Encrypting everything isn’t the whole story

I’m not usually given to marketroidistic behaviour (also known as “making shameless product plugs”), but I’m willing to give it a try once in a while. So here goes.

We’ve just announced the latest version of our Sophos SafeGuard Enterprise and SafeGuard Easy products.

The primary goal of these products is to stop data from leaking out of your organisation, either accidentally or through deliberate criminal activity.

Reliably controlling how data is stored (e.g. forcing laptop drives to be encrypted) and where it is stored (e.g. preventing corporate data being “backed up” onto personal USB devices) puts you in a very strong position – morally, economically, technically, and legally – when it comes to safeguarding your own, your company’s and your customers’ privacy.

Just encrypting everything is a start, but it isn’t the whole story. In Australia, for example, the law obliges you to protect the confidentiality of various sorts of data, but it also requires you to retain data, sometimes for many years, so that it can be lawfully audited later.

And even if the law didn’t care about data that went missing on a whim, it would be poor business practice to lock any of your corporate information down so tightly that you relied on a single person’s availability, knowledge and co-operation to unlock it.

Unfortunately, encryption systems (and I use the word “system” in the sense of “a set of connected things or parts forming a complex whole”, not simply in the sense of “software on an individual computer”) which combine genuine security with safe and manageable key recovery are hard to build. Fortunately, Sophos SafeGuard is just such a system.

Key recovery sounds easy. It isn’t, not least because it’s not supposed to be easy, or anyone could do it.

Key recovery needs to be straightforward, and reasonably quick, so that it doesn’t cost your helpdesk hundreds of dollars every time someone forgets their password. But it also needs to be sufficiently well-regulated that it can only be done under strictly controlled rules, in an auditable fashion, and in such a way that it does not leave the helpdesk with any sort of backdoor for later misuse.
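The requirements in the last few paragraphs (no dependence on one person, recovery that is controlled and auditable, and no standing backdoor for the helpdesk) are easier to see in code than in prose. What follows is an added illustration written for this page; it is not Sophos code and says nothing about how SafeGuard itself is built. It assumes a management server holding an `Escrow` record per laptop, a user key-encrypting key (KEK) that a real product would derive from the login credential (here it is simply random bytes), and a pool of key custodians of whom any two can recover. The names `Enrol`, `Recover`, `split2`, `combine2` and the `ticket` string are all invented for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

type Escrow struct {
	UserWrapped     []byte   // DEK sealed under the user's key-encrypting key (KEK)
	RecoveryWrapped []byte   // DEK sealed under a recovery key nobody stores whole
	Audit           []string // one line per recovery attempt; a real system signs and ships these
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // every key here is a fixed 32 bytes, so a failure is a bug
	}
	return v
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}

// wrap seals dek under kek (AES-256-GCM, nonce prefixed); unwrap fails unless kek matches.
func wrap(kek, dek []byte) []byte {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(kek))))
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, dek, nil)
}

func unwrap(kek, blob []byte) ([]byte, error) {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(kek))))
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// gfMul multiplies in GF(2^8) using the AES polynomial x^8+x^4+x^3+x+1.
func gfMul(a, b byte) (p byte) {
	for ; b != 0; b >>= 1 {
		if b&1 != 0 {
			p ^= a
		}
		a = a<<1 ^ 0x1b*(a>>7)
	}
	return p
}

// split2: 2-of-n Shamir sharing. Per byte a random line y = s ^ c*x is read at x = 1..n,
// one point per custodian, as [x, y_0, y_1, ...]; s sits at x = 0, so one share reveals nothing.
func split2(secret []byte, n int) [][]byte {
	shares := make([][]byte, n)
	for i := range shares {
		shares[i] = append([]byte{byte(i + 1)}, make([]byte, len(secret))...)
	}
	for bi, s := range secret {
		c := randBytes(1)[0]
		for _, sh := range shares {
			sh[bi+1] = s ^ gfMul(c, sh[0])
		}
	}
	return shares
}

// combine2 reads the line through two shares at x = 0: s = (y1*x2 ^ y2*x1) / (x1 ^ x2).
func combine2(a, b []byte) []byte {
	inv := byte(1) // (x1 ^ x2)^254 is its inverse in GF(2^8)
	for t := 0; t < 254; t++ {
		inv = gfMul(inv, a[0]^b[0])
	}
	secret := make([]byte, len(a)-1)
	for bi := range secret {
		secret[bi] = gfMul(gfMul(a[bi+1], b[0])^gfMul(b[bi+1], a[0]), inv)
	}
	return secret
}

// Enrol wraps a fresh DEK for the user and for escrow, splits the recovery key across n custodians and forgets it.
func Enrol(userKEK []byte, custodians int) (*Escrow, []byte, [][]byte) {
	dek, recoveryKey := randBytes(32), randBytes(32)
	return &Escrow{wrap(userKEK, dek), wrap(recoveryKey, dek), nil}, dek, split2(recoveryKey, custodians)
}

// Recover needs two different custodians' shares, rewraps the DEK under a fresh user KEK and logs every attempt.
func (e *Escrow) Recover(a, b, newUserKEK []byte, ticket string) (err error) {
	defer func() { e.Audit = append(e.Audit, fmt.Sprintf("ticket=%s custodians=%d,%d ok=%t", ticket, a[0], b[0], err == nil)) }()
	if a[0] == b[0] {
		return fmt.Errorf("both shares belong to custodian %d", a[0])
	}
	dek, err := unwrap(combine2(a, b), e.RecoveryWrapped)
	if err != nil {
		return fmt.Errorf("shares did not rebuild the recovery key: %w", err)
	}
	e.UserWrapped = wrap(newUserKEK, dek)
	return nil
}
```

The three properties from the text fall out of the structure rather than from policy: the server's record on its own, or any one custodian's share, is useless without the other; a recovery does not hand the helpdesk the user's old or new KEK, it simply rewraps the disk key under a fresh credential, so nothing they saw keeps working afterwards; and every attempt, successful or not, lands in the audit trail. A wrong or forged share does not produce a slightly wrong key, it produces a GCM authentication failure. A production system would make the threshold configurable (general k-of-n Shamir rather than the 2-of-n line used here), bind the audit entries to a signed log, and deliver shares to custodians on tokens rather than as byte slices.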

So, check it out. Sophos SafeGuard. Quite a descriptive name, really.

PS. What do you think of my marketing methodology here? As advised in the literature, I avoided the impending doom technique, since I deliberately didn’t mention the likely forthcoming changes in Australian privacy law to compel disclosure in the event of a data breach. And I used only the lightest touch of business conscience pressure with the mention of Privacy Awareness Week. Not too bad for a part-timer, eh?