Home » Resources » [Overview] When Are Encryption and Cryptographic Erasure Not Enough?

[Overview] When Are Encryption and Cryptographic Erasure Not Enough?

Download Best Practice

Should organizations rely solely on encryption and cryptographic erasure as a means of protecting data? In this document, we’ll discover why the answer to that question is a resounding no. The ideal way to approach data protection, and specifically data sanitization, is to implement a multi-tiered, layered approach that goes beyond encryption alone.

What is Encryption?

Encryption is the process of converting information or data into a code to prevent unauthorized access. Encryption is completed by using an algorithm to encode the data so that it can only be deciphered with an encryption key.

What is Crypto-Erase?

What is Cryptographic Erasure (CE)?
This wiping method uses the native command to call a cryptographic erasure, which erases the encryption key. While the encrypted data remains on the storage device itself, it is effectively impossible to decrypt, rendering the data unrecoverable.

Proper implementation of Cryptographic Erasure follows a 3-step process:

1. Find and overwrite crypto keys and password
2. Verify full encryption of media
3. Create tamper-proof report

Pros, Cons & Risks

Pros

• CE can take only a few seconds to complete.
• Proper implementation can render data unrecoverable.

Cons

• Self-encrypting drives can have implementation issues.
• Keys must be stored and managed – without secure storage and management, these keys are vulnerable to attack.
• Most CE does not provide any form of verification.

Risks

• Encryption has a “use by” shelf life. As cryptography advances rapidly, algorithms that were once considered “strong” can be broken.
• If encryption is not in place (but the organization thought it was) or, it’s removed, turned off, flawed or broken, ALL of the organization’s data on the device is then accessible.
• Executive travelers can be ordered to unlock encryption on laptops when crossing sensitive borders.

Download Best Practice.

You may be interested in:

What is Common Criteria Certification, and Why Is It Important?

Understanding the financial risks of cybersecurity complacency

The New Jersey Privacy Act: What You Need to Know

The newly signed New Jersey Privacy Act impose new obligations on businesses when it comes to handling consumer data. Here is what you need to know to stay in compliance.

IBM® Launches Infrastructure Data Erasure—And These 5 Storage Network Benefits Come With It