Posted by: Rob Stevens | Wednesday, June 24, 2009

I've just been reading about an interesting product from PKWare. SecureZip is your bog-standard compression program with public key infrastructure bolted on, allowing for encryption and/or digital signing of the contents. I haven't had much of a chance to use it yet, but setup was very easy, and hopefully I'll get an excuse to put it into action soon.

Nobody who has a clue what they're talking about disputes that encryption and digital signing are necessary technologies. They keep your data secure and un-tampered-with both in storage and during transmission across the Internet. The two main problems with encryption are:

1) It's a pain to set up - SecureZip gets around this. It's very easy to configure - all you need is an email address and it pretty much does the rest for you.

2) Persuading people to use it. I've played with several different encryption technologies before and very rarely end up putting them into use. This is because very few people care enough to bother using encryption and signing (until it's too late and they've had their data stolen).

This second point is the greatest hurdle. You can have the simplest setup in the world, but until you can persuade someone else to start using it there's not much point yourself. Yes, I secure my personal files locally - transparently encrypting folder contents makes this simple, but the same can't be said of files that I'm sending to people by email, or any other transmission medium.

An example that's occurred to me recently during my job hunting is my CV. I've applied for a huge number of jobs, sending my CV to virtually all of the prospective employers. Whilst I have no real problem with them having the personal details contained in my CV, I wouldn't want those details to be available to all which, as a result of sending out my CV by plain text email, they potentially are. The problem here is that I doubt that the people on the other end would have the necessary systems in place to receive encrypted mail and documents, and as a result my application would probably be discarded.

A widely used approach to problems like this is to 'educate the users'. No. I disagree. The users aren't going to voluntarily do anything that makes their life more complicated. Most of them don't even understand why their work systems have to be password protected. The solution here (I think) is to not give them a choice. In this age of government idiots leaving the entire country's financial data on a train or whatever, people handling sensitive data should be made to encrypt it. It's possible to do this transparently so that it doesn't impact them too much, and would make stupidity/carelessness-based data loss less of a problem.

I'm probably preaching to the choir here. Those who know what I'm talking about agree, those who don't... well, don't.
