What should you do if you can't realistically encrypt everything, like many people are interpreting many of the security regulations to say? |
 |
| 14 Mar 2007 | Kevin Beaver |
|
|
((Content component not found.)) Bottom line: Don't do it. You have to look at the security vulnerabilities in your own environment, determine what is at risk, decide just what you're trying to protect and follow the security/compliance laws and regulations pertaining to your own industry. Then, make informed decisions based on your specific needs and situation. Don't encrypt just because some auditor tell you that it's a best practice. Don't encrypt because a compliance manager says that it's the only way to secure everything. We all know that's not true, especially in back-end storage, such as large SAN/NAS environments -- you can typically encrypt some key storage assets, but it's just not realistic to encrypt everything.
When I'm performing security assessments, I do see several situations where storage systems or devices are at risk; mainly with laptops and mobile storage devices. We've all heard stories about laptops being stolen where the hard drive wasn't encrypted. Then the information is compromised. Passwords (if they're used) can be reset or circumvented easily enough with readily available hacking tools. Ultimately, laptops are often one of the biggest security problems that an organization must face, along with PDAs, smart phones and other external drives. Encryption at the laptop or mobile device level can prevent a security breach even when the storage device is lost or stolen.
Listen to the Storage Security FAQ audiocast here.
Go to the beginning of the Storage Security FAQ Guide.
|
|
|
|
