Where does one start rolling out encryption across the enterprise?
I always tell people three things they need to do to get started. First, figure out what sensitive information your business handles -- what it takes in, what it processes and what it puts out. Second, find out where it's located. And third, analyze how it's at risk.
Once you've done these three things, you can figure out what additional controls, like data storage encryption, are going to be needed to make things more secure. Focus on visibility and control, and minimizing exposure. You're always going to have residual risks, and you're always going to have some form of exposure. But focus on the best ways to minimize that exposure. Think of the worst-case scenarios and keep a handle on the urgent and important, especially right when you are getting things off the ground.
Get off to a good start, and you don't have to drain the ocean all at once. Data storage encryption, especially if you take on a laptop encryption project, can be a beast. Start small and continue to optimize to get better year after year. If you take this approach, you're more likely to get it right the first time, and you won't have to go back and rework everything a couple of years down the road.
This was first published in October 2007