Who's minding the data store?
Experts say encryption is a good idea for sensitive data at rest . . . and on the move.
By Michele Hope, Network World, 08/15/2005
Encrypting e-mail is a good start, but it doesn't address the security of data sitting on servers and back-up systems. And it doesn't protect data being transported to offsite back-up facilities, a lesson several companies
learned the hard way this year when their tapes containing sensitive customer information were lost in transit.
That is one reason many analysts recommend that companies encrypt sensitive data wherever it sits on the network. According
to Gartner analyst Rich Mogull, encryption makes sense for backup tapes, laptops, PDAs or other portable storage media containing sensitive information, as well as credit card numbers stored in databases.
Losing tapes is nothing new, says Dave Ellard, senior vice president of corporate development at GlassHouse Technologies.
"We've been moving and losing tapes for 30 years, but we never had to issue press releases before when we lost a tape."
In other words, the key difference today is regulations. Privacy regulations include legislation that either strongly encourages
some form of encryption of sensitive data or, as is the case with the credit card industry's latest Payment Card Initiative
(PCI) standard, formally prescribes the use of encryption.
Then there's California Senate Bill 1386, which requires that companies publicly disclose instances where they believe unencrypted
personal information about California residents might have been compromised. The bill has led many companies to believe that
encryption could keep them out of the headlines.
A 2004 Gartner report predicted that by the end of 2007, 80% of Fortune 1000 companies would encrypt most of their critical
data at rest. "We've since updated this assumption and now predict that by the second quarter of 2006, 85% of large enterprises
will have initiated encryption projects," Mogull says.
Slow on the uptake
Yet statistics on the current state of encryption show surprisingly low adoption rates. Research conducted by the
Enterprise Strategy Group (ESG) showed that 60% of respondents never encrypt back-up data going to tape (see graphic, below).
A March report on database security by Noel Yuhanna, a senior analyst, also showed only four of the 24 companies surveyed
used encryption of data at rest (see graphic, right).
Jon Oltsik, an ESG analyst, says companies underestimate the potential risk of a data breach and overestimate the amount of
work and cost required to encrypt tapes. He also acknowledges that the sheer number of ways to encrypt data at rest contributes
to slow adoption.
Chuck Hollis, vice president at EMC, says the decision about what data to encrypt should stem from a data classification exercise. "If I had just one application
that talked to credit card data, I might make the case of having that application encrypt the data. If all applications do
that . . . you might want to go with a [storage-area network] encryption alternative," he says.
Other encryption hurdles include issues of management and potential performance. Oltsik says performance has been addressed
by hardware-based encryption appliances from Decru, NeoScale and Kasten-Chase, which encrypt data as it is being backed up
to a tape.