Why didn't this happen sooner? Seagate Technology has just announced a hard disk drive for laptops and other mobile devices that automatically encrypts all data as it goes into and comes out of the drive. Result: Nothing on the drive is accessible unless you know the password. If you lose your laptop with a drive like this installed, that's all you lose. The data is safe from prying eyes -- a thief can't even boot it up.
Sure, the Feds can probably still get at your data. But the bad guys you're most worried about won't have a chance.
Actually, that probably explains why this hasn't happened sooner. That automatic encryption could get mighty inconvenient.
For example, when users forget their passwords, they don't want to have to rebuild the contents of their hard drives from scratch. They want to tell IT, which resets the passwords so everybody can just go back to work.
And when things get munged on an executive's hard drive and all his un-backed-up presentations, reports and notes appear lost, he doesn't want his drive reimaged. He wants IT to use specialized tools to poke around on the disk and reassemble those deleted files.
That likely won't work with Seagate's "full disc encryption" drives. They're designed to be black boxes that work independently of operating systems. You put the data in and get the data out through a tightly defined interface. But you don't get a lot of room for poking around.
So when seamless hard-drive encryption finally gets here (by next spring, according to Seagate), our tools and tricks for dealing with hard-drive hiccups won't work. We'll hear screams the first time things go wrong. Then we'll hear demands that the encryption be turned off, or that the drives be replaced with conventional hard disks that make data recovery easier.
We'll need to be prepared for those screams and demands. We'll have to explain the business case for seamless encryption (better security, reduced liability risk, less exposure to data-protection laws). We'll want to be ready with easier ways of doing backup, along with a well-designed way to file away copies of those hardware passwords.
Stocking up on asbestos earplugs might be a good idea too.
But as unpleasant as this transition is likely to be, we need it. Data just keeps getting harder to control. We can't seem to stop users from copying it onto laptops and then losing them. We try to block industrial spies and crackers, worm writers and key loggers, but too often they get through. Meanwhile, between the Sarbanes-Oxley Act and privacy laws, the stakes keep getting higher.
We've got to protect that data, and it's clear the answer is encryption.
It's also clear that we won't successfully add encryption ourselves. We can't make it transparent enough. If users have to do anything special, they won't. So even if we provide it, encryption won't get used -- unless it's invisible.
And unless it's built into the hardware, where no one can tinker with it, tweak it or turn it off.
Users won't like the fact that we can't do those things. Many of us won't, either. We like having that fine control for fixing problems at a low level. Tinkering is in our DNA.
But we can't afford that anymore -- not if the price is security. Besides, if we're really going to serve our organizations' business needs, that's the wrong level to be working at anyway. We need encryption to be built in, not bolted on. And not just built into laptop hard drives, but networks and file servers and tape backup systems, too.
That way, we can stop thinking about encryption and concentrate on how IT can make the business better, not just safer.
And that can't happen soon enough.