Encryption on way, but keep it secret

By Mike Rothman, Network World
June 19, 2006 12:04 AM ET

I have a long and tattered history with cryptography. Ever since I learned about Bob and Alice I was smitten. I knew it was important because cryptographic algorithms could be used to protect sensitive data and provide strong authentication and nonrepudiation on transactions. I even started a company in 1998 to make the public-key flavor of cryptography easier to use.

Yet at every turn, customers voted with their dollars to prove encryption and public key cryptography were just not interesting. It was too hard to use, too expensive and too much work to integrate into the infrastructure. The folks who pioneered the space did themselves a huge disservice by talking about the underlying mathematics of cryptography. Though meant to prove the security of the technology, it had the effect of scaring everyone away.

But the game is not over, and encryption will have its day in the sun. Encryption has always been one of those weird cousins who show up at all the family functions. You're not really sure why they keep showing up because no one really talks to them. Then one day, they blossom and find their voice. They are cool, and you are glad they are part of the family.

The fact is that customers need encryption. One of the top imperatives (if not the top imperative) of most CIOs today is to protect private data. If you don't, you'll be in hot water with the regulators and your customers. To complicate matters, lawyers increasingly are itching to sue your pants off for the emotional distress you caused by not taking proper care of private information.

By scrambling up the data as it rests in databases, file stores and e-mail systems, you will be OK - even if a laptop is lost. If your favorite shipping company loses a backup tape, no worries - the data is encrypted. If the National Security Agency is sitting there with a big packet sniffer, not a problem - they can't decipher anything. There will come a time when we think back to those crazy days when data was stored in the clear, but it won't be for a while.

Examining the single instance of mass-market encryption success - SSL - is very instructive in how to solve the problem of perceived complexity. You are a network or security professional, so you probably know SSL involves public key cryptography. But do you care? Of course not - you get the lock in your browser and all is well, right? The point is transparency. No one knew or cared what made SSL work. What we need is an encryption utility that works all the time. Customers don't want to worry about key management. They don't want to get poked in the eye when they can't recover encrypted data off a backup tape. They can't afford to add more help desk resources when folks lose a key ring. It needs to be there and be transparent.

Clearly we're not there yet. There is still infrastructure to buy (or rent). There are still keys to manage and users to train. But we are making progress. Encrypting sensitive outbound e-mail is pretty much transparent. The user never even knows the message is sent securely. Database encryption done right has no impact on the applications that the user sees. Done wrong, it's a train wreck - but that's a topic for another day.
