Gartner Blog Network

Encryption Won’t Always Save You, but it Certainly Will Cost You

by Ramon Krikken  |  June 20, 2012  |  1 Comment

I have encryption on my mind again a lot lately. It certainly has something to do with work in progress for presentations I’m giving at our Catalyst 2012 conference (“Protecting Data in the Public Cloud: Encryption, Obfuscation, or Snake Oil?” and “Scenarios: Encryption, Tokenization, Anonymization, or None of the Above”). But it’s also because I’m seeing an increase in talk about encryption in general. Not just interest, but a real push for encrypting data as much and often as possible.

Although I can understand the occasional article referring to LinkedIn’s passwords as “lightly encrypted,” I really do not have much sympathy for experts prescribing encryption for most security ailments … especially because it’s often discussed without fully weighing its side effects (increased risk of data destruction and an empty wallet being two of the more prevalent). And in some cases these side effects are definitely worse than the cure.

A case in point: lately I’ve been getting a lot of customer questions about encrypting data in applications and databases. When I ask why they want to encrypt, the answer is often that someone (e.g., a business partner or auditor) tells them it’s “required by regulation” or “best practice.” Although regulations do mention encryption, very few – if any – can be said to mandate it, especially inside the data center. And whether it is a best practice – even though some data shows fairly significant adoption of database encryption – is certainly up for discussion in my book.

Lucky for us, encrypting applications and databases isn’t exactly cheap and sticker shock usually leads to re-assessment. But even when a team is convinced they should implement such encryption, asking the question “who and what are you trying to protect from / have you performed a threat assessment?” is often met with silence. We end up discussing the limitations of encryption and may well come to the conclusion that the investment (implementation as well as ongoing management costs) might be better spent on different preventative controls (e.g., finer-grained access control) or altogether different types of controls (e.g., activity monitoring). In short:

  • Don’t encrypt data unless you have to or unless it provides appropriate protection for a given use case.

But one thing is almost certain for the foreseeable future: overcoming a perception that encryption is always the primary control choice is difficult at best.

For those who want to evaluate whether encryption is an appropriate control, my recently published “Solution Path: Choosing and Implementing Encryption” [subscription required] discusses how to approach encryption from an architectural / planning perspective, and incorporates the above advice.


Category: security  

Tags: application-encryption  application-security  catalyst-na  data-masking  database-encryption  database-security  encryption  snake-oil  tokenization  

Ramon Krikken
BG Analyst
2 years at Gartner
15 years IT industry

Ramon Krikken is a Research VP on the Gartner for Technical Professionals Security and Risk Management Strategies team. He covers software/application security; service-oriented architecture (SOA) security; structured and unstructured data security management, including data masking, redaction and tokenization...

Thoughts on Encryption Won’t Always Save You, but it Certainly Will Cost You

  1. Great insight Ramon. I work with DigitalPersona and we get the question about encryption on the end point frequently. But when we drill down on the topic with customers, what they really want is more cost-effective layers of authentication and access control. When they find out what it takes to deploy and manage desktop encryption, they often decide that the cost in time and money is not worth the headache. – Majhon Phillips for DigitalPersona
