In a recent blog post on the UK Information Commissioner's Office (ICO) website, the regulator explains why data encryption is an important aspect of IT security. Commenting on this analysis, Dave Anderson of Voltage Security argues that it paints an incomplete picture.
“Our observations are that an over-arching data protection framework is the only viable solution if businesses want to ensure that all of their data remains protected and private anywhere it moves, anywhere it resides, and however it is used” – Dave Anderson, Voltage Security
Commenting on an analysis from Simon Rice – the ICO’s group technology manager – Voltage Security welcomes his conclusion that encryption is key to data security, but cautions that the encryption used by an organisation is only as secure as its key management.
Dave Anderson, a senior director with the data security company, says that Rice’s analysis is useful guidance for any company wanting to raise the bar on its data security, but that discussing technologies such as Secure Sockets Layer (SSL) or Transport Layer Security (TLS) as distinct from full disk encryption and file/folder/container encryption may serve to confuse non-technical readers.
“It is always difficult to write an analysis about a complex subject such as data encryption, but I think the Information Commission’s approach in this instance may be too simplistic in attempting to explain all the various options in a single piece. Our approach is similar to that of security risk analysis in that we first analyse the client’s security requirements and only then start discussing the technologies that are best suited to their situation,” Anderson said.
“Taking a modular approach to data security – as Rice implies in his piece – runs the risk that certain elements of the client’s data security may end up with weaker levels of security, and therefore greater risk exposure to compromise than if a holistic approach is taken. Cybercriminals, we have observed, will invariably go for the weakest link in the security chain, which is why a shrink-wrapped, modular or container approach is no longer the most appropriate option,” he added.
The Voltage director went on to say that Rice’s observation that smartphones and tablets can store a large volume of data is spot on, but that Rice then ignores how data can be protected on those devices – and moved securely on to and off them – especially against a backdrop of a bring-your-own-device workplace.
And this, Anderson says, is before we introduce cloud computing to the mix, as cloud security requires that data be protected upon its creation, before it moves into and then across the cloud.
Coupled with the increased use of mobile devices for transactions and communications, he adds, this creates a new set of challenges for organisations to protect their data as it moves over mobile devices.
“Against this backdrop, our observations are that an over-arching data protection framework is the only viable solution if businesses want to ensure that all of their data remains protected and private anywhere it moves, anywhere it resides, and however it is used,” he said.
“I also think that talking about the technology in too much depth – as Rice has done – may only serve to confuse some readers. And then to talk about fines of £700,000 in three recent ICO investigations – without detailing the cases, even in a summary format, will add frustration to the confusion. Is this the way to inform and educate business professionals? I think not,” he added.