Scrambling in the Desert: Nevada Encryption Mandate Begins Oct. 1


A lot of people in the security industry will be watching Nevada with interest beginning next month. On Oct. 1, a law goes into effect mandating encryption of all transmissions over the Internet that contain identifiable personal information.


That's a heck of a lot of encryption. This Baseline post does a good job of outlining the perceived shortcomings of the new rule. Essentially, technical folks think that the language in the law is far too broad and can be interpreted to mean things besides encryption.


Two major issues are potential structural problems with the law and whether mandated encryption is overkill. There is a third potential set of problems with encryption itself. At Interop last week in New York City, SecureLogix CTO and Vice President of Engineering Mark Collier commented, at a panel entitled "Security Vulnerability in VoIP Products and Standards," that encryption adds overhead that can interfere with quality of service, requires that encryption keys also be encrypted, and requires a complex key-management infrastructure.


The Nevada law, written more by attorneys than engineers, may not have taken these issues into account.


Despite any reservation or problem, encryption is, of course, a mainstay in the fight against crackers. Tek Talkin does a nice job of explaining the various forms of encryption. It covers IP Security (IPSec), RSA/RC4, the Data Encryption Standard (DES) and 3DES, Blowfish, the International Data Encryption Algorithm (IDEA), the Advanced Encryption Standard and CAST. It also talks about symmetric key cryptography, asymmetric key cryptography, hashing and passwords.


If the authorities in Nevada are pushing businesses (surely an interesting mix, in Las Vegas and other points in the state) to encrypt everything, they clearly are going against the tide. This eWEEK post highlights research recently done on behalf of Certified Mail by Osterman Research. The survey drew responses from 205 respondents. Of them, 47 percent can't encrypt e-mail directly from desktops, 45 percent can send encrypted e-mail manually through their e-mail client and only 13 percent have access to a policy-based e-mail encryption system. Of those with the ability to send encrypted e-mail, 22 percent found it difficult or somewhat difficult, while 44 percent voiced no problem.


Encryption is for more than e-mail, of course. This week, Brocade unveiled the Data Center Fabric Manager 10.0, which introduces fabric-based encryption for both physical and virtual servers. eWEEK reports that Brocade is offering a 2U appliance with 32 8-gigabit-per-second Fibre Channel ports and an encryption blade for the DCX Backbone chassis.


Encryption is simultaneously an attractive and problematic approach to security. Scrambling electronic messages is an extremely effective means of protecting data, but also a demanding one. Folks who don't properly plan for and deploy encryption will experience real problems.