Tuesday, February 3, 2009

Heartland and end to end encryption

Interesting to note that Robert Carr, CEO of Heartland is now calling for end to end encryption. In his words...

"I believe the development and deployment of end-to-end encryption will provide us the ability to implement increasing levels of security protection as they become needed"

How this encryption will be implemented is another story - do we go with one product to protect data at rest (not one but one for each device!), one for networks, etc? I think this is a bad move - each time you move sensitive data from one device/network to another, you go through a decrypt/encrypt cycle - and guess what happens when you decrypt?

I think only a data or information-centric approach to data protection can truly give you this end to end protection for data. Protect your data once, the protection remains with the data wherever it goes - is this not what you really want?


GovernmentSecurity.org said...

So now the CEO with one of the largest failures in financial information security has decided to grace us with his infinite knowledge. I find it a bit laughable. Also the fact that he thinks that end to end encryption would have any effect on preventing the breach in his own company worrisome. His own network was compromised and it wasn't from a failure of encryption.

Manu Namboodiri said...

Agreed that the Heartland network was compromised. However, I think in these days, you have to assume that your network will be compromised and figure out how you can protect data even so, possibly with encryption.

End to end encryption is a very hard thing to do by just trying to protect the infrastructure - I don't think it can be done cost effectively or without putting up hardships in normal user work flows. They have to think information-centric, i.e. protect the data not just the infrastructure to really achieve this.