Encryption? Give it a rest

Everybody knows that it's easier to hit a stationary target than a moving one, yet considerable resources are being used to encrypt data in motion.

Any hacker can tell you that data 'at rest' is much easier to get at, yet security effort is being aimed at the wrong place: complex, costly encryption schemes for data in motion.

I recently watched a popular technology TV show that explained how Ethernet delivers every frame sent between two computers to all the other computers on the same segment, so that a hacker running a sniffer (software that captures network traffic) on any of them can read other users' data.

That was true of shared-medium Ethernet, the coaxial and hub-based networks in use before switching took over in the mid-1990s, but today most enterprises move data over switched networks. A switch forwards each frame only to the port on which it has learned the destination address, so the other attached devices never see it. That is a forwarding optimisation rather than a security guarantee, though: a switch still floods frames for addresses it has not learned, and an attacker on the same network can put himself back in the path with ARP spoofing or by overflowing the switch's address table.

This foils most sniffer-based attacks mounted from outside the corporate data centre. If the hacker is inside the data centre, you have a very serious and very different problem: with access to the server itself he or she can load the sniffer there and read the traffic before it is encrypted or after it is decrypted, and no amount of transport encryption helps with that.

The amount of resources put into encrypting data travelling over the network seems disproportionate.

For example, iSCSI, which carries SCSI block-storage commands over TCP/IP, specifies IPsec to protect the connection, so that a hacker with a sniffer sees only encrypted packets rather than the contents of the blocks being read and written.

But the hacker's hard problem is getting into the path at all, and on a switched network that is far from trivial. Picking the right packets out of the thousands per second on a segment is not the obstacle: a sniffer captures everything and filters afterwards, iSCSI traffic announces itself on a single TCP port (3260), and once the packets are in hand the block data can be lifted out of the protocol headers mechanically.
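To make the 'which packets' step concrete, here is an added example in Go, written for this edit and not taken from the column or from BlueArc. It filters a constructed capture down to the iSCSI port and walks the 48-byte Basic Header Segment of each PDU to recover the bytes an initiator wrote. The Segment type, the capture contents, the task tag and the account records are all made up for the illustration; the parser assumes the RFC 3720 defaults of no header or data digests and a stream that has already been TCP-reassembled.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// Segment is one captured TCP segment (constructed here; pcap plus TCP reassembly in practice).
type Segment struct {
	DstPort uint16
	Payload []byte
}

const (
	iscsiPort     = 3260 // IANA-registered iSCSI port
	opSCSICommand = 0x01 // RFC 3720 opcodes live in the low six bits of BHS byte 0
	opDataOut     = 0x05
)

// PDU is what the 48-byte Basic Header Segment and the data segment give us.
type PDU struct {
	Opcode uint8
	ITT    uint32 // initiator task tag: links Data-Out PDUs to their command
	SCSIOp uint8  // first CDB byte (meaningful for SCSI Command PDUs only)
	Data   []byte // data segment: immediate data or Data-Out payload
}

// parsePDUs splits a reassembled iSCSI stream into PDUs (RFC 3720 defaults: no header or data digest).
func parsePDUs(stream []byte) ([]PDU, error) {
	var pdus []PDU
	for off := 0; off < len(stream); {
		if len(stream)-off < 48 {
			return pdus, fmt.Errorf("truncated BHS at offset %d", off)
		}
		bhs := stream[off : off+48]
		ahsLen := int(bhs[4]) * 4 // TotalAHSLength is counted in 4-byte words
		dsLen := int(bhs[5])<<16 | int(bhs[6])<<8 | int(bhs[7])
		total := 48 + ahsLen + (dsLen+3)&^3 // data segment is padded to a 4-byte boundary
		if off+total > len(stream) {
			return pdus, fmt.Errorf("truncated PDU at offset %d", off)
		}
		p := PDU{Opcode: bhs[0] & 0x3f, ITT: binary.BigEndian.Uint32(bhs[16:20]), SCSIOp: bhs[32]}
		start := off + 48 + ahsLen
		p.Data = append([]byte(nil), stream[start:start+dsLen]...)
		pdus = append(pdus, p)
		off += total
	}
	return pdus, nil
}

// extractWrites is the whole "which packets" step: keep port-3260 segments, then gather what the initiator wrote, keyed by task tag.
func extractWrites(capture []Segment) (map[uint32][]byte, error) {
	var stream []byte
	for _, s := range capture {
		if s.DstPort == iscsiPort {
			stream = append(stream, s.Payload...)
		}
	}
	pdus, err := parsePDUs(stream)
	if err != nil {
		return nil, err
	}
	writes := map[uint32][]byte{}
	for _, p := range pdus {
		if p.Opcode == opDataOut || (p.Opcode == opSCSICommand && p.SCSIOp == 0x2a) { // 0x2a = WRITE(10)
			writes[p.ITT] = append(writes[p.ITT], p.Data...)
		}
	}
	return writes, nil
}

// buildPDU assembles a minimal PDU for the constructed sample below.
func buildPDU(opcode uint8, itt uint32, cdb, data []byte) []byte {
	bhs := make([]byte, 48)
	bhs[0], bhs[1] = opcode, 0x80 // F (final) bit
	bhs[5], bhs[6], bhs[7] = byte(len(data)>>16), byte(len(data)>>8), byte(len(data))
	binary.BigEndian.PutUint32(bhs[16:20], itt)
	copy(bhs[32:48], cdb)
	return append(append(bhs, data...), make([]byte, (len(data)+3)&^3-len(data))...)
}

// SampleCapture is made up: an HTTP segment mixed in, then a WRITE(10) carrying immediate data and a Data-Out PDU for the same task.
func SampleCapture() []Segment {
	write10 := []byte{0x2a, 0, 0, 0, 0x10, 0, 0, 0, 0x08, 0, 0, 0, 0, 0, 0, 0} // LBA 0x1000, 8 blocks
	return []Segment{
		{80, []byte("GET / HTTP/1.1\r\n\r\n")},
		{iscsiPort, buildPDU(opSCSICommand, 0x2a, write10, []byte("ACCT=4455,BAL=1200.50;"))},
		{iscsiPort, buildPDU(opDataOut, 0x2a, nil, []byte("ACCT=4456,BAL=83.00;"))},
	}
}

func main() {
	writes, err := extractWrites(SampleCapture())
	for itt, data := range writes {
		fmt.Printf("task 0x%x wrote %q\n", itt, data)
	}
	fmt.Println("parse error:", err)
}
```

There is nothing exotic here: it is the same header walk an iSCSI target performs on every PDU, and a general-purpose sniffer with a display filter does the port selection for you. Run it and the task tag prints beside the data written under it. With IPsec ESP on the connection the same filter yields only ciphertext, which is precisely what the transport encryption buys.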

It is much easier for the hacker to get to the data when it is resting on a device such as a server.

Compromising a standard server is easier still: locating the data and copying it out to a location the hacker controls takes less work than reconstructing it packet by packet.

The lack of focus on encrypting data at rest is surprising. With all the attention being paid to encrypting data in motion, what we need is software that puts keys on workstations and servers, so that only trusted users working from trusted workstations can unlock the data.

This would raise the security bar and foil remote hacking attempts: a copy of the data lifted from a server is useless without keys that are held elsewhere. In most cases, adding further encryption of data in motion is unlikely to help as much.
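One way to build the 'trusted user on a trusted workstation' requirement described above, as an added example in Go that is neither BlueArc's software nor any product's file format: the file is encrypted under a random data key, and that key is wrapped separately for each permitted (user, workstation) pair under a key derived from the user's credential and a per-workstation secret, neither of which the server stores. The Grant and Sealed types, the user@workstation naming, the HMAC-SHA256 derivation and the payroll record are all assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

type Grant struct { // one permitted (user, workstation) pair and the secret each side holds
	User, Workstation    string
	UserSecret, WSSecret []byte // user credential; per-machine secret (ideally TPM-held)
}

type Sealed struct { // the file as stored on the server, which holds no unwrapping secret
	Blob       []byte            // nonce || AES-256-GCM ciphertext
	WrappedKey map[string][]byte // "user@workstation" -> nonce || wrapped data key
}

// accessKey combines the two secrets; HMAC-SHA256 stands in for a real KDF (slow hash + HKDF).
func accessKey(userSecret, wsSecret []byte) []byte {
	m := hmac.New(sha256.New, wsSecret)
	m.Write(userSecret)
	return m.Sum(nil)
}

func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // every key here is 32 bytes, so this cannot fail
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return aead
}

// sealBlob returns nonce || ciphertext under a fresh random nonce.
func sealBlob(aead cipher.AEAD, plaintext, aad []byte) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, plaintext, aad)...), nil
}

func openBlob(aead cipher.AEAD, blob, aad []byte) ([]byte, error) {
	if n := aead.NonceSize(); len(blob) >= n {
		return aead.Open(nil, blob[:n], blob[n:], aad)
	}
	return nil, fmt.Errorf("blob too short")
}

// Encrypt seals plaintext under a random data key and wraps it once per grant, with the principal name as AAD.
func Encrypt(plaintext []byte, grants []Grant) (*Sealed, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	blob, err := sealBlob(newGCM(dataKey), plaintext, nil)
	if err != nil {
		return nil, err
	}
	s := &Sealed{Blob: blob, WrappedKey: map[string][]byte{}}
	for _, g := range grants {
		id := g.User + "@" + g.Workstation
		wrap := newGCM(accessKey(g.UserSecret, g.WSSecret))
		if s.WrappedKey[id], err = sealBlob(wrap, dataKey, []byte(id)); err != nil {
			return nil, err
		}
	}
	return s, nil
}

// Decrypt releases the data key only when both secrets match a grant; otherwise GCM authentication fails.
func Decrypt(s *Sealed, user, ws string, userSecret, wsSecret []byte) ([]byte, error) {
	id := user + "@" + ws
	w, ok := s.WrappedKey[id]
	if !ok {
		return nil, fmt.Errorf("no grant for %s", id)
	}
	dataKey, err := openBlob(newGCM(accessKey(userSecret, wsSecret)), w, []byte(id))
	if err != nil {
		return nil, fmt.Errorf("key release refused for %s: %w", id, err)
	}
	return openBlob(newGCM(dataKey), s.Blob, nil)
}

func main() {
	alice := Grant{"alice", "ws-finance-01", []byte("alice-credential"), []byte("ws-finance-01-secret")} // constructed
	s, err := Encrypt([]byte("Q3 payroll: ACCT=4455,BAL=1200.50"), []Grant{alice})
	if err != nil {
		panic(err)
	}
	pt, err := Decrypt(s, "alice", "ws-finance-01", alice.UserSecret, alice.WSSecret)
	fmt.Printf("trusted pair: %q err=%v\n", pt, err)
	_, err = Decrypt(s, "alice", "ws-finance-01", alice.UserSecret, []byte("stolen-laptop")) // no workstation secret
	fmt.Println("untrusted workstation:", err)
}
```

What sits on the server, Blob plus WrappedKey, is exactly what a remote intruder who copies the file gets, and it is opaque without both secrets; the same user presenting the right credential from a machine that lacks the workstation secret is refused at the key-release step. The example also shows the cost the column glosses over: every permitted pair needs its own wrap, and rotating either secret means re-wrapping.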

Geoff Barrall is chief technology officer at BlueArc.