Encryption 'not enough to prevent data loss'

You have to protect the keys too, warns security expert

Encryption alone is not enough to prevent disasters like the loss late last year of the personal information of 25 million benefits claimants, according to a leading security company.

There were many calls for sensitive data to be encrypted as a matter of routine following the loss by HM Revenue and Customs in Newcastle of two disks containing the data. Other data losses have since come to light.

Modern encryption can be regarded as unbreakable, but if its use becomes common the attention of criminals will shift to the other weak links – people, and the keys used to encrypt and decrypt the data, said Richard Moulds, executive vice president of strategy at nCipher.

‘Most of the information that is lost today is not actually as a result of attacks at all, it's as a result of information just simply being mislaid or lost. Clearly information needs to be encrypted as it goes over the internet because the internet's a wild and scary place,’ he told a NetEvents forum in Barcelona.

But an enormous amount of information is lost offline ‘because backup tapes fall off the back of a truck, or laptops get left in taxicabs.’

Even if the information is merely lost, the people responsible may have to act on the assumption that it has been stolen, which can be almost as bad, Moulds said. His company makes sure that even if data is stolen it is rendered useless.

This meant having a regime in place not only to encipher data but also to protect the keys. ‘There have been cases where people have left the keys on tapes holding the encrypted data. It may seem that searching out a key from a mass of data is like searching for a needle in a haystack, but it can be done. Keys by their nature have to be random, and there are ways of identifying them.’
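Moulds's point that keys stand out because they are random suggests a check a defender can run before backup media leaves the building: scan the image for short islands of high-entropy bytes sitting in otherwise low-entropy catalog data (what a stray raw key looks like) and separate them from the long high-entropy runs that are the ciphertext itself. This is an added Python example, not code from nCipher or the article; the tape image, key bytes and ciphertext stand-in are constructed, and the window size, threshold and island cut-off are assumptions to be calibrated on real media.

```python
import math
from collections import Counter

# Constructed stand-in for a backup tape image: a text catalog with a small
# alphabet, a raw 32-byte key that was mistakenly written next to it, and a
# 1 KiB block standing in for the encrypted payload. None of this is real data.
CATALOG_LINE = b"backup catalog: files for server one\n"
KEY = bytes(range(0x80, 0xFF, 4))                          # 32 distinct bytes, as a real key would be
CIPHER = bytes((i * 167 + 89) % 256 for i in range(1024))  # full-period sequence: any 32 consecutive bytes differ
IMAGE = (CATALOG_LINE * 4 + b"key: " + KEY + b"\n"
         + CATALOG_LINE * 6 + b"data:\n" + CIPHER + CATALOG_LINE * 2)
KEY_OFFSET = IMAGE.index(KEY)
CIPHER_OFFSET = IMAGE.index(CIPHER)


def shannon_entropy(chunk: bytes) -> float:
    """Bits per byte of a chunk; 32 distinct bytes in a 32-byte window give 5.0."""
    n = len(chunk)
    return -sum((c / n) * math.log2(c / n) for c in Counter(chunk).values())


def high_entropy_regions(image: bytes, window: int = 32, threshold: float = 4.5):
    """Slide a window over the image and merge adjacent high-entropy offsets
    into [start, end) byte ranges. Window and threshold are assumed values."""
    regions, run_start, prev = [], None, None
    for off in range(len(image) - window + 1):
        if shannon_entropy(image[off:off + window]) <= threshold:
            continue
        if prev is not None and off == prev + 1:
            prev = off
            continue
        if run_start is not None:
            regions.append((run_start, prev + window))
        run_start = prev = off
    if run_start is not None:
        regions.append((run_start, prev + window))
    return regions


def audit_image(image: bytes, key_island_max: int = 96):
    """Split high-entropy regions into key-sized islands (suspicious: a stray
    key) and bulk runs (the ciphertext). key_island_max is an assumed cut-off."""
    regions = high_entropy_regions(image)
    islands = [r for r in regions if r[1] - r[0] <= key_island_max]
    bulk = [r for r in regions if r[1] - r[0] > key_island_max]
    return islands, bulk


if __name__ == "__main__":
    islands, bulk = audit_image(IMAGE)
    for start, end in islands:
        print(f"possible stray key at bytes {start}-{end}: review before shipping")
    for start, end in bulk:
        print(f"bulk ciphertext at bytes {start}-{end}")
```

The catalog text here deliberately uses a small alphabet so the margin is clear; real catalog and metadata are richer, so the threshold should be set from a known-clean image of the same format.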

Encryption of sensitive data on laptops is not secure enough in itself, he said. The key should be held on some form of smart card, with some kind of biometric to ensure that only an authorised person is using it.