Encryption is on its way – but let’s keep it a secret

The goal is for encryption to be so ubiquitous it's not mentioned

I have a long and tattered history with cryptography. Ever since I learned about Bob and Alice I was smitten. I knew it was important, because cryptographic algorithms could be used to protect sensitive data and provide strong authentication and non-repudiation on transactions. I even started a company in 1998 to make the public-key flavour of cryptography easier to use.

Yet at every turn, customers voted with their dollars to prove encryption and public key cryptography were just not interesting. It was too hard to use, too expensive and too much work to integrate into the infrastructure. The folks who pioneered the space did themselves a huge disservice by talking about the underlying mathematics of cryptography. Though they meant to prove the security of the technology, it had the effect of scaring everyone away.

But the game is not over and encryption will have its day in the sun. Encryption has always been one of those weird cousins who show up at all the family functions. You’re not really sure why they keep showing up, because no one really talks to them, then, one day, they blossom and find their voice. They are cool and you are glad they are part of the family.

The fact is that customers need encryption. One of the top imperatives of most CIOs today is to protect private data. If you don’t, you’ll be in hot water with the regulators and your customers. To complicate matters, lawyers are increasingly suing the pants off transgressors for the emotional distress caused by not taking proper care of private information.

By scrambling up the data as it rests in databases, file stores and email systems, you will be okay — even if a laptop is lost. If your favourite shipping company loses a backup tape, no worries — the data is encrypted. If the National Security Agency is sitting there with a big packet sniffer, not a problem — they can’t decipher anything. There will come a time when we think back to those crazy days when data was stored in the clear, but it won’t be for a while.

Examining the single instance of mass-market encryption success — SSL — is very instructive when it comes to solving the issue of perception of complexity. You are a network or security professional, so you probably know SSL involves public key cryptography. But do you care? Of course not. You get the lock in your browser and all is well, right? The point is transparency. No one knew or cared what made SSL work. What we need is an encryption utility that works all the time. Customers don’t want to worry about key management. They don’t want to get poked in the eye when they can’t recover encrypted data off a backup tape. They can’t afford to add more help-desk resources when folks lose a key ring. It needs to be there and be transparent.

Clearly we’re not there yet. There is still infrastructure to buy (or rent). There are still keys to manage and users to train. But we are making progress. Encrypting sensitive outbound email is pretty much transparent. The user never even knows the message is sent securely. Database encryption done right has no impact on the applications that the user sees. Done wrong, it’s a train wreck — but that’s a topic for another day.

A few vendors are hard at work trying to make you forget that encryption exists. PGP and RSA Security, the two biggest encryption brands, are building partner networks to move key management out of the application and into the infrastructure. PGP’s Netshare technology makes encrypting data at rest on file servers transparent to users. Companies such as PostX and Voltage are working to hide encryption in other applications through packaged developer kits.

To be clear, encryption is not a panacea. Encrypted data doesn’t help if you have employees who decrypt the data, then take it off-site on their laptops. Nor is it very useful at stopping an insider attack.

But the tipping point will be when we don’t have to talk about encryption anymore. It will just be there. Users won’t be any the wiser, but their data will be protected. Encryption is going to happen, but don’t tell anyone. You may ruin the secret.
