While Moore's Law has taken a lot of the sting out of encryption, Hale says a server that processes many transactions against a large database can become unacceptably slow if care isn't taken. The answer, he says, is not whole-disk encryption but selective encryption at the application or even data-element level. "We will encrypt Social Security [numbers], name, address -- anything that is personally identifiable information," Hale says. In some cases, he says, it's possible to do that using the features embedded in commercial software, such as database applications.
But while going to that level of granularity saves processing cycles, it comes at a cost: the effort required to inventory and classify applications and data. In fact, technology per se is not the hardest part of a broad encryption deployment, says Matt Haynes, a security architect at a major telecommunications firm that he declined to name. "The big effort is that you have to identify where the data is. It took us a quarter to do that. The second thing is figuring out policies and procedures: How do you live with this new thing called encryption?"
Haynes recommends tackling an encryption project with two distinct teams: "One to find and classify data, and the other to become experts on the encryption tools and processes themselves."
The work doesn't stop once encryption is in place. "There's process overhead, administrative overhead, and you obviously have to manage that system very closely," Haynes says.
And there's key management. "Once you've got a lot of data encrypted, you'd better damn well be sure you can get it decrypted and know who can get it decrypted," he says.
Still, there are technology choices that can greatly reduce the deployment effort, Haynes says. For example, some approaches to encryption require that applications be modified at each point where they access an encrypted database. "When we first started looking at encrypting data," Haynes recalls, "we understood that the need to make complicated and numerous application changes was going to turn the concept into a many-year, many-million-dollar project." But he was able to avoid such an undertaking by using the Ingrian encryption appliance. It sits between the database and the applications and is largely invisible to the applications. Application-level changes were "minimal," he says.
"Encryption is a strategic initiative," Massar says. "For the past year or so, we have been focused on some very tactical things -- encrypting tapes, laptops, BlackBerries and so on. These are some quick-win situations. But what if I had taken a more strategic approach a couple of years ago?"
For example, if he had re-architected his applications so that they did not store data on client machines, then he might not have to encrypt the laptops. If the source data Massar is backing up to tape had been encrypted to begin with, then he wouldn't need to encrypt the backup tapes. "Maybe if I had done a little work upfront," he says, "I wouldn't have to do these tactical things later on."
Companies rolling out encryption programs tend to focus on well-known difficulties, such as key management. But other surprises await the unwary.
- Search: Traditional search methods may not work on encrypted data, says Harvey Ewing, senior director of IT security at Accor North America. And to search a big database by decrypting every entry as you go is computationally infeasible. The answer: Use a special algorithm to, for example, create a unique hash value for each credit card number, and include that alongside the encrypted credit card number. The hash value can't be converted back into the credit card number if someone improperly gains access to it, but it can be searched on as easily as any other data element.
- Dependencies: Make sure you aren't passing an encrypted data field from one system to another that is expecting to find it unencrypted. "Once you begin encrypting data in one location, if you don't know all the dependencies of where the data is stored and used, then you are going to break things," says Ewing.
- Performance: Despite the march of Moore's Law and the tuning and optimization of hardware and software by cryptography gear vendors, performance is still a concern. "We did hit some stumbling blocks in the way some of our databases interacted," Ewing says. "That can be a problem if you are at the front desk of a hotel swiping a credit card." (With technical help from the vendor, the performance problem proved "manageable," he says.)
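One way to build the searchable column Ewing describes, as an added example that is not from the article or from Accor: each card number is stored as AES-GCM ciphertext beside an HMAC-SHA256 token of the number, so the database can be matched on the token without decrypting a single row. It goes a step beyond the text by keying the hash: a bare hash of a card number can be reversed by enumerating candidates, so the token uses a secret MAC key that is managed alongside the encryption key. The function names, keys and card numbers here are constructed for the demonstration.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)
// Token is the searchable value kept beside the ciphertext. It is a keyed HMAC, not a bare
// hash: card numbers have so little entropy that an unkeyed hash could be inverted by enumeration.
func Token(macKey []byte, pan string) string {
	m := hmac.New(sha256.New, macKey)
	m.Write([]byte(pan))
	return hex.EncodeToString(m.Sum(nil))
}

// NewAEAD builds the AES-GCM cipher for a 16-, 24- or 32-byte encryption key.
func NewAEAD(encKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt returns nonce || ciphertext || tag under a fresh random nonce; that randomness is why the ciphertext column cannot be searched.
func Encrypt(aead cipher.AEAD, pan string) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, []byte(pan), nil), nil
}

// Decrypt recovers the number for the few callers entitled to it; GCM rejects tampered rows.
func Decrypt(aead cipher.AEAD, ct []byte) (string, error) {
	if n := aead.NonceSize(); len(ct) >= n {
		pt, err := aead.Open(nil, ct[:n], ct[n:], nil)
		return string(pt), err
	}
	return "", errors.New("ciphertext too short")
}

// Find answers "is this number on file?" from the token column alone; nothing is decrypted.
func Find(rows map[string][]byte, macKey []byte, pan string) ([]byte, bool) {
	ct, ok := rows[Token(macKey, pan)]
	return ct, ok
}
```

The MAC key and the encryption key should be held and rotated by the same key-management process the article calls out, since whoever holds the MAC key can test whether a given card number is present.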