Perils of Encryption

Today’s SANSBITES email has a blurb on the Department of Transportation laptop that went missing while holding data on 133,000 Floridians. Apparently the data was originally encrypted, then later it wasn’t.
John Pescatore of Gartner comments, “Who knows what really went on, but rushing out encryption of stored data without thinking through all the issues (like indexing and archiving, just to name two common problems) often results in self-inflicted wounds or the encryption being disabled.”
That sounds familiar. After OMB M-06-16 required encryption, many government agencies have been running around implementing ill-considered encryption plans.
I have been trying to hold off this groundswell for encryption until we can implement it correctly using a Certificate Authority. Now suddenly we’ve uncovered a major problem. The backup software only allows you to restore encrypted files to yourself. If you lose your computer, and get the administrator to restore the files to a new computer, the backup software will not allow restoration of encrypted files. This is a huge problem. You can protect your important data with encryption, but don’t plan on getting it back in case of disaster. We’re pressuring the vendor to change this behavior.