Encrypting data is becoming a requirement. How well you need to manage the keys that are used to encrypt the data is still open to debate.
The state of Iowa recently became the 43rd state to pass a data breach law that requires a company to notify its consumers should it discover that their personal information has been compromised. In states with laws like Iowa's, the primary concern is ensuring that data stored to tape is encrypted so that, in the event the tape is lost or stolen, the data is considered unrecoverable.
Yet some states do not consider encryption alone sufficient to ensure that the data is unrecoverable. Pennsylvania adds a stipulation that companies need to have proper encryption key management policies in place. This guarantees that encrypted data on tape cannot be decrypted should someone manage to get their hands on both the tape and the key used to encrypt it.
Laws like this open up a loophole as to what constitutes proper encryption key management policy. It is no secret that data stored to tape can be encrypted at a number of points (backup software, tape drive, etc.) in the backup process. Yet encrypting data at any of these points may require no more than providing a one-word password to the software. Whether or not that constitutes a proper key management policy is unclear.
Encryption is becoming a part of the corporate landscape, partly out of necessity and partly because state laws are forcing it upon companies. But laws differ by state and, at this stage in the game, companies cannot assume that just because they have encrypted data or implemented encryption key management that they are either completely protected from future legal liabilities or have complied with the law.
Jerome Wendt is the president and lead analyst at DCIG Inc. You may read his blogs at www.dciginc.com.
Comments (2)
Soap box anyone?
By Anonymous on August 22, 2008, 5:08 pm
Consider the enormous security burdens and risks of today's Fortune 500 enterprises: they manage thousands and thousands of keys and certs to encrypt and thereby...
Are you sure?
By Anonymous on August 22, 2008, 11:33 am
"Pennsylvania adds a stipulation that companies need to have proper encryption key management policies in place. This guarantees that encrypted data on tape cannot...