Comment Re:Encryption (Score 1) 127
Yea, I work in the security industry and I don't really agree. I hear what you're saying about considering each application and you're not wrong, but I think the potential benefits of this easily outweigh the negatives. It will apply pressure to companies who really do need to encrypt their data and just cannot get the will from the business to do it.
Its not a magic bullet, but especially in the absence of any legitimate way to wipe data from databases in a secure manner it's a reasonable compensating control to put in place. It really depends on the actual implementation whether or not the encryption will help if the server is compromised while it's running. If companies encrypt at the database or table level and implement things decently then at least it's not just a matter of compromising the server and copying the entire database off to get the information. Web based attacks are probably going to compromise the database's security, but at least information secured in this way would be safe(er) from network based worms and other malware. That is not a trivial or uncommon attack vector, and I think it's worth serious consideration.
The other aspect of this is that it would force a lot of companies to implement real key management procedures in order to not lose access to their data. Once they need to do that to maintain the business, they'll be much more receptive to rotating and expiring keys, etc. because it's a low hanging fruit. Right now key management is kind of a nightmare and not something I see a lot of companies handling effectively. If you have to deal with key management in order not to take down your entire business being more selective about who has access to those keys, split knowledge, etc. become a much more realistic proposition. That will demonstrably increase security as well as compliance with other regs/standards.
I'm both a Libertarian and a security professional...I am suspicious of government regs but I think they are needed in this case. The industry is not keeping up with the security landscape well enough, and this stuff is far enough out of the public's line of view that it has the potential to negatively impact their lives out of nowhere, and there is no ability for them to audit or verify a companies security measures before engaging with them. I think that is a threat to the public welfare, and something that does fall within the role of government. Implementing encryption in this way is not going to be that onerous, and it will have a tremendous impact on people who really REALLY do need to encrypt their data at the price of a bit of a hassle for those who don't. As this becomes more widespread key management and implementation of encryption will also become easier, making it less onerous for people who don't necessarily need extremely tight security.