Who cares about encryption?
Mobility holds the, ahem, key
Workshop Poll Results We're used to getting a hundred or so responses from the mini-polls we run, but the 383 responses to our recent encryption survey were indicative of just how important this area is to people. In it, we wanted to gauge the gap between aspiration and reality when it comes to encryption – what you think is necessary, versus what you have in place.
Up-front it's worth reminding ourselves that online polls are self-selecting, that is, people don't tend to respond unless they have an interest in the area. In this case, it's fair to say that we're going to get a good few people with an interest in IT security in general, not to mention encryption in particular, and the results should be read with this in mind.
Before we get onto the difference between expectation and reality, let's consider what respondents told us were the drivers for encryption. As you can see in Figure 1, top of the list was compliance with regulations such as PCI. In addition, many of you are storing increasing amounts of sensitive data, and/or seeing an increasingly mobile workforce – and certain respondents are reacting to recent breaches.
This is interesting enough – though perhaps it doesn't tell us anything new. The tendrils of regulation are extending, the amount of data stored is growing and workers are increasingly mobile. For the record, answers to the "Other" option (not shown) tended to focus on customer pressure and perceptions, for example about reputation. We'll come back to these drivers in a moment, but for now let's look at the state of play across the sample as a whole. We can start to glean some value from this, not least in seeing where respondents felt attention should be spent (Figure 2).
The top three ideal-world targets for encrypting everything are, in order:
- Data stored on notebooks used by mobile workers
- Data stored on smartphones and other portable/handheld devices
- Data stored on desktops/notebooks used in home locations
It's no coincidence that all three are to do with distributed/mobile working. Keep in mind the self-selection factor – so the absolute levels of response in terms of current usage will be higher than those in a balanced sample. What's more interesting is the relative gap between the ideal-world position and what's actually in place (Figure 3).
Looking at the delta between the ideal world and reality, clearly respondents believe that there is work still to be done across the board. The third point is how this figure relates to the first, "drivers" chart above. While compliance is seen as the top driver, the key areas where attention needs to be placed when it comes to encrypting data are all related to mobility. This is a fair indicator of how challenging the nature of the increasingly mobile workforce can be, when it comes to complying with regulations.
The executive who found himself personally responsible for a data breach when his laptop was stolen from his house may have been taken by surprise, as there is a lingering mindset that security is a central infrastructure thing. But rules and regs like PCI are not fussy about which particular part of the IT infrastructure is involved, be it a SAN in the data centre, or an SD card in a phone. It's all just IT.
I'm with pengwyn
Larger keys are a must. My preference is TrulyMail Portable (for email) which uses 4096 bit one-time symmetric key wrapped in an asymmetric key. I don't understand why PGP limits users to 1024 bits in their keys? Are they trying to make it easier for the snoops?
Not sure they are the same problems
... but both of them are very real. A lot of IT departments do think that 'security' means "don't allow any other programs" and so prevent the user from installing encryption. Especially (shock horror) Free Software like GPG, they seem to be terrified that having any GPL software will cause all of their own data to be made Open Source and worthless. Or something like that.
Portability: GPG and PGP and products based on them are compatible, at least at some levels. I don't know of any standard which is implemented at the disk or memory stick level though, except for TrueCrypt which is a de facto standard (Open Source, although several Linux distributions regard it as non-free due to the licence conditions). But in general it is true that there is a lot of non-compatibility in such products.
Don't compare Symmetric and Asymmetric Key Lengths
RSA is an asymmetric cipher, AES is symmetric. The keylengths are therefore not directly comparable. NIST guidelines indicate that 15360-bit RSA keys are equivalent in strength to 256-bit symmetric keys.