November 1, 2012

Guest blog: Encryption – is it useful?

Si Kellow, chief security officer (CSO) at Proact, writes for CBR about encryption and what companies can do to ensure they remain safe

By Cbr Rolling Blog


Encryption is an area of information management that causes problems: does the data need to be encrypted at rest or when in motion? Does the classification of the data mean that there are different encryption requirements?

It’s probably worthwhile having a look at the history of encryption and encipherment.

The desire to protect information from casual viewing has been around for over 2,000 years. In 405 BC, General Lysander received a message that had been written inside a belt, and the only way to read it was to wind the belt around a pole of a certain size.

Julius Caesar invented a cipher that was (with the limitations of education in Roman society) very hard to crack, but it was Mary, Queen of Scots, who pushed encryption up to another level by using symbols not just for letters but for entire words.

This meant that simple frequency analysis became harder without knowing the key. Although encryption has long been used to assist secret communication, nowadays it is commonly used in protecting information within IT systems.

Today, one of the greatest causes of concern when it comes to data is who can get access to the information that lies within.

Whether it is data at rest (information held on a computer disk and storage device) or data in transit (information being transferred via networks, the internet and wireless devices), the question is: would it be possible for a nefarious party to remove the disk, or intercept the connection, and access the data?

If the data isn’t encrypted then it most definitely can be accessed from a drive, as can be judged from the number of freely downloadable tools available to assist.

When talking about encryption there are a number of "usual suspect" questions, for example: Does it do full disk encryption? How do I recover the data in the event that the person who knows the password leaves the company?

Full disk encryption is usually reserved for end users and their laptops. It is easier to encrypt the whole drive than to specify certain data paths. The limitation is that the drive has to be unlocked in order to boot the machine, so if the user is overseas and forgets their password you’d better hope that the helpdesk is available 24/7.

In terms of recovering the data, if the encryption keys are lost, retrieving it will depend on how the solution was implemented. If Hardware Security Modules (HSMs) are used, this will usually require a quorum of administrators to be present before the keys are released. Depending on the model, this might take the form of physical keys or smartcards.
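The quorum requirement described above can be illustrated with Shamir's secret sharing, a standard k-of-n scheme in which no group smaller than the threshold can rebuild the key. This is an added example, not code from the article or from any HSM vendor; the article does not say which mechanism a given HSM uses, and `split_key`, `recover_key`, the field prime and the check value are names and choices assumed here for illustration.

```python
import hashlib
import hmac
import secrets

PRIME = 2**521 - 1  # Mersenne prime; the field must be larger than any key we split


def _check_value(key: bytes) -> bytes:
    # Short digest so recovery can tell a correct key from garbage (constructed scheme).
    return hashlib.sha256(b"kcv" + key).digest()[:8]


def split_key(key: bytes, threshold: int, holders: int):
    """Return (shares, check_value); any `threshold` shares rebuild the key."""
    if not 1 < threshold <= holders:
        raise ValueError("need 1 < threshold <= holders")
    secret = int.from_bytes(key, "big")
    if secret >= PRIME:
        raise ValueError("key too large for the field")
    # Random polynomial of degree threshold-1 whose constant term is the key.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    shares = []
    for x in range(1, holders + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation mod PRIME
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares, _check_value(key)


def recover_key(shares, key_len: int, check_value: bytes) -> bytes:
    """Lagrange-interpolate the polynomial at x = 0 from the shares presented."""
    if len({x for x, _ in shares}) != len(shares):
        raise ValueError("duplicate share presented")
    secret = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num = num * -xj % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    # Below the threshold the result is an unrelated field element.
    if secret.bit_length() > key_len * 8:
        raise ValueError("quorum not met or share corrupted")
    key = secret.to_bytes(key_len, "big")
    if not hmac.compare_digest(_check_value(key), check_value):
        raise ValueError("quorum not met or share corrupted")
    return key
```

With a 3-of-5 split, any three administrators' shares return the original key, while two shares raise an error instead of yielding a partial key.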

Encryption is enabling the vision of being able to access data anytime and from anywhere, but at the same time the proliferation of mobile devices and use of the cloud has also introduced new security challenges. So when it comes to data protection, any security strategy should look to encompass encryption and key management.

Si Kellow, CSO, Proact.
