The Encryption Imperative: Q&A with Larry Warnock of Gazzang
VSM: What do you mean by the encryption imperative?
LW: We all know what encryption is. Cryptography dates back thousands of years to the use of ciphers, but that's not what we're talking about. Today, most companies use encryption as a last line of defense for protecting their ultra-sensitive regulatory data. The encryption imperative is about getting companies to look at encryption as a best practice for securing all their data. The bottom line is, if you have data that your company deems important, you should encrypt it. If it's not important, then why are you hanging onto it?
VSM: What role could encryption have played in preventing some of the high-profile breaches we’ve seen to date in 2012?
LW: I continue to be amazed at the frequency with which these breaches occur, and they happen in just about every industry: banking, healthcare, law enforcement, retail, social media, etc.
Often when login information is compromised, as it was with the LinkedIn breach this summer, you'll hear that users simply need to create stronger passwords.
We think the responsibility should be shared. If you offer a service that requires a password, the user should create a unique password, and your company should take steps to protect it through crypto techniques like password hashing and salting.
The steady pace of breaches reinforces the need for encryption as a last line of defense. We've reached the point now where strong encryption, using industry standard algorithms, is so inexpensive, simple to implement, and high performing, there’s really no excuse for not using it.
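To make the password-protection point in the answer above concrete, here is an added example (not part of the interview and not Gazzang's code) that puts a bare, unsalted digest, the scheme behind the 2012 LinkedIn dump, next to a per-user salted and iterated hash. The accounts and the attacker wordlist are constructed; PBKDF2-HMAC-SHA256 with 200,000 iterations is chosen here purely as the illustration, and the `pbkdf2_sha256$iterations$salt$digest` record layout is this example's own convention.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

# Constructed sample user base (not real data): two users share a password,
# which is the normal state of affairs in any sizeable account database.
ACCOUNTS: Dict[str, str] = {
    "alice": "Winter2012!",
    "bob": "Winter2012!",
    "carol": "correct horse battery staple",
}

# Constructed attacker wordlist, standing in for a precomputed table of
# digests of common passwords.
WORDLIST = ["123456", "password", "Winter2012!", "linkedin", "qwerty"]


def unsalted_sha1(password: str) -> str:
    """Weak scheme: a bare SHA-1 of the password. Deterministic, so equal
    passwords produce equal hashes across users, and one table of digests
    for common passwords cracks every matching account in a single lookup."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def crack_with_table(hashes: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Reverse unsalted hashes by computing the wordlist digests once and
    looking each stored hash up. The cost does not grow with the number of
    victims, which is exactly what a per-user salt is meant to prevent."""
    table = {unsalted_sha1(word): word for word in wordlist}
    return {user: table[h] for user, h in hashes.items() if h in table}


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 200_000) -> str:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256, chosen as the illustration).
    A fresh random 16-byte salt per user means identical passwords yield
    different records and a precomputed table is useless; the iteration
    count makes every guess deliberately slow. Salt and iteration count are
    stored with the digest: neither is secret."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in
    constant time so a timing side channel cannot leak digest prefixes."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def duplicate_hash_count(hashes: Iterable[str]) -> int:
    """How many stored hashes collide with another user's. Non-zero means
    the scheme leaks which users share a password."""
    hashes = list(hashes)
    return len(hashes) - len(set(hashes))


if __name__ == "__main__":
    weak = {u: unsalted_sha1(p) for u, p in ACCOUNTS.items()}
    print("unsalted duplicates:", duplicate_hash_count(weak.values()))
    print("cracked from table:", crack_with_table(weak, WORDLIST))
    strong = {u: hash_password(p) for u, p in ACCOUNTS.items()}
    print("salted duplicates:", duplicate_hash_count(strong.values()))
    print("alice login ok:", verify_password("Winter2012!", strong["alice"]))
```

Running it shows the two users who share a password collapse to one SHA-1 value and are both recovered from the wordlist in one pass, while the salted records are all distinct and still verify correctly. The record carries its own parameters so the iteration count can be raised for new users without invalidating existing logins.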
VSM: What about compliance – can you offer examples of mandates that require encryption?
LW: When it comes to US compliance mandates for data and cybersecurity, most guidelines are noticeably vague, leaving it up to the corporations to determine best practices for maintaining privacy and confidentiality of sensitive data.
Gazzang works with numerous healthcare, financial services, government and SaaS organizations to help them secure regulatory data stored in the cloud. An interesting use case for our big data encryption solution is with a higher-education non-profit organization. They're storing sensitive student data such as grades and test scores in a MongoDB database that needs to be protected to comply with the Family Educational Rights and Privacy Act (FERPA). We're encrypting their data before it comes to rest in MongoDB and ensuring the all-important encryption keys remain separate from the encrypted data.
VSM: Aside from data breaches and compliance, what other business drivers are you seeing?
LW: We expect big data to become a significant driver of business. These days, it’s hard to have a conversation about technology – or policy or healthcare or consumer products – where big data doesn’t come up. But rarely are companies thinking about the security and integrity of that big data project.
It's important that organizations be accountable for securing the massive volumes of Social Security numbers, email addresses, phone records, health records and intellectual property flying around in the cloud. In big data, protecting this fine-grained information may mean the difference between achieving HIPAA, FERPA, PCI-DSS or FIPS compliance, and receiving a hefty fine.