Six Myths of Information Security (cont'd)
Myth #4 -- Encryption as a primary effective control against data loss
This myth has a long history, since encryption technology predates the digital era. Encryption as the first choice of protection against data loss is almost a sacred cow of information security tradecraft. Most practitioners simply take it for granted that encryption (and, for that matter, DRM) is a basic form of protection that should be your first choice of technology to help prevent the theft of data.
What we see
Obviously, a large number of basic applications of encryption are vital and necessary protection measures. Automatic protection of content via encryption is a fundamental security protection with well-established value. Whole-disk encryption of laptops, basic channel security via SSL or VPNs, encipherment of database records: all of these have clear value.
The simple truth is that a huge swath of the data loss events we see are not realistically treatable by encryption (or DRM, for that matter). A very large percentage of data breach events happen daily purely through the activity of well-meaning insiders. These employees are busy, in the habit of cutting corners, and often ignorant of corporate policy. These are exactly the people who are unlikely to make diligent use of encryption or DRM tools. The hard truth to accept here is that the availability of encryption or DRM technology is rarely an indicator of how well an organization is prepared to stop data loss. In fact, most of the large-scale providers of encryption and DRM technology understand that the key enabling factor that will protect the data is not the digital envelopes they provide, but rather the content-aware automation of the protection of this data.
Across our customer base, we've seen numerous encryption and DRM projects produce disappointingly limited results. In fact, there are numerous dysfunctional DRM and encryption implementations littered across the G2000 (n.b.: exceptions already noted above). Frequently the missing ingredient in these failed implementations is an effective means to automatically enforce application of the encryption or DRM protection.
Content-aware automation of the protection of the data is a major driver behind DLP business in G2000 accounts. Many organizations now realize that, without DLP, there is no effective means to take advantage of email encryption or file-by-file application of DRM.
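As an added illustration (not from the original post and not any vendor's product code), here is a minimal sketch of content-aware enforcement: a hypothetical outbound-mail policy that inspects the message body and forces encryption when sensitive data would otherwise leave unprotected, so nothing depends on the sender remembering to encrypt. All function names, patterns and sample messages are assumptions constructed for this example.

```python
import re

# Hypothetical detectors; a real DLP policy would carry many more.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")   # candidate card numbers
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")     # US SSN layout


def luhn_ok(digits):
    """Luhn checksum: discards digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(body):
    """Return the kinds of sensitive content found in a message body."""
    findings = []
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            findings.append("payment_card")
            break
    if SSN_RE.search(body):
        findings.append("us_ssn")
    return findings


def decide(body, channel_encrypted):
    """The content, not the sender, decides whether protection is applied."""
    if classify(body) and not channel_encrypted:
        return "force_encrypt"
    return "deliver"


# Constructed sample messages (4111 1111 1111 1111 is a standard test number).
SAMPLES = {
    "invoice": "Customer card 4111 1111 1111 1111, exp 01/30. Please process.",
    "order_id": "Tracking reference 1234 5678 9012 3456 shipped today.",
    "hr": "New hire SSN is 078-05-1120, start date Monday.",
    "lunch": "Lunch at noon?",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, classify(body), decide(body, channel_encrypted=False))
```

The Luhn check is what keeps the 16-digit tracking reference from triggering encryption, which matters because a policy that fires on every long number gets switched off.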
Bottom line summary:
(*) Encryption and DRM are only useful if they are applied.
(*) Applying them everywhere, all the time, is simply not viable.
(*) Employees are typically very undisciplined when asked to apply these protection measures.
(*) In many cases, encryption and DRM only become effective when they are enabled by DLP.