Laptop and 'edge' encryption
While encryption efforts focus on back-end and off-site storage tapes, Preston says fewer companies are implementing edge-level encryption methods, such as encrypting data on laptops. What's more, basic laptop encryption offers little protection.
"Most people use a Windows name and password. That becomes the key to encrypt the data. If someone actually stole your laptop to steal your data, that key would not stop them for very long," Preston says. A harder-to-crack, global key-management system for Windows exists as part of Microsoft's Active Directory infrastructure, "but not everyone uses it", he adds.
Laptop manufacturers like Lenovo Group are incorporating encryption capabilities into their systems, and Microsoft will add encryption capabilities to the upcoming Vista version of its Windows operating system.
Don't encrypt everything
When it comes to assessing what constitutes "sensitive" data, most companies will find that there are only 8 to 12 bits of information per record, on average, that need encryption, says Gartner's Ouellet. Depending on the type of business, this can include credit card information, financial records, health information, intellectual property documents or information about sexual orientation.
"Once you've identified what those bits are, you can choose what solution gives you the biggest carpet covering over the area," says Ouellet. He offers the example of a large retailer that performs online and telephone transactions and holds a lot of credit card information. Within the database, the most sensitive data should be protected.
"Pick the most sensitive fields and encrypt those. Don't encrypt everything, because you're going to kill the performance on the database or have other issues with searching and access," Ouellet says.
Also, keep track of sensitive data elements as they move throughout the process. "They go from one database to maybe a smaller database," Ouellet says. "Is there a way you can leverage centralized storage, like a NAS or SAN, where both databases store their information in the SAN? There's replicated data, but at least it can be protected using an encryption appliance."
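The field-level approach Ouellet recommends, as an added example that is not from the article: only the fields a data classification marks sensitive are encrypted, so the rest of the row stays plain and searchable. The cipher here is an HMAC-SHA256 keystream with a separate HMAC tag, a stdlib-only stand-in (an assumption of this example; a real deployment would use an authenticated cipher such as AES-GCM from a vetted library); the field set and sample record are constructed.

```python
# Added example: encrypt only classified-sensitive fields of a record.
import hashlib
import hmac
import os

SENSITIVE_FIELDS = {"card_number", "ssn"}  # assumed classification outcome

SAMPLE_RECORD = {  # constructed sample row, not real data
    "customer_id": "C-1001", "name": "A. Customer", "email": "a@example.com",
    "card_number": "4111 1111 1111 1111", "ssn": "000-00-0000",
}

def _subkey(master: bytes, label: bytes) -> bytes:
    # derive separate encryption and authentication keys from one master key
    return hmac.new(master, label, hashlib.sha256).digest()

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]

def encrypt_field(master: bytes, plaintext: str) -> str:
    nonce = os.urandom(16)  # fresh per value; a nonce must never repeat under one key
    data = plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(_subkey(master, b"enc"), nonce, len(data))))
    tag = hmac.new(_subkey(master, b"mac"), nonce + ct, hashlib.sha256).digest()
    return (nonce + ct + tag).hex()

def decrypt_field(master: bytes, token: str) -> str:
    raw = bytes.fromhex(token)
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    expected = hmac.new(_subkey(master, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # reject modified ciphertext before use
        raise ValueError("field ciphertext failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(_subkey(master, b"enc"), nonce, len(ct)))).decode()

def protect_record(master: bytes, record: dict) -> dict:
    # only sensitive fields change; customer_id, name and email stay plaintext
    return {k: encrypt_field(master, v) if k in SENSITIVE_FIELDS else v for k, v in record.items()}

def reveal_record(master: bytes, record: dict) -> dict:
    return {k: decrypt_field(master, v) if k in SENSITIVE_FIELDS else v for k, v in record.items()}

def find_by_email(records: list, email: str) -> list:
    # lookups on the unencrypted column work on stored rows without any decryption
    return [r for r in records if r["email"] == email]
```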
Few shortcuts for persistent encryption
Although encryption strategies exist for laptops, databases and backup tapes, transferring encrypted data from one storage level to the next remains a sticking point. In most cases, data must be decrypted and re-encrypted as it travels from one resting place to another.
"There are some solutions that bridge a couple of the different areas, such as laptop encryption and e-mail," Ouellet explains. "But as far as persistent encryption across the network -- not right now."
A few vendors, including RSA Security and nCipher, offer key management software that can exchange keys between applications from the same vendor. But that technology is in its infancy, Ouellet says.
Enterprise digital rights management (DRM) technologies have the potential to streamline this process. DRM offers persistent encryption and security, with the permitted activities defined as part of the file itself. "There's a tag that's assigned to the file. If I want to view or print the file, I have to validate that I have the proper access rights for that activity," Ouellet says. DRM becomes even more important if companies need to distribute protected documents beyond the enterprise. Microsoft and Adobe Systems are developing DRM products. Adobe plans to ship its LiveCycle Policy Server in the third quarter of this year.
"In five years, DRM is going to be the most pervasive way to protect your data," Ouellet says. "Until then, there is no hybrid right now that covers everything. You're going to have different areas that are covered with different types of technology."