
The ‘golden age’ of encryption?

AFP-JIJI

Investors are pumping millions of dollars into encryption as unease about data security drives a rising need for ways to keep unwanted eyes away from personal and corporate information.

Major data breaches at Target and other retailers have made data security a boardroom issue at companies large and small. And stunning revelations of widespread snooping by U.S. intelligence agencies have also rattled companies and the public.

For venture capital, that has opened up a new area of growth in the tech business.

In February, Google Ventures led a $25.5 million round of venture funding for Atlanta-based Ionic Security, a 3-year-old company that works on encryption — the scrambling of data before it is shipped or stored.

Other encryption companies, including Toronto-based PerspecSys and San Jose, California-based CipherCloud, have announced major funding rounds.

The funding rush could herald a “golden age” of encryption, as one expert puts it. But the industry also faces barriers to a tool that until recently was not a hot commodity.

Concerns about encryption range from practical challenges, such as the difficulty people have when searching for something in their encoded data, to government opposition toward privacy technology.

“People are afraid of it because they don’t understand it,” said John Kindervag, a vice president and principal analyst at Forrester Research. But he called the wider use of encryption “inevitable, because there’s no other way to solve the problem.”

Kindervag said the industry is between one and two years away from “some big revolutions” in the field. “It just needs to happen,” he added.

But Venky Ganesan, a managing director with venture capital firm Menlo Ventures, believes major advances are further off.

“Encryption slows down,” Ganesan said. “Just imagine if every room in your house was locked and you had to open and close it every time you go in. You would be frustrated.”

  • phu

    This is asinine… computer cryptography is not so archaic that it comes anywhere close to the door metaphor. My hard drives and phones are encrypted; using this type of encryption typically requires entering a passphrase when the operating system starts (or even just logging in successfully).

    There is little or no practical difficulty in searching encrypted volumes. In fact, as far as the end user is concerned, it’s almost always transparent — and, when it’s not, it’s typically either poor user interface design or it’s BY design, intended as such by the software creator(s).

    The accurate and relevant point here is that governments and major corporations are strongly and sometimes successfully opposing (and in some cases undermining) good encryption practices. It’s worth noting, however, that normal users typically simply are not sophisticated enough to seek out, choose, and effectively utilize crypto solutions. Not only that, it’s been shown repeatedly recently that the most popular “secure” services and methods are often the best-marketed, NOT the safest, and can be both opaque and ineffective.

    • Ebenizer Froggybottom

      Tell that to a guy who thinks his CD-ROM is a cup holder.

      • phu

        I’m not sure what you’re disagreeing with. The user you describe pretty obviously falls into the “not sophisticated enough” category, and the fact that there are users who have absolutely no idea what’s going on with their computers doesn’t make cryptography inaccessible by definition, any more than people who don’t know how to drive make cars impossible to use.

    • heterodox

      This sentence:

      “[N]ormal users typically simply are not sophisticated enough to seek out, choose, and effectively utilize crypto solutions.”

      Should read:

      “Current crypto solutions are too complicated and inconvenient for normal users to seek out, choose, and effectively utilize.”

      • phu

        To a point, I believe both my statement and yours are true. I don’t see why they would be mutually exclusive; even the best-designed software is opaque to many users who only tolerate computers because they’re hard to avoid and make little if any effort to understand them.

  • Ulf Mattsson

    Among the myriad lessons from the Target breach, perhaps the most important is that “Compliance” does NOT equal Security. Target was certified as compliant according to all applicable regulations, and was discovered after the fact to have failed to meet many of the requirements.

    So how did this happen?

    - First, compliance is often used as a guide to the least possible amount of security necessary to comply.

    - Second, regulations are based on best practices to provide a baseline of security for past threats, not a solution to maximize security for the future.

    - Security auditors often come in selling a solution, rather than looking for a problem.

    - In other cases, auditors are paid to come in and find what they’re told to find by the very company they’re supposed to be assessing!

    - Many companies rely on access controls and firewalls for security, even though they consistently fail to prevent breaches.

    - Monitoring approaches like SIEM solutions are fogged by noise and usually find evidence only after a breach has already occurred.

    Many of the failures of data security today can be directly attributed to the negligence or ignorance of best practices for protecting data. The answer lies in independently verified solutions that protect the data itself.

    Decoupling the assessment from the solution is vital to an unbiased audit.

    I think that cyber insurance should play a bigger role in this scenario. The insurance premium level should be related to the types of security controls that the merchant implements. The insurance premium could reflect the quality of the security solution and that of the auditing performed.

    In addition, if breaches cannot be wholly prevented or detected in real time, then the data must be secured to the point that it is useless to a potential thief. Modern solutions such as tokenization provide better security than encryption, while retaining usability for analytics and monetization.

    Studies have shown that users of data tokenization experience up to 50% fewer security-related incidents (e.g. unauthorized access, data loss, or data exposure) than non-users.

    With an objective system to verify security in place, and a strong solution to actually protect data rather than building walls around it, companies can be assured that they are actually secure, rather than just ticking a compliance checkbox.

    Ulf Mattsson, CTO Protegrity

  • Ebenizer Froggybottom

    People don’t understand computers, period. It is evolving so fast, it is impossible for the lazy (most people) to catch up. 5 years ago, I talked to a person who thought his CD-ROM player was a cup holder; I wonder what that person will have to say about encryption today.