Data privacy regulations driving encryption

Other factors, chief among them compliance with regulatory requirements for banking, healthcare and credit-card processing, are driving encryption of sensitive information around the world.

Outside of government, banks have long been the most ambitious in the commercial sector in deploying encryption. "We use PGP to encrypt sensitive data," says John Meakin, group head of information security at UK-based Standard Chartered Bank about encrypting mobile laptops for business travelers. "We have to satisfy regulatory requirements."

These include the European Union Data Protection Directive, Japan's Personal Information Privacy Act, and Canada's Personal Information Protection and Electronic Documents Act. In the United States, the well-known drivers are the Health Insurance Portability and Accountability Act and the Sarbanes-Oxley Act.

"There are many state and federal regulations we have to comply with, such as Sarbanes-Oxley and HIPAA," says Helen Thompson, CIO at Heartland Health. The hospital makes use of encryption to ensure that patient information shared with health-insurance companies via the Internet is encrypted using either PGP or Microsoft Windows encryption.

Oftentimes companies adopt the approach of encrypting outgoing e-mail at the gateway.

Career Education, which operates 80 post-secondary schools in the United States, Europe and the Middle East, now deploys the PGP Universal Encryption Gateway for encrypting outbound e-mail containing sensitive information in student records.

The sensitive information is detected by the Vontu data-leak-prevention gateway after the IronPort mail filter checks for authorized routes, and if the e-mail needs to be encrypted, it's sent to the PGP Universal Encryption Gateway. "This is all part of our privacy initiative," says Michael Gabriel, chief information security officer at Hoffmann Estates, Ill.-based Career Education.

The Payment Card Industry Data Security Standard is a set of security requirements for organizations accepting credit- and debit-card payments. One of the requirements specifically requires encryption of card data, and its effect is spurring ever-greater use of encryption.

"If you don't adhere to PCI, you risk fines against you, and you wouldn't be able to accept credit cards," notes Gavin Woolnaugh, infrastructure manager at UK-based AirMiles, which has deployed Ingrian Networks point-to-point appliances for encrypting credit cards.

Drawbacks to encryption?

PGP Director of Product Management John Dasher says the main barrier to encryption use over the years has been finding methods to exchange public encryption keys easily with large numbers of people outside the organization, such as business partners. Keys are used to encrypt and decrypt information.

The approach PGP has taken is to make its key look-up function automatic through a global directory. "We have hundreds of thousands of entries in it now," he says.

"Just encrypting data is not the hard part," says Paul Kocher, president and chief scientist at Cryptography Research, the San Francisco-based firm for design and analysis of security systems, who says the Advanced Encryption Standard is the most popular cryptography algorithm used in business today. "How do you decide how to regulate who should have access to keys? The strength of an encryption system is only as strong as the key."

Some security vendors argue encryption can actually be viewed as a threat, too.

"Encryption could be used as a way to mask bad behavior," says Tom Bennett, vice president of marketing at Oakley Networks. "There should be a mechanism to monitor if someone is using encryption as a way to hide something."

Oakley's endpoint-monitoring software can be used to determine if a very sensitive file is being encrypted in violation of the corporation's security policy. "If a CAD file is encrypted and sent out early one morning, we'd be able to replay that event and reconstruct what happened," Bennett says.