QOTD - Rothke on Encryption vs Data Destruction

"Encryption is a fantastic way to assure the privacy of live data, but is not suitable for the protection of end-of-life data," says Ben Rothke, Senior Security Consultant with BT Professional Services & author of Computer Security: 20 Things Every Employee Should Know.

Ben goes on to explain that:
Encryption's weakness is that the keys used to secure the data may be compromised. Even if the 256-bit Advanced Encryption Standard (AES) is used, which is unbreakable using current technology, data can be compromised if the user chooses a weak passphrase to protect the data, or if the key was not properly destroyed.

Some have suggested that encryption and then losing the keys is a method of destruction. But in speaking with those who have forensic labs, they note that there are ways of getting keys, as well as cracking keys on lesser levels of encryption. Given that, encryption should be used as a security mechanism, not as a destruction tool.
Src: Why Information Must Be Destroyed, Part Two | CSO Online
