Small Business Defense – Encryption

I think we can probably all agree that the right way to deal with yesterday’s attack is to build a system where only the right and trusted individuals have access to sensitive data. I think we can probably also agree that this will never happen in your average small business. Rearchitecting your data storage system, doing data classification and identifying user roles is just too much work, and any project that requires that much churn and does not impact the bottom line will never get approved.

So, let’s accept the reality that you’re not going to follow my advice and you are fully committed to an insecure paradigm. How can you minimize your losses?

They key here is to look for a system that allows your data to be readable by the right people, and unreadable by the wrong people. Naturally, this means encryption. There are a lot of encryption solutions out there. Lots of people will tell you that theirs is better than the others. Some will throw bit length at you, some will talk algorithms, some will focus on speed.

None of this should matter to you.

You want a solution to a problem, not a fight over mathematical intricacies, so here’s the deal.

• The system has to be publicly verified. If the word “proprietary” appears anywhere in the marketing material, it has probably been unverified and is too weak to use.
• The system should be inexpensive. If you have to count where you’re using it and pay accordingly, you won’t use it everywhere you need to.
• The system should handle key management. If an attacker can get the key to unlock the data, you’ve lost.  If the valid users lose the key to unlock the data, you’ve lost.

That’s it.  Three simple rules.  Nothing else matters, because right now you don’t have encryption technology in place so any encryption technology that you deploy will be a win.  Don’t spin your wheels picking solutions.  Get a list together, throw out everything that doesn’t fit these three rules and randomly pick one of the very few solutions remaining.

Then, after you’ve used it for a year or three, you should know enough about encryption to pick a solution that truly matches your business needs.  Best of all, you won’t be out much money and you won’t have lost much data during the learning process.

As a quick note to get you started, TrueCrypt is free and can encrypt entire hard drives and GnuPG is free and can do a lot (it can be hard to use though). On the commercial side, PGP has a 30 day free trial, after which is cripples itself. It’s still usable, but not quite as usable as it used to be.