The Three Laws of Data Encryption

By Rich

Lately (as in, most of the year) I’ve been seeing a lot of chatter around encryption- driven primarily by PCI and concerns about landing on the front page of every major newspaper in the .

It cracks me up that the PCI Data Security Standard calls encryption, “the ultimate security technology” (I think they pulled that line out of the 1.1 version). Encryption is just another tool in the box, albeit a useful one. There is no “ultimate” technology. Unless, of course, you’d like to pay me a very reasonable fee and I’ll provide it to you. Just sign this little EULA agreement not to disclose any benchmark or… oh heck, not to disclose anything at all.

Earlier this year I published a note over with my employer entitled “The Three Laws of Data Encryption”. While I can’t release the note content here (because of the whole wanting to stay employed thing, and if they don’t make money I don’t) here are the three laws as a teaser (since they’ve been published in a few public news articles). Basically, there are only three reasons to encrypt:

  1. If data moves, physically or virtually. E.g. laptops, backup tapes, email, and EDI.
  2. To enforce separation of duties beyond what’s possible with access controls. Usually this only means protecting against administrators, since access controls can stop everyone else. Examples include credit card or social security numbers in databases (when you separate keys from admins) and files in shared storage.
  3. Because someone tells you you have to. I call this “mandated encryption”.

You G clients should check out the note if you want more details (actually, if any of you start using Gartner because of this blog please let me know via email). While the “laws” are totally fracking obvious I’ve found a lot of people run around trying to encrypt without taking the time to figure out what the threats are and if encryption will offer any real value. Like encrypting a column in a database and having the DBA manage the keys.

What are you protecting against? And “hackers” isn’t the answer.

No Related Posts

[...] and don’t forget about the Three Laws. And if you know products I missed, please drop them into the [...]

By Your Simple Guide To Endpoint Encryption Options |

[...] if we go back to the Three Laws of Encryption, there are circumstances where you might consider multiple layers. The most common case is when we [...]

By When To Layer Encryption |

[...] lead to a lot of introspection and the eventual development of the Three Laws of Data Encryption. We can thus divide database encryption into two [...]

By Introduction To Database Encryption |

[...] the Three Laws people. Use your encryption [...]

By Flashback To 2005- Home Depot and Iron Mountain Lo

[...] acquisition of SafeBoot for $350M encryption is in the headlines again. A while ago I wrote the Three Laws of Data Encryption to help users get the most value out of [...]

By Encryption: The Maginot Line Of Data Security | se

Loss is covered by anything can move physically that you’‘re worried will get into the wrong hands. It actually doesn’‘t cover everything because there are ways to encrypt that are easy to get around if you don’‘t do it right. Thus the recommendation for whole-drive laptop encryption.

PCI is the Payment Card Industry Data Security Standard. Sorry, I shouldn’‘t have cribbed. EDI is data exchange, although I should have said that instead of using the acronym.

By rmogull


You forgot loss, which could be covered by extending #1, but it applies to everything.

If we have the drives or tapes today, and want to make sure that even if someone else gets (access to) them, which need not have anything to do with transportation, then encryption can help protect against unauthorized access.

Since your PCI isn’‘t Peripheral Component Interconnect, what are you using PCI & EDI to mean?

Electronic Data Interchange? Meaning general network traffic, or banking, or something eles?

By reppep

If you like to leave comments, and aren’t a spammer, register for the site and email us at and we’ll turn off moderation for your account.