Enterprise Encryption

July's CIPS Vancouver Security SIG meeting was a panel discussion on encryption in the enterprise. Panels can be dodgy, so I really wasn't sure it would be worth the trip. It was.

The panel consisted of representatives from Bell Corporate Security, BC Ministry of Attorney General, Bell Alliance Lawyers & Notaries Public, Accenture Business Services and the Vancouver City Police. In spite of the diverse group, there was a clear consensus on most of the issues.

Some takeaway points that won't run afoul of non-disclosure:

  • Enterprise encryption is hard and costs money; don't do it unless you have to
  • If you go ahead, all of the stakeholders need to be at the table, right down to the people maintaining the hardware
  • Credit card companies have become a big driver for encryption in the enterprise
  • Physical theft of systems with confidential information, especially around notebooks but also desktop computers in remote locations, is another driver
  • The biggest challenge is certificate management and the associated infrastructure and process
  • On a small, non-enterprise scale there are some easy wins. Laptop hard drive encryption and SSL were given as examples.
  • No one will tell you how much you have to bleed to make the technology work.