Despite added costs and complexity, business and government sectors are becoming wedded to data encryption, even though at times it's like an arranged marriage driven by regulatory compliance and fear of data-breach fiascos.
"We now require encryption for data at rest on laptops in the Air Force," says Greg Garcia, member of the senior executive service of the U.S. Air Force and director of the 754th Electronic Systems Group at Gunter Air Force Base in Montgomery, Ala. The group sets security policy for the 500,000 laptops used by the Air Force.
"The contract we awarded for this grew out of what happened at Veterans Affairs," Garcia points out, alluding to the data-breach fiascos of this year and last that led to millions of veterans' personal information being exposed on lost and stolen laptops.
The VA data-breach incidents spurred the White House Office of Management and Budget, the Department of Defence and the civilian-side General Services Administration to look at government wide approaches for "data at rest" encryption.
The outcome was the U.S. government's first-ever blanket purchasing agreements (BPAs) for data-at-rest encryption products to protect sensitive but unclassified data on government laptops and removable storage devices.
BPAs were awarded in June to 11 resellers, including Intelligent Decisions, MTM Technologies and GovBuys.
The encryption products on the lists include Mobile Armor's Data Armor, SafeBoot's (acquired by McAfee for US$350 million in October) SafeBoot Device Encryption, Information Security's Secret Agent, SafeNet's SafeNet protectDrive, Encryption Solutions' Skylock At-Rest, Pointsec Mobile Technologies' Pointsec, Syprus' Talisman/DS Data Security Suite, WinMagic's SecureDoc, Credant Technologies' CredantMobile Guardian and GuardianEdge Technologies' GuardianEdge.
State and local government viewpoint
What's known as the data-at-rest encryption BPAs are also available for use by state and local governments. The Tennessee Department of Revenue is going its own way in adding encryption to its mobile laptops by deploying Entrust encryption software this fall.
"Our data is very confidential, and we have a mobile workforce of about 300 auditors and revenue officers who travel across the country as well as the state," says Don Derrick, director of information technology resources. "Our strategy is to encrypt these devices first."
The two Entrust software products, Entrust Entelligence Disk Security and Media Security, costs US$149 and $28 per licensee, respectively. The department cannot afford to give encryption software to all its employees, although the department now requires encryption to keep personal financial information protected on a mobile computers carried from place to place.
"This is our policy now, and if you're writing to a DVD or CD to be given to a citizen, any confidential data has to be encrypted there too," says Derrick. The citizen would get a password courtesy of Tennessee to decrypt the data.
While the agency didn't decide to deploy encryption specifically because of the VA data-breach incidents, Derrick acknowledges it's hard to forget them.
Data privacy regulations driving encryption
Other factors, chief among them compliance with regulatory requirements for banking, healthcare and credit-card processing, are driving encryption of sensitive information around the world.
Outside of government, banks have long been the most ambitious in the commercial sector in deploying encryption.
"We use PGP to encrypt sensitive data," says John Meakin, group head of information security at U.K.-based Standard Chartered Bank about encrypting mobile laptops for business travelers. "We have to satisfy regulatory requirements."
Continued: Data regulation
Related content:
Another data breach at Veterans Affairs
Data breach is not one-size-fits-all
Passport Online breach adds to privacy chief's audit list
icon.
