Sol Cates
FAQ: Understanding The True Price of Encryption

In the wake of recent events like Heartbleed, the search for cost-effective, easy, and scalable encryption solutions has never been more important.

I'm sure many of you have had mixed experiences with encryption techniques, architectures, and implementations that, in the wake of Heartbleed and the Dual_EC_DRBG scandal, point out the importance of getting encryption right -- and the costs of fixing problems when an implementation is weak, wanting, or compromised.

In those circumstances, the ability to patch or migrate your solution and rekey your data quickly is imperative. But, sadly, the reasons for encrypting data are often mandated, not part of a funded security initiative, and much more expensive than expected. If your organization -- like many others -- is searching for ways to make encryption cost-effective, easy, and scalable, the answers to this list of frequently asked questions may point you in the right direction.

What should I encrypt? There are three key questions to answer. What data needs protecting? (Often you will find that your data protection requirements grow over time.) What form is the data in (unstructured files, databases, logs, etc.)? And where is the data located: in a datacenter, on a mobile device, in the cloud, or at a remote location?

How should I encrypt? Organizations will typically come up with a matrix of answers and, along with that, a complex web of potential approaches to achieve their encryption requirements. For example, organizations may be required to encrypt their data on a number of different applications. Their options per application will vary, and you could end up with multiple solutions for meeting one requirement.

What about the keys? Some encryption options are native to a platform, yet they lack a key (no pun intended) requirement -- key management -- that most encryption solutions must have to be compliant. We have found that, while encryption is often easy, the complexities of good key management are what organizations struggle with most. If you encrypt data with a key and leave that key with the data weakly protected, you might as well not encrypt it at all.

What risk are you removing? Encryption is often thought of as the ultimate weapon for protecting data, but in practice many implementations fall short of actually protecting it. Data has no defenses of its own; it must rely on the defenses of the environment in which it lives. If an organization encrypts its data with a self-encrypting disk, it removes the physical risk of theft or loss of the drive, and only that: the many privileged users and processes that interact with the data on a running system still see it in the clear. Be explicit about which risk a given encryption control removes, and make sure it is the risk you actually need removed.

Will it be cost-effective? The implementation and maintenance costs of encryption across multiple environments, use cases, and applications can add up quickly. It's not just the cost of licenses, but the operationalization of it, as well. Organizations need to ask themselves the following questions: Do I have to change code? Do I need multiple OS support? Do I need to get a key management solution?

Many Fortune 500 companies face issues with databases and file servers that require encryption because of a regulation called MAS, out of Singapore, that promotes sustained, non-inflationary economic growth through monetary policies and macro-economic surveillance of emerging trends and potential vulnerabilities. One chief security architect realized that it would cost approximately $2.4 million in licensing and more than 24 months to integrate encryption into just one custom application. Not surprisingly, once he did the math he found this unappealing.

What's the bottom line? Look for encryption platforms that offer lower total cost of ownership. You will find it easier to get the budget you need and create a secure way of doing business by allowing multiple ways to encrypt your data without having to change the way you run your business.

Sol Cates is the Chief Security Officer at Vormetric. As CSO, he ensures that Vormetric's internal security profile remains robust, while maintaining a strong pulse on technical and business decision-making processes. Cates partners with teams throughout the company and the ...

Ulf Mattsson,
User Rank: Moderator
4/29/2014 | 8:44:59 AM
Re: Cost effective is not enough to win the war
Thank you. I think that file encryption with proper key management can protect media (OS files and backups) but not the data flow (which now increasingly is under attack).
Marilyn Cohodas,
User Rank: Strategist
4/29/2014 | 8:38:52 AM
Re: Cost effective is not enough to win the war
Thanks for your thoughtful comment, Ulf, and also for raising the issue of data security and big data in the context of encryption, cloud computing and the recently released Verizon DBIR. That's a lot to think about! To your point:

I think that file encryption will not stop the bad guys. The bad guys are no longer attacking stored data. The bad guys are now attacking the data flow, including data in memory. My view is that we now need to secure the data flow, including data in memory. The bad guys are no longer attacking stored data.

If file encryption "won't stop the bad guys," in the era of cloud and big data, what is its proper role?

Ulf Mattsson,
User Rank: Moderator
4/26/2014 | 10:28:49 AM
Cost effective is not enough to win the war
The good news is that Verizon's "2014 Data Breach Investigations Report" is now available for download.

The bad news, as Wade Baker, principal author of the Data Breach Investigations Report (DBIR) series, says is that: "After analyzing 10 years of data, we realize most organizations cannot keep up with cybercrime – and the bad guys are winning."

My view is that we are now more concerned about attackers that are targeting our data flow, including data in memory, since the DBIR reported that "RAM scrapers" went from a low #17 in 2012 and shot up the charts to a very concerning #4 spot in 2013.

My view is that we are now less concerned about attackers that are targeting our stored data, since the DBIR reported that "Capture stored data" went from #4 in 2012 to a less concerning #9 spot in 2013 and "Privilege abuse" went from #14 in 2012 to a less concerning #17 spot in 2013.

I think that file encryption will not stop the bad guys. The bad guys are no longer attacking stored data. The bad guys are now attacking the data flow, including data in memory.

My view is that we now need to secure the data flow, including data in memory. The bad guys are no longer attacking stored data.

The addition of coarse-grained volume or file encryption will only solve one problem, protecting data at rest, but considering that one of the primary goals is using the data, one might suggest that it provides little in the grand scheme of data security. Sensitive data in use for analytics, traveling between nodes, sent to other systems, or even just being viewed is subject to full exposure.

What they're seeking is advanced functionality equal to the task of balancing security and regulatory compliance with data insights and data utility. This balance is critical for Big Data and Cloud platforms.

Emerging Big Data and Cloud platforms are presenting new use cases that require data insight for analytics; the high performance and scalability needed for Big Data platforms cannot be achieved by old security approaches. New security approaches are required since Big Data is based on a new and different architecture.

Big Data is introducing a new approach to collecting data by allowing unstructured data to be blindly collected. In many cases we do not even know about all sensitive and regulated data fields that are contained in these large data feeds. Analysis of the content is often deferred to a later point in the process, to a stage when we are starting to use the data for analytics. Then it is too late to go back and try to apply data security and compliance to regulations.

My view is that we now need to secure the data flow. The bad guys are no longer attacking stored data in files.

Ulf Mattsson, CTO Protegrity
User Rank: Ninja
4/22/2014 | 10:33:00 AM
I'm surprised there are still software companies that actively utilize encryption schemes such as the Blowfish cipher. Even with a 448-bit key it is still considered weak.

It's a poor choice of performance over security.

User Rank: Ninja
4/22/2014 | 8:10:36 AM
Re: Key management must be part of the picture
This is an excellent post.

Those who have been following the "hacking" problem for a while will have probably realized that a failure to authenticate is a big part of the problem -- possibly the biggest part.

The commercial sector keeps trying to provide authentication for us, the Certificate Authorities' provision of the SSL, TLS, and X.509 certificate system being the prime example.

Still, attackers have broken through -- Comodo and DigiNotar being examples.

My take on this problem is that they have allowed the "attack surface" to become large. Those familiar with Phil Zimmermann's original work will note that participation is required -- to maintain a proper trust model for PGP keys and/or X.509 certificates -- which rely on public key encryption.

The resolution here may be to assign only marginal trust to the current method; each user should generate a key pair for his/her system -- and then validate and countersign those certificates which require full trust.

Examples of certificates needing full trust: credit union, online banking, online shopping, IRS reports -- where there's money there will be scammers.

Another thing noted in Phil Zimmermann's original work: you must work from a secure OS. Think about this. What are you using? What sort of reputation does it have? Is anything better available?

Security is something you do, not something you get.
Charlie Babcock,
User Rank: Ninja
4/21/2014 | 9:13:31 PM
Key management must be part of the picture
The key point here is, encryption alone is not good protection, even though to many users it is foolproof. On the contrary, encryption key management is what makes the process of encrypting work.
User Rank: Author
4/21/2014 | 4:15:37 PM
Re: Rethinking encryption
I think one of the biggest things to focus on in the advent of Heartbleed is vendor management... I had over 20 vendors affected by the Heartbleed bug, and had to focus our efforts on ensuring the vendor was responding quickly with a solution or effective workarounds.

As with any software/hardware, there will be bugs. It's the detection of, and reaction to, them that is critical to get right.
Marilyn Cohodas,
User Rank: Strategist
4/21/2014 | 3:09:46 PM
Rethinking encryption
Thanks for a good overview on the ROI of encryption, Sol. In light of Heartbleed, what -- if any -- specific changes in corporate security would you recommend with respect to encryption?