The "simple" truth about security

It all sounds so simple. You save your data to a tape cartridge. When you have enough cartridges, you put them in a box and send them off to be stored.

And yet, we can't seem to go a week without some company reporting another -- usually boneheaded -- data loss. This time it's Time Warner wearing the dunce cap: The media giant lost 40 tapes with personal information on about 600,000 current and former employees as the tapes were in transit to a storage facility.

Earlier this year Bank of America reported a similar data security mishap, and in April Ameritrade lost a tape containing the names of 200,000 clients. Those incidents look less like examples of the work of brilliantly cunning "24"-style cyberterrorists and more like the work of, well, just plain ineptitude. It's as if the crackerjack spies from "Alias" have been done in by the bumbling residents of Hooterville.

The Time Warner tapes were lost March 22 when a shipping container holding the 40 tapes went missing during a routine shipment to an off-site facility by a third-party firm, Iron Mountain. Time Warner has been fairly forthright in saying that it plans to start encrypting all data saved to backup tapes.

There are a variety of encryption products out on the market for different uses. Decru and NeoScale Systems offer file-level encryption products that protect data residing on various storage systems. Both offer on-the-fly encryption and decryption of data flowing in and out of storage systems, taking some of the complexity out of the process. Simple, in other words.

If you want to get a bit more nitpicky about what you encrypt, nCipher and Application Security have products that allow you to encrypt just the important stuff -- such as credit card numbers.

"We just added support for IBM DB2 and Microsoft SQL Server for SecureDB," says Richard Moulds, vice president of marketing at nCipher. SecureDB already supports Oracle databases.

According to Moulds, encrypting the key pieces of data is easier and faster than encrypting the whole database. "A lot of information travels around an enterprise that only needs the key parts encrypted. Most of the data would be of little consequence if it got out, but if those key parts are compromised, you can find yourself in real trouble," Moulds explains.

Moulds also points out that encryption should be part of a security process, not just a technique to use when data is leaving a secure perimeter. "I believe encryption will become a part of the underlying technology for a security infrastructure. But it has to be relatively simple and fast," Moulds says.

Ah, "simple." Now where have I heard that before?