“Cryptography can be used to secure my data. Therefore, if I use cryptography my data is secure.”
Wrong.
I think Bruce Schneier described it best (paraphrased): Cryptography is like having a really strong front door on your house… 2 foot thick steel, blast proof, the whole 9 yards. A thief isn’t going to try and break through your front door… they’ll just climb through a window!
Security is about the whole system, not just the crypto. xkcd summed it up nicely:
So true. Another favorite analogy of mine is the Maginot Line, which the Nazis simply went around.
Best positions on security are holistic. Take a look at the PCI-DSS standard, which establishes controls for a particular class of data (CC transactions). In addition to encryption at rest (and presumably encryption in transit since the Heartland scandal), there are various procedural, physical, and logical controls as well. While a little light on the specifics of technology hardening required, PCI-DSS, DIACAP and other NIST-derived standards are certainly holistic, and that’s healthy.