Encryption is a hot topic these days. I write about both encryption and physical security on this blog, and some people find this curious. I believe there is a good deal of overlap in these two topics, however. This post will discuss encryption versus physical security, and why each matters in protecting data.
Encryption Versus Physical Security
Bottom line up front: encryption is a LAST RESORT for protecting data-at-rest! As privacy- and security-focused people, we all love encryption. Encryption is fun. It gives us a feeling of control over our data. Encryption is an active step we can take, and something to tinker with. And good encryption with strong authentication works, and you should use it. But encryption is – or should be – secondary to physical security. This is because encryption doesn’t actually become a factor until your data have left your physical control.
How do you give up physical control? There are a number of ways we all give up some measure of control every day. If you leave your home unoccupied, the computers, hard disks, flash drives, and other media there are at least somewhat susceptible to theft. I constantly see students leave computers in conference rooms during lunch breaks. Even I am occasionally guilty of leaving my computer in my hotel room when heading out for dinner. There are some instances when maintaining physical control of your devices may be impossible: arrest, incapacitation, etc. There is also another way we surrender physical control of data: by placing it in motion.
Encryption & Data-in-Motion
Encryption takes on a whole new importance when we think of data-in-motion. Data-in-motion is essentially data over which we have decided to give up physical control. We all put data-in-motion by sending it via email, uploading it, downloading it, etc. This necessitates using hardware that we don’t control. By doing so we make it possible to access our data remotely, and the list of parties that can see it is ponderous. By putting data “on the wire” we are trusting encryption alone to protect it.
The point of the preceding paragraphs is twofold. First, I hope it makes you realize the importance of having good physical security and maintaining control of your devices. That truly is the “ninety-percent-solution” to protecting data. Second, I hope it makes you think twice before you put your data in motion. Do you really need to send that attachment? Do you really need to upload those files to Dropbox? Encryption works, but recognize it for what it is: the last-ditch, last line of defense for your data.