Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

6/16/2009
05:32 PM
50%
50%

Data-Encryption Critics Play A Dangerous Game

Is encryption "overrated" as a data-security tool? Only if your company has a death wish.

Is encryption "overrated" as a data-security tool? Only if your company has a death wish.Cleversafe is a commercial open-source vendor that employs a "dispersed storage" architecture to protect business data. Recently, a blog post appeared on the Cleversafe.org community site with a provocative headline: "3 Reasons Why Encryption Is Overrated."

The post's author builds his case with three key points:

- Advances in CPU power inevitably turn today's "uncrackable" encryption into tomorrow's mincemeat.

- Key management -- a serious challenge for bigger companies -- can turn a promising encryption solution into an operational nightmare.

- Disclosure laws still force companies to reveal data-loss incidents -- and accept the PR consequences -- whether or not the lost data is encrypted.

As the blog post acknowledges, Cleversafe offers an alternative data-security solution that disperses data across a global storage network. The dispersed data slices are too small to give an attacker useful information, and users without the proper credentials are unable to retrieve and reconstruct the dispersed data.

It's an interesting solution, and its open-source technology base makes it especially interesting to me. For now, however, let's focus on the issue at hand: Is encryption really "overrated" as a data-security tool?

In this case, I think the term "overrated" isn't just an exaggeration. It's downright dangerous.

The idea that any tool offers perfect security is a red herring. Every security tool balances usability against effectiveness. And every security tool will, sooner or later, present opportunities to a determined, skilled attacker.

Will an encryption tool like TrueCrypt offer foolproof, totally effective encryption? Don't count on it. What it will do is buy a company time -- years, in many cases -- before even the most determined attacker can bring the resources to bear to defeat strong encryption.

Key management is a legitimate issue. Yet many encryption tools feature key-escrow features designed specifically for larger companies. If key management is a concern, seek out these products and evaluate them accordingly.

Frankly, the third reason the Cleversafe blog post mentions is a cop-out. Encryption will protect a company's customers and quite possibly reduce its legal liability in case of a data-loss incident. Dealing with PR fallout is always an unpleasant experience, but it's a cakewalk compared to the prospect of admitting that your company allowed a laptop full of unprotected customer records or credit card numbers to disappear.

Encryption is "overrated" only if you think it's perfect -- a foolish assumption from the get-go. For everyone else, it's overrated only if your company's goal is to get out of business as quickly as possible.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/27/2020
Modern Day Insider Threat: Network Bugs That Are Stealing Your Data
David Pearson, Principal Threat Researcher,  10/21/2020
Are You One COVID-19 Test Away From a Cybersecurity Disaster?
Alan Brill, Senior Managing Director, Cyber Risk Practice, Kroll,  10/21/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-27956
PUBLISHED: 2020-10-28
An Arbitrary File Upload in the Upload Image component in SourceCodester Car Rental Management System 1.0 allows the user to conduct remote code execution via admin/index.php?page=manage_car because .php files can be uploaded to admin/assets/uploads/ (under the web root).
CVE-2020-27957
PUBLISHED: 2020-10-28
The RandomGameUnit extension for MediaWiki through 1.35 was not properly escaping various title-related data. When certain varieties of games were created within MediaWiki, their names or titles could be manipulated to generate stored XSS within the RandomGameUnit extension.
CVE-2020-16140
PUBLISHED: 2020-10-27
The search functionality of the Greenmart theme 2.4.2 for WordPress is vulnerable to XSS.
CVE-2020-9982
PUBLISHED: 2020-10-27
This issue was addressed with improved checks to prevent unauthorized actions. This issue is fixed in Apple Music 3.4.0 for Android. A malicious application may be able to leak a user's credentials.
CVE-2020-3855
PUBLISHED: 2020-10-27
An access issue was addressed with improved access restrictions. This issue is fixed in macOS Catalina 10.15.3, Security Update 2020-001 Mojave, Security Update 2020-001 High Sierra. A malicious application may be able to overwrite arbitrary files.