It is much less common for companies to encrypt "data at rest," meaning data stored on servers, desktops, laptops and backup tapes. But protecting stored files and databases has recently become the focus of encryption projects at many companies. For example, Massar rolled out Ingrian Networks Inc.'s DataSecure Platform, a dedicated encryption appliance that sits between applications and databases; its hardware and software are tuned for computationally intensive cryptographic operations.
Massar says he uses the Ingrian devices to apply one of the basic principles of encrypting data at rest. "Think of a piece of data as having a life cycle," he says. "I want to protect it as close to its point of origin as possible, so when it comes into my first system, I encrypt it then. Then if I want to funnel it into a back-office system, it stays encrypted, and if I need to back it up to tape, it's still encrypted.
"We are doing this first for our Internet-facing systems, because that's where the most risk is," Massar adds. But the goal is to have one encryption service, so application developers don't have to develop a new encryption routine every time they get a piece of sensitive information.
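The following Go program is an added illustration of the two ideas above (encrypt at the point of origin, then offer one shared encryption service), not code from Ingrian or from Massar's organization. It is a hypothetical in-process service: field values are encrypted with AES-256-GCM, the field name is bound as associated data so a token cannot be replayed into another column, and a key ID is carried in the token so keys can later be rotated. The token layout, the key ID "k1", the field names and the test card number are all assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// EncryptionService is a hypothetical stand-in for the one shared encryption routine
// the article describes: callers hand it plaintext at the point of origin and get back
// an opaque token that every downstream system stores as-is.
type EncryptionService struct {
	keys    map[string][]byte // key ID -> 256-bit AES key (held in memory here)
	current string            // key ID used for new encryptions
}

// NewEncryptionService wraps one 32-byte key under the assumed ID "k1".
func NewEncryptionService(key []byte) *EncryptionService {
	return &EncryptionService{keys: map[string][]byte{"k1": key}, current: "k1"}
}

func (s *EncryptionService) aead(keyID string) (cipher.AEAD, error) {
	block, err := aes.NewCipher(s.keys[keyID]) // unknown ID -> nil key -> key size error
	if err != nil {
		return nil, fmt.Errorf("key %q unusable: %w", keyID, err)
	}
	return cipher.NewGCM(block)
}

// Protect encrypts one field with AES-256-GCM, binding the field name as associated
// data. Assumed token layout: "enc:<keyID>:<base64(nonce || ciphertext || tag)>".
func (s *EncryptionService) Protect(field, plaintext string) (string, error) {
	aead, err := s.aead(s.current)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := aead.Seal(nonce, nonce, []byte(plaintext), []byte(field))
	return "enc:" + s.current + ":" + base64.StdEncoding.EncodeToString(ct), nil
}

// Reveal decrypts a Protect token, failing closed on an unknown key ID, a truncated
// token, a wrong field name or any bit flip in the ciphertext.
func (s *EncryptionService) Reveal(field, token string) (string, error) {
	parts := strings.SplitN(token, ":", 3)
	if len(parts) != 3 || parts[0] != "enc" {
		return "", errors.New("not an encrypted token")
	}
	aead, err := s.aead(parts[1])
	if err != nil {
		return "", err
	}
	raw, err := base64.StdEncoding.DecodeString(parts[2])
	if err != nil {
		return "", err
	}
	n := aead.NonceSize()
	if len(raw) < n+aead.Overhead() {
		return "", errors.New("token too short")
	}
	pt, err := aead.Open(nil, raw[:n], raw[n:], []byte(field))
	if err != nil {
		return "", errors.New("decryption failed: tampered token or wrong field")
	}
	return string(pt), nil
}

// IsProtected lets keyless systems (back office, backup job) confirm a record is still ciphertext.
func IsProtected(token string) bool { return strings.HasPrefix(token, "enc:") }

// Lifecycle follows one value through the life cycle Massar describes: encrypted on the
// Internet-facing system, copied unchanged to a back-office record and a backup, and
// decrypted only by the service. It returns the backup copy and the recovered value.
func Lifecycle(svc *EncryptionService, pan string) (backup, recovered string, err error) {
	token, err := svc.Protect("card_number", pan) // point of origin
	if err != nil {
		return "", "", err
	}
	backOffice := map[string]string{"card_number": token} // stored as-is, no key needed
	backup = backOffice["card_number"]                   // tape copy: still ciphertext
	if !IsProtected(backup) {
		return "", "", errors.New("plaintext reached the backup")
	}
	recovered, err = svc.Reveal("card_number", backup)
	return backup, recovered, err
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed demo key; real keys live in an HSM or appliance
	backup, recovered, err := Lifecycle(NewEncryptionService(key), "4111111111111111") // constructed test PAN
	if err != nil {
		panic(err)
	}
	fmt.Println(backup, "->", recovered)
}
```

The point of the example is where the key is not: the back-office map and the "backup" copy never touch a key and can only check that the value is still a token, while the same service that encrypted at ingress is the only place decryption happens. Binding the field name as associated data means a token lifted from `card_number` cannot be decrypted as `billing_zip`, and the key ID prefix is what lets a new key be introduced without re-encrypting everything at once.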
But Massar acknowledges that such comprehensive, seamless encryption is easier to imagine than to accomplish. He says he has more than 1,000 systems subject to the encryption guidelines of the Payment Card Industry Data Security Standard, and "that requires a lot of architectural decisions."
Organizations moving to encrypt their information at rest naturally look first at the most vulnerable data, which can exit the company in laptops, handheld devices and so on. A computer services firm recently set a policy that the hard drives on all laptops be encrypted using Whole Disk Encryption from PGP Corp. in Palo Alto, Calif., says Lawrence Hale, the firm's chief information security officer. He asked that his employer not be identified.
Companies often balk at encrypting large amounts of data because the mathematical algorithms used in encryption and decryption are computationally intensive. Hale says it can take six to eight hours to encrypt a 60GB to 80GB hard drive from scratch. But that's a one-time job for each drive. Once it's done, the day-to-day incremental encryption and decryption run in the background, unnoticed by users. "The files you bring up open very quickly," Hale notes.