Technology: Encryption 101 - 'Implementation' (Page 4 of 5)
In planning your implementation, consider end-user acceptance, key management, and which data or media to encrypt.
No implementation project goes perfectly smoothly. And security projects can be difficult, not least because of the potential disruption to business processes. Experts agree that thinking about encryption implementation in three parts can help the effort along.
First of all, organizations have to determine what they need to encrypt. In April 2005, online brokerage firm Ameritrade suffered a painful black eye: The company that handled its backup tapes had lost two of them. Ameritrade was obliged to inform 200,000 current and former customers about the loss. Not wanting a second shiner, the company embarked on what CIO Jerry Bartlett calls "a very aggressive four-month schedule" to encrypt backup tapes from both Ameritrade and the newly acquired TD Waterhouse Group Inc.
Bartlett says the $1 billion, Omaha-based company (now TD Ameritrade Holding Corp.) opted to encrypt only backup tapes because, while the brokerage has "a robust risk-management strategy," the tapes were the weakest link.
While Bartlett won't specify all the details of the firm's risk-management policy, he says that when deciding on new encryption projects, his team considers the nature of the data, the risk that other precautions (such as firewalls) could fail, and the maturity of the technology. For example, the company opted to delay database encryption implementation for a year or two because Bartlett is waiting for the technology to become more robust and standardized.
Then there's the issue of key management - the need to make sure the right people have access to the right keys, and that the keys don't get into the wrong hands. Paul Kocher, president and chief scientist at Cryptography Research, points out that policies and technologies regarding keys represent the primary planning requirements in many encryption projects. "Encryption doesn't really completely solve any problem," he says. "It just turns a big problem - hiding data from prying eyes - into a smaller problem - keeping the key from prying hands."
Lost keys can render restoration of data impossible, and can be as big a catastrophe for an organization as a major security breach. Indeed, weak key management can render an entire encryption scheme useless. Organizations must determine how many and which corporate employees need to enter keys before data can be unencrypted. The decision requires a consideration of each user's need to know, how critical the data is, and other policy or technology protections already in place.
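One way to enforce the "how many and which employees" decision described above is to split the key so that any k of n custodians can rebuild it, which also means a single lost share does not make the data unrecoverable. The following is an added example, not from the article or from any company it names; it uses Shamir's secret sharing, and the function names, the 3-of-5 policy and the sample key are assumptions.

```python
import secrets

PRIME = 2**521 - 1  # Mersenne prime; the field must be larger than the key

def split_key(key: bytes, threshold: int, custodians: int):
    """Return one (x, y) share per custodian; any `threshold` shares rebuild key."""
    if not 2 <= threshold <= custodians:
        raise ValueError("need 2 <= threshold <= custodians")
    secret = int.from_bytes(key, "big")
    if secret >= PRIME:
        raise ValueError("key does not fit in the field")
    # Random polynomial of degree threshold-1 with the key as constant term.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    shares = []
    for x in range(1, custodians + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation mod PRIME
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares

def recover_key(shares, key_len: int):
    """Lagrange-interpolate at x = 0. Returns bytes, or None if the value
    cannot be a key of key_len bytes (the usual result of too few shares)."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate custodian shares")
    secret = 0
    for xi, yi in shares:
        num = den = 1
        for xj in xs:
            if xj != xi:
                num = (num * -xj) % PRIME
                den = (den * (xi - xj)) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret.to_bytes(key_len, "big") if secret < 256**key_len else None

if __name__ == "__main__":
    key = bytes(range(32))  # constructed 256-bit sample key
    shares = split_key(key, threshold=3, custodians=5)
    print(recover_key(shares[:3], 32) == key)                         # quorum present
    print(recover_key([shares[1], shares[3], shares[4]], 32) == key)  # two shares lost
    print(recover_key(shares[:2], 32) == key)                         # below quorum
```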
And finally, how easily will end users accept data encryption? While CIOs must take end users into account, few see it as a major challenge to encryption. In fact, not one manager in the Enterprise Strategy Group's security survey mentioned end-user resistance as an impediment.
Some encryption projects, such as backup tape, are completely transparent to end users. And while encrypting a database, application, server-file system or hard drive is a lot less transparent, most systems only require users to enter their username and password in order to receive a key - not an overly intrusive process. In this age of security concerns, end-user complaints are generally muted, not only by privacy laws and specific industry regulations, but also by a company's customer strategy, especially when mandated from the executive suite.
When Memphis-based Baptist Memorial Health Care Corp., a 14-hospital network in the Mid-South, decided to implement a combined port-protection and encryption solution from Safend and Kingston Technology Co. Inc., respectively, users only had to be read the HIPAA riot act in order to lower the decibel of their arguments. Still, Lenny Goodman, director of desktop management at Baptist, says he had to deal with some grumbling as well as legitimate concerns from both end users and managers.
The system prevents anyone from transferring data from any PC or laptop to any removable device except a USB flash memory product provided by Kingston. That means employees are no longer allowed to bring in "marginal" devices such as iPods, and they generally "knew intuitively not to complain," Goodman says.
Ask your business managers:
What data needs to be secured?
Ask your security team:
Are proper policies in place to manage the security of our keys, and which employees get which keys?