It's good to know that at least one positive thing came from the Veterans Administration laptop disaster. The high-profile case, in which about 26.5 million veterans' records were exposed via a lost laptop, and others like it are making it more likely that organizations encrypt their data.
Based on year-end estimates from the Identity Theft Resource Center and Attrition.org, we suggest that this is a good thing.
NewsFactor reports that encryption is required for all "data at rest" on Air Force laptops. This is in line with other signs that use of encryption is growing. The story says the VA meltdown led the government to issue blanket purchasing agreements for "data at rest" encryption for all laptops and removable storage devices. These agreements -- the government's first for encryption -- involve 11 resellers and focus on products from Credant, Skylock, GuardianEdge, Mobile Armor, Pointsec, McAfee's SafeBoot, SafeNet, Spyrus and WinMagic.
The story describes other organizations that have decided to encrypt data, including the Tennessee Department of Revenue (which uses Entrust), U.K.-based Standard Chartered Bank (PGP), Heartland Health (PGP and Microsoft), Career Education Corp. (PGP, Vontu and Cisco's IronPort) and another British company, AirMiles (Ingrian).
This long commentary by the CTO of BeCrypt at SecurityPark describes the advantages and challenges of encryption. Encryption is complex because it is based on the idea that a receiver on a network used by many people can access a key that remains unknown to anyone else on that network except the sending party. That's a difficult idea to execute.
Encryption represents a balance between security and data availability, goals that often conflict. This inner tension magnifies the difficulty of transferring the secret key. During the past year or two, however, the need to make data more easily available and the related proliferation of removable storage devices are driving vendors to simplify the process, according to BeCrypt's CTO.
Organizations that are not encrypting need to reconsider their position. U.K.-based BeCrypt offers seven steps to successful deployment. Organizations must decide who has access, put effective processes in place, define simple "shared-secret" procedures for trading encrypted data with external organizations, create a balance between accessibility and security, make processes easy to use and educate users about the risks of poor security.
The nagging fear is whether the industry is closing the barn door after the horse has escaped. This Associated Press story posted at Wired reports that the Identity Theft Resource Center found that through Dec. 18, more than 79 million records were compromised in 2007 in the United States. That's a fourfold increase over the 20 million records compromised in 2006. The story says Attrition.org estimates that 162 million records were lost worldwide. A good deal of the story is spent reconciling the two estimates, though it remains clear a massive number of records were exposed.
The bottom line is that the online world is woefully insecure. While breaches have been reported for years, these numbers suggest that the crisis is gaining momentum. The use of encryption is growing and becoming more sophisticated. One question for 2008 is whether encryption itself is safe. Assuming it is, or can be made to be, the big question of 2008 is whether it, and other security approaches, are growing fast enough.