Anthem breach shows need for wider encryption of sensitive data

Media reports on the Anthem breach have indicated that the compromised personal information was not encrypted. Encryption, meaning strong, modern algorithms, properly implemented, with tight key management, is the most effective way to protect data in 2015.

How do we know this? Edward Snowden, of course. The documents he released made it clear that the NSA is unable to break properly implemented strong encryption, and gets at protected data by going around it, through weak endpoints, flawed implementations and poorly guarded keys. It is likely no one else can break it, either. Many have expressed surprise that the Anthem data, clearly of a confidential nature and describing millions of people, was not encrypted. This may be because Anthem, like many companies, operates strictly within its primary business, be it health care insurance, retail, banking or something else. Unfortunately, the reality of 2015 is that almost every business is an IT business, and part of IT is cybersecurity. It is not an optional component. And when it comes to protecting data at rest or in motion, nothing works as well as encryption, provided the keys are guarded as carefully as the data.

While the algorithms themselves are readily available in well-tested software libraries (and should be taken from there rather than reimplemented), the ecosystem required to support them is much harder to put in place. Encryption systems are all about key management: making sure the proper key for the required operation can be found and used only by a properly authorized party. Some familiar (and older) forms of encryption, like S/MIME for e-mail and whole-disk encryption like BitLocker, use a single key, or key pair, per user or per volume.

In the application space, large, sophisticated database vendors charge millions of dollars for bolt-on encryption modules. Organizations then have to alter their application software to take advantage of this technology, which is both expensive and time-consuming.

To be effective and to support the many applications that need access, many keys have to be in play: at least one per application or data set, and more as keys are rotated over time. Distributing and managing the keys for these software modules adds friction to the system and makes it hard to keep everything in sync, raising maintenance and support costs. To further complicate matters, a glitch in the system can destroy data outright: a key that is lost or overwritten makes everything encrypted under it unrecoverable.

There is a better way: adding an encryption abstraction layer between the application and the data storage and transport, one that is invisible to the application and requires little change to either hardware or applications. Think of this as an encryption service or broker. It handles key management, authentication and authorization of the calling application, and the actual encryption, so that no application ever holds a raw key.
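As an added illustration of such a broker (example code written for this page, not code from the original article or from any vendor product), here is a minimal Go encryption service that also covers the key-management points made above: it keeps the key-encryption keys (KEKs) to itself, checks a caller policy before every operation, mints a fresh data key (DEK) per record, wraps that DEK under the current KEK (envelope encryption), and records which KEK version was used so that rotating the KEK does not break existing rows. The `SamplePolicy` map is a constructed stand-in for the LDAP group lookup a real broker would perform, and the caller names, field names and sample values are all made up for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

var (
	ErrDenied = errors.New("broker: caller not authorized")
	// SamplePolicy is constructed for this example and stands in for the LDAP
	// group lookup a real broker would do: intake writes a field, never reads it.
	SamplePolicy = map[string]map[string]bool{
		"claims-intake": {"encrypt": true},
		"claims-review": {"encrypt": true, "decrypt": true},
	}
)

// Record is what the application stores in the column; KeyVersion names the KEK the DEK was wrapped under.
type Record struct {
	KeyVersion uint16
	WrappedDEK []byte // nonce || AES-GCM(KEK, DEK)
	Ciphertext []byte // nonce || AES-GCM(DEK, plaintext), field name as AAD
}

// Broker is the encryption service: it holds the KEKs and enforces the policy; applications never see a raw key.
type Broker struct {
	keks   [][]byte // keks[i] is KEK version i+1; old versions are kept so old rows still decrypt
	policy map[string]map[string]bool
}

// RotateKEK makes a fresh 256-bit KEK current (call once before use, then whenever rotating) and returns its version.
func (b *Broker) RotateKEK() uint16 {
	b.keks = append(b.keks, randBytes(32))
	return uint16(len(b.keks))
}

func randBytes(n int) []byte {
	buf := make([]byte, n)
	if _, err := rand.Read(buf); err != nil {
		panic(err) // no safe way to continue without a CSPRNG
	}
	return buf
}

func aeadFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // only fails on a wrong key length
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return aead
}

// seal is AES-256-GCM under a fresh random nonce and returns nonce || ciphertext;
// open reverses it, and GCM's tag check turns any tampering into an error.
func seal(key, plaintext, aad []byte) []byte {
	nonce := randBytes(12) // standard GCM nonce size
	return aeadFor(key).Seal(nonce, nonce, plaintext, aad)
}

func open(key, blob, aad []byte) ([]byte, error) {
	if len(blob) < 12 {
		return nil, errors.New("broker: malformed ciphertext")
	}
	return aeadFor(key).Open(nil, blob[:12], blob[12:], aad)
}

// Encrypt: authorize, mint a per-record data key (DEK), encrypt the field under it and wrap the DEK under the
// current KEK (envelope encryption). The field name is AAD, so a ciphertext moved to another column fails to decrypt.
func (b *Broker) Encrypt(caller, field string, plaintext []byte) (*Record, error) {
	if !b.policy[caller]["encrypt"] {
		return nil, ErrDenied
	}
	if len(b.keks) == 0 {
		return nil, errors.New("broker: no KEK installed")
	}
	dek := randBytes(32)
	return &Record{
		KeyVersion: uint16(len(b.keks)),
		WrappedDEK: seal(b.keks[len(b.keks)-1], dek, nil),
		Ciphertext: seal(dek, plaintext, []byte(field)),
	}, nil
}

// Decrypt reverses Encrypt with whichever KEK version the record names.
func (b *Broker) Decrypt(caller, field string, r *Record) ([]byte, error) {
	if !b.policy[caller]["decrypt"] {
		return nil, ErrDenied
	}
	if r.KeyVersion == 0 || int(r.KeyVersion) > len(b.keks) {
		return nil, errors.New("broker: unknown KEK version")
	}
	dek, err := open(b.keks[r.KeyVersion-1], r.WrappedDEK, nil)
	if err != nil {
		return nil, err
	}
	return open(dek, r.Ciphertext, []byte(field))
}
```

Construct a `Broker` with the policy, call `RotateKEK` once, and applications then call `Encrypt` and `Decrypt` with their own name and the field they are touching. Three properties matter for the argument in the text: records carry their key version, so after another `RotateKEK` older rows still decrypt while new ones are written under the new key; the field name is authenticated data, so a ciphertext copied from the SSN column into another column is rejected; and the policy is checked before any key is touched, so an application allowed only to write a field cannot read it back. A production broker would keep the KEKs in an HSM or a key-management service rather than in process memory, and would log every authorization decision.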

Such systems interface with existing LDAP-based identity management systems and are available today. While not without cost, they are more effective, and far less disruptive, than an application rewrite. Organizations need to realize they are all in the IT business, and make 2015 the year of encryption.

This article originally appeared on and was written by Dave Frymier.