full exposure.

What they're seeking is advanced functionality equal to the task of balancing security and regulatory compliance with data insights and data utility. This balance is critical for Big Data and Cloud platforms.

Emerging Big Data and Cloud platforms are presenting new use cases that require data insight for analytics; the high performance and scalability of Big Data platforms cannot be achieved by old security approaches. New security approaches are required since Big Data is based on a new and different architecture.

Big Data is introducing a new approach to collecting data by allowing unstructured data to be blindly collected. In many cases we do not even know about all sensitive and regulated data fields that are contained in these large data feeds. Analysis of the content is often deferred to a later point in the process, to a stage when we are starting to use the data for analytics. Then it is too late to go back and try to apply data security and compliance to regulations.

My view is that we now need to secure the data flow. The bad guys are no longer attacking stored data in files.

Ulf Mattsson, CTO Protegrity
User Rank: Ninja
4/22/2014 | 10:33:00 AM
I'm surprised there are still software companies that actively utilize encryption schemes such as the Blowfish cipher. Even with a 448-bit key it is still considered weak.

It's a poor choice of performance over security.

User Rank: Ninja
4/22/2014 | 8:10:36 AM
Re: Key management must be part of the picture
this is an excellent post

those who have been following the "hacking" problem for a while will have probably realized that a failure to authenticate is a big part of the problem -- possibly the biggest part.

the commercial sector keeps trying to provide authentication for us. the Certificate Authorities' provision of the SSL, TLS, and X.509 certificate system is the prime example.

still, attackers have broken through -- Comodo and DigiNotar being examples.

my take on this problem is that they have allowed the "attack surface" to become large. those familiar with Phil Zimmermann's original work will note that participation is required -- to maintain a proper trust model for PGP keys and/or X.509 certificates -- which rely on public key encryption.

the resolution here may be to assign only marginal trust to the current method; each user should generate a key pair for his/her system -- and then validate and countersign those certificates which require full trust.

examples of certificates needing full trust: credit union, online banking, online shopping, IRS reports -- where there's money there will be scammers.

another thing noted in Phil Zimmermann's original work: you must work from a secure O/S. think about this. what are you using? what sort of reputation does it have? is anything better available?

security is something you do, not something you get.
Charlie Babcock
User Rank: Ninja
4/21/2014 | 9:13:31 PM
Key management must be part of the picture
The key point here is, encryption alone is not good protection, even though to many users it is foolproof. On the contrary, encryption key management is what makes the process of encrypting work.
User Rank: Author
4/21/2014 | 4:15:37 PM
Re: Rethinking encryption
I think one of the biggest things to focus on in the wake of Heartbleed is vendor management... I had over 20 vendors affected by the Heartbleed bug, and had to focus our efforts on ensuring each vendor was responding quickly with a solution or effective workarounds.

As with any software or hardware, there will be bugs. It's the detection of, and reaction to, them that is critical to get right.
Marilyn Cohodas
User Rank: Strategist
4/21/2014 | 3:09:46 PM
Rethinking encryption
Thanks for a good overview on the ROI of encryption, Sol. In light of Heartbleed, what -- if any -- specific changes in corporate security would you recommend with respect to encryption?