Encrypt Everything!? Maybe not.

I was working as a Security Architect when the Director of Strategy and Architecture made the announcement that our latest strategy was to “Encrypt Everything”. This was a telecoms company with a distributed IT infrastructure, thousands of staff, and a huge number of networks. The volume of confidential documents created daily numbered in the thousands, let alone the volume of “everything”. Our storage was distributed across 6 data centres; I couldn’t begin to guess how many Terabytes. In short, even though I couldn’t calculate it exactly, I knew this was going to be a big problem.

My strong belief now is that the Director had heard of a close competitor’s intent to encrypt everything, and decided to follow suit. Unfortunately, he hadn’t read the small print, and hadn’t discussed it with the CISO or CTO prior to the announcement. The competitor was talking about the service it presented to its customers, that is, the network. Not the data. But once a strategy was approved, the die was cast.

It was practically impossible to get this strategy off the ground. Initial cost estimates quickly rose into hundreds of millions of pounds to execute this effectively – much more than the damage caused by a data breach. The director left soon afterwards, but he had unwittingly handed us an incredibly high profile for a data-centric strategy to win out.

The Security Architecture team had previously planned a data-centric strategy well before “Encrypt Everything” was announced. It was simple enough to pick out the bits of this that involved encryption, or could be related to encryption in some way. Our CISO had the ear of the CTO, who supported the strategy from day one and communicated effectively to the board on its benefits: how it retained the intent of “Encrypt Everything” without the cost and complexity.

We quickly focused on data classification and discovery so we could encrypt secret information. We knew the volume of confidential information would be too much to address in the same way, so we focused on whole disk encryption for staff laptops and file encryption for confidential servers. With this in place, end-to-end encryption for Microsoft Office documents, the most widely shared source of confidential data in our organisation, was then possible.

This was, in fact, a relatively small part of our data security strategy, but in terms of getting it off the ground, it was vital. Data classification changes fundamental business processes – email, word processing and spreadsheets all now needed metadata to indicate handling requirements. This may cause initial murmurings of disapproval, but it raises the profile of security, gives people a sense that they are being protected somehow, even if they are not aware of it, and piques interest. On a personal level, we could connect with the workforce.

When data is discovered, there are many things you can do with it – classify, deduplicate, encrypt, permission, or delete, for example. Classification prepares it for protection. Deduplication frees up storage and ensures traceability. Encryption protects and deletion ends the lifecycle. Permissions enforce business need to know (especially effective when integrated with the encryption). There are many points between, but without knowing what data you have where, you can’t possibly hope to encrypt anything, let alone everything! In fact, doing so probably wastes a lot of money and time. That’s not good business.