With all of the benefits that encryption offers, why are there not many more large-scale encryption successes? While many of the encryption hardware appliances are touted as plug-and-play, getting encryption to work in the enterprise is a significant undertaking. Effective encryption requires many things, including the following:
* Attention to detail
* Good design
* Good project management
* Comprehensive documentation
* Responsible ownership
Many companies are simply not willing to commit sufficient time and effort. As a result, many of the encryption roll-outs that have been attempted have been nothing more than stop-gap solutions to keep the auditors and customers happy. Simply getting it done often takes precedence over proper key management, documentation, processes, etc. These factors, and others, combine to keep encryption implementations from becoming ubiquitous.
This effort to simply get it done does not jibe with an effective and optimally deployed encryption solution. The problem is that such a reactive approach to encryption often results in a highly fragmented encryption infrastructure, which may well collapse upon itself not long after deployment.
In fact, Eric Ouellet writes in Tactical Deployment Scenarios for Corporate Encryption [registration required] that organizations should understand that it may take two or three years to complete all the activities involved within the more-complex encryption deployment scenarios. This is primarily due to internal political sensitivity, application testing and workflow or database use modifications. Organizations are advised to break their encryption projects into smaller, more manageable portions, while keeping the bigger picture in mind when deploying solutions to address their encryption requirements. This approach combines tactical and strategically planned implementation, which helps to ensure the overall success of the endeavor.