I have been involved with Data-at-Rest security for about 15 years now, and I have seen the Security ‘Hype Cycle’ (http://en.wikipedia.org/wiki/Hype_cycle) for so many technologies - too many, in fact, and I’m trying to forget them like my many years of Don Johnson look-alike attire in the 80’s (I got rid of all the white linen jackets). Data-at-Rest security has gone from complete obscurity - I regularly presented in meetings with Fortune 100 executives to discuss protecting information on cell phones, laptops and desktops and was routinely met with “We have Windows passwords and that’s more than enough security”. In 2002 I coined the term ‘Enterprise Mobile Device Security’ (truthfully, an Easter egg from my previous work in Enterprise Document Management Systems (EDMS) - secret’s out) to try to draw a distinction between Data-at-Rest technologies and systems - but again this has gotten lost in translation in 2009.
I can’t tell you how many conversations I have had recently, in Government and Business alike, where companies have ‘moved on’ looking for the next security hot topic to protect against without completing their policies, procedures, and implementation around Data-at-Rest. Some are looking to next-generation hardware that encrypts information in hardware - without thinking about the management backend required to do enterprise-scale user and encryption key management.
Security is hard work, and sometimes that ‘stick-to-it-ness’ doesn’t easily convey from the security team to the board room or executive leadership. Looking into 2010, I have a hope that we can make this the ‘implementation decade’. Can we complete our security implementation in 2010? Sure, through hard work and determination we can use technologies and procedures already in existence to provide at least basic protections for data everywhere it goes. We all need to spend a lot more time thinking about solving problems, and implementing the solutions - at least as much as we do looking for new problems.
So, implement that cryptosystem - change that four-character password - implement two-factor authentication. I know it’s taken 15 years for us all to get here, but maybe if we complete some of these implementations we won’t have to continually hear about data losses for the next 10 years.