This post caused a great deal of controversy. Some readers left with the impression that we believe encryption to be obsolete or unnecessary. That was not our intended message; rather it was to expose common problems with conventional approaches to data encryption and what dispersal offers to address them. Other readers disagreed with the veracity of our claims, which is not surprising given that the post lacked technical details to backup them up. To provide technical details in defense of the claims made in this post, we have written three follow up responses: Part 1, Part 2, and Part 3 which we invite you to see.
When it comes to storage and security, discussions traditionally center on encryption. The reason encryption – or the use of a complex algorithm to encode information – is accepted as a best practice rests on the premise that while it’s possible to crack encrypted information, most malicious hackers don’t have access to the amount of computer processing power they would need to decrypt information.
But not so fast. Let’s take a look at three reasons why encryption is overrated.
1) Future processing power
While processing power today may keep encrypted files (that are stored in the cloud, for example) safe, as processing power improves, archived encrypted files will require systematic re-encryption to remain safe from potential hackers. Systematic re-encryption, though, is difficult, laborious and expensive.
2) Key management
To decode the encrypted files, a user needs the encryption key. Unfortunately, managing a large number of encryption keys can be painful. Yes, there are enterprise key management (EKM) solutions that promise the ability to manage and change keys throughout their life cycle – but these serve more as a band-aid to the fundamental pain of dealing with numerous keys. As a chain is only as strong as its weakest link, an enterprise key manager is only as good as the integrated key management systems that use it. If any system downstream from a secure key manager exposes the key, or is not designed to cover a certain threat, the whole thing becomes not secure.
3) Disclosure laws
Beyond technology, breach disclosure laws — that require organizations to notify individuals when personal information has been or at least is reasonably believed to have been acquired by an unauthorized entity – can result in a PR nightmare for a business that encryption can’t resolve. A quick visit to Privacy Right Clearinghouse lists the compilation of data breaches since 2005 that expose individuals to identity theft as well as breaches that qualify for disclosure under state laws. Not a short list.
A technologist with a good understanding of encryption methods may be comfortable with some of the breaches or data losses reported due to the strengths of the encryption. But this doesn’t matter in the court of public opinion; once data – encrypted or not – is lost, so is the trust of the general public. Encryption is simply not enough to counter business concerns about the security of their data.
With full disclosure – Cleversafe’s storage solution is based on Dispersal – consider its security benefits. Dispersed Storage technology divides data into slices, which are stored in different geographies. Each slice contains too little information to be useful but any threshold can be used to recreate the original data. Translation – a malicious party cannot recreate data from a slice, or two, or three, no matter what the advances in processing power. And Dispersal does not require the time and energy of re-encryption to sustain data protection.
Maybe encryption alone is “good enough” in some cases now – but Dispersal is “good always” and represents the future.