I think that's a reasonable question to ask any service provider. If you are holding information about me, what measures are you taking to stop it falling into the wrong hands?
Over the last few years, we have seen a number of high-profile data losses reported in the media. For the individuals affected, it can be a traumatic and difficult experience, and no amount of regulatory action, hefty fine or compensation can alter the fact that it would have been better for all concerned had the data not been lost in the first place.
For organisations that perform work on behalf of other companies, it is becoming commonplace for the work provider to insist that all data held by their work partner is secure. Some work providers are now performing security audits on their partners, and failure to comply can lead to termination of contracts.
That same requirement can now be seen from consumers. Media coverage has made us all too aware of the nightmare we face when our data is lost, and as a result we are starting to ask questions of our service providers and voting with our feet when assurances cannot be met.
So how should businesses deal with this? Well, with the introduction of GDPR in a few months, doing nothing is no longer an option. There are many aspects to data security, but one that is relatively simple to implement is encryption.
You can choose to encrypt a full file system such as a disk, protecting that device from theft, loss or inappropriate decommissioning. And with many operating systems now including this functionality as standard, why wouldn't you simply turn it on?
But what if data has the potential to move from device to device, such as a database? Leading database vendors provide encryption at file level, ensuring protection inside the database no matter where it lives. Often described as ‘security at rest’ or ‘transparent database encryption (TDE)’, all information is encrypted as it is saved and decrypted when it is read. With the relevant keys in place, it's completely invisible (hence the term transparent) to authenticated end users of your applications whilst keeping the data safe when archived to other locations.
Whilst this all sounds simple, and in practice it is, there is one critical administrative responsibility: key management. As with the locks on your front door, if you give someone a copy of your key or leave the key in the lock, you are leaving yourself vulnerable. The same is true of encryption: the fundamental system administrator task is to protect the key.
For users of our Visualfiles Case and Matter Management system, a TDE module is available that utilises industry-standard cyphers and key stores. It allows you to pick an appropriate encryption strength and key management policy, and it operates in the background with no noticeable impact for your users. A full service offering is available for implementation, along with documentation explaining key management and a product video should you like to see it in action.
So, why isn't everyone encrypting databases? Implementing security features such as encryption has a cost, and for some, investing in infrastructure software may not appear to offer the same levels of return as similar investments in productivity software. But if you are a consumer or provider of services that has experienced data loss, then the potential fines, financial loss and all-round inconvenience might just warrant that investment.