ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    Local Encryption ... Why Not?

    Scheduled Pinned Locked Moved IT Discussion
    357 Posts 15 Posters 190.8k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • scottalanmillerS
      scottalanmiller @BRRABill
      last edited by

      @BRRABill said:

      But it is not reasonable to think you'd "encrypt" paper. You would do whatever reasonable things you could do to protect it. Lock it up a rest, and keep it from being stolen if it is out on the town.

      What would make paper and disk different? Given that they are effectively identical, why is one reasonable and the other not? If you think disks should be encrypted, wouldn't that imply that all paper should just be encrypted? It's local so... why not?

      BRRABillB 1 Reply Last reply Reply Quote 0
      • scottalanmillerS
        scottalanmiller @BRRABill
        last edited by

        @BRRABill said:

        It is certainly reasonable to think you'd encrypt a laptop.

        Why, you just said that paper was not reasonable to encrypt. The logic that makes paper need to be insecure would extend to the laptop, right?

        BRRABillB 1 Reply Last reply Reply Quote 0
        • BRRABillB
          BRRABill @scottalanmiller
          last edited by

          @scottalanmiller said:

          What would make paper and disk different? Given that they are effectively identical, why is one reasonable and the other not? If you think disks should be encrypted, wouldn't that imply that all paper should just be encrypted? It's local so... why not?

          Because there is no reasonable way to encrypt paper.

          There is a very reasonable, easy-to-use, and inexpensive way to encrypt disks that I have demonstrated healthcare organizations use.

          scottalanmillerS 1 Reply Last reply Reply Quote 0
          • BRRABillB
            BRRABill @scottalanmiller
            last edited by

            @scottalanmiller said:

            @BRRABill said:

            It is certainly reasonable to think you'd encrypt a laptop.

            Why, you just said that paper was not reasonable to encrypt. The logic that makes paper need to be insecure would extend to the laptop, right?

            Sure, it would be reasonable if it was possible.

            If you are implying you cipher the text on the page, well, again that's not reasonable because how could anymore read it?

            WIth a SED, the user has to do nothing more than they are used to doing, which is log in to their machine.

            One is impossible, and silly.

            The other is widely used, and acceptable to the only organization that matters in the HIPAA fine discussing, the OCR.

            scottalanmillerS 1 Reply Last reply Reply Quote 0
            • BRRABillB
              BRRABill
              last edited by

              You can see, there are many safeguards with paper as well.

              But since there is no way to encrypt paper, it doesn't apply.

              http://privacyoffice.med.miami.edu/awareness/tips/protect-paper-records-with-sensitive-information

              scottalanmillerS 1 Reply Last reply Reply Quote 0
              • scottalanmillerS
                scottalanmiller @BRRABill
                last edited by

                @BRRABill said:

                @scottalanmiller said:

                What would make paper and disk different? Given that they are effectively identical, why is one reasonable and the other not? If you think disks should be encrypted, wouldn't that imply that all paper should just be encrypted? It's local so... why not?

                Because there is no reasonable way to encrypt paper.

                There is a very reasonable, easy-to-use, and inexpensive way to encrypt disks that I have demonstrated healthcare organizations use.

                That's debatable. Encrypting data is only easy as long as you decrypt it and leave it unprotected when going to the end user. Encrypt that data end to end and it gets very hard.

                1 Reply Last reply Reply Quote 0
                • scottalanmillerS
                  scottalanmiller @BRRABill
                  last edited by

                  @BRRABill said:

                  @scottalanmiller said:

                  @BRRABill said:

                  It is certainly reasonable to think you'd encrypt a laptop.

                  Why, you just said that paper was not reasonable to encrypt. The logic that makes paper need to be insecure would extend to the laptop, right?

                  Sure, it would be reasonable if it was possible.

                  If you are implying you cipher the text on the page, well, again that's not reasonable because how could anymore read it?

                  WIth a SED, the user has to do nothing more than they are used to doing, which is log in to their machine.

                  One is impossible, and silly.

                  The other is widely used, and acceptable to the only organization that matters in the HIPAA fine discussing, the OCR.

                  Impossible? It's literally identical to the digital way. It's VERY possible. if it was not, computers could not do it either.

                  1 Reply Last reply Reply Quote 0
                  • scottalanmillerS
                    scottalanmiller @BRRABill
                    last edited by

                    @BRRABill said:

                    You can see, there are many safeguards with paper as well.

                    But since there is no way to encrypt paper, it doesn't apply.

                    http://privacyoffice.med.miami.edu/awareness/tips/protect-paper-records-with-sensitive-information

                    There is EVERY way to encrypt paper. We can all do it. Kids do it every day. Saying that this is all not true doesn't make it untrue.

                    1 Reply Last reply Reply Quote 1
                    • scottalanmillerS
                      scottalanmiller
                      last edited by

                      I totally understand that one system is more automated than the other and it is easier to use computers than not to use computers, but we are already going to the high effort paper world here. ALL security that applies to a drive applies to paper, all, no exceptions. They are the same type of thing (bits on physical media.) You can, at any point, print disk data to paper and vice versa. They are interchangeable.

                      But it would be trivially easy to put in a little encryption on paper end to end. Super easy. But we don't bother, we just ignore security there.

                      Although it needs to be pointed out, we don't encrypt anything digitally end to end, but we take it much farther.

                      1 Reply Last reply Reply Quote 0
                      • scottalanmillerS
                        scottalanmiller
                        last edited by

                        I understand in the HIPAA world because security is not a related topic and laws are, it's probably worth encrypting local drives, even if we lose data, because we don't care about losing data, we care about getting sued. But it is really important to understand that the reasons we do it for HIPAA are not security related and that HIPAA discussions don't apply to non-HIPAA discussions.

                        BRRABillB 1 Reply Last reply Reply Quote 0
                        • BRRABillB
                          BRRABill @scottalanmiller
                          last edited by

                          @scottalanmiller said:

                          I understand in the HIPAA world because security is not a related topic and laws are, it's probably worth encrypting local drives, even if we lose data, because we don't care about losing data, we care about getting sued. But it is really important to understand that the reasons we do it for HIPAA are not security related and that HIPAA discussions don't apply to non-HIPAA discussions.

                          Agreed.

                          Though I also use SED personally. Just in case.

                          I'm a "WHAT IF"-er. 😉

                          1 Reply Last reply Reply Quote 0
                          • BRRABillB
                            BRRABill
                            last edited by

                            You know, whilst at lunch today, this paper thing (and encryption in general) kind of clicked for me.

                            (This story might seem long winded, but it has a point)

                            I had my trusty little Moleskin mini notebook with me, with notes I had jotted down on Christmas gifts. I usually put this thing in my shirt pocket, but I have no shirt pocket today, so I put it in my back pants pocket. Then I thought ... what if this thing fell out of my pocket? So what? I said to myself. Ah. There it is. There is nothing of value in there. I don't write anything personal or sensitive in there. If I ever did need to, I would encode it, as we have been talking about. Like add 5 to all the PIN numbers or something. But generally I would know better than to store anything important in a notebook I carry around in my pocket and could lose.

                            Now, being the paranoid type, I would still worry that I had something in there. Because sometimes I admit I am a little careless about things. But for the most part I wouldn't worry about it.

                            Same things holds for other notebooks I have. I write some more sensitive stuff in them, but they are more for my inside the office use. Very slim chance of them getting lost. Though I always write code in those too, just to protect from prying eyes.

                            1 Reply Last reply Reply Quote 1
                            • scottalanmillerS
                              scottalanmiller
                              last edited by

                              Here is someone fearful of encryption ending up, by accident, acting like a threat: http://community.spiceworks.com/topic/1357724-de-encrypting-network-shares-server-question

                              DashrenderD BRRABillB 2 Replies Last reply Reply Quote 0
                              • DashrenderD
                                Dashrender @scottalanmiller
                                last edited by

                                @scottalanmiller said:

                                Here is someone fearful of encryption ending up, by accident, acting like a threat: http://community.spiceworks.com/topic/1357724-de-encrypting-network-shares-server-question

                                I'm not sure how he would prevent someone from putting encrypted files onto the network?

                                1 Reply Last reply Reply Quote 0
                                • scottalanmillerS
                                  scottalanmiller
                                  last edited by

                                  Yeah, he can prevent one system from doing it, but not someone encrypting files and dropping them.

                                  1 Reply Last reply Reply Quote 1
                                  • BRRABillB
                                    BRRABill @scottalanmiller
                                    last edited by

                                    @scottalanmiller said:

                                    Here is someone fearful of encryption ending up, by accident, acting like a threat: http://community.spiceworks.com/topic/1357724-de-encrypting-network-shares-server-question

                                    I never said there weren't risks.

                                    You always have to have systems to get around the encryption for your own uses, and also good backups.

                                    scottalanmillerS 1 Reply Last reply Reply Quote 0
                                    • scottalanmillerS
                                      scottalanmiller @BRRABill
                                      last edited by

                                      @BRRABill said:

                                      @scottalanmiller said:

                                      Here is someone fearful of encryption ending up, by accident, acting like a threat: http://community.spiceworks.com/topic/1357724-de-encrypting-network-shares-server-question

                                      I never said there weren't risks.

                                      You always have to have systems to get around the encryption for your own uses, and also good backups.

                                      But if there are risks, that answers the "why not" question. It's only in cases where there is no or effectively no downsides (good examples are virtualize every server and open sources is always better than closed source for end users) where you don't have to weigh the options. But with encryption, it's not a clear win. The weighting leans heavily towards encryption, I grant you, but there are downsides strong enough to warrant needing to consider if it is truly adding enough to make up for what it takes away. It remains situational.

                                      BRRABillB 1 Reply Last reply Reply Quote 0
                                      • BRRABillB
                                        BRRABill @scottalanmiller
                                        last edited by

                                        @scottalanmiller said:

                                        But if there are risks, that answers the "why not" question. It's only in cases where there is no or effectively no downsides (good examples are virtualize every server and open sources is always better than closed source for end users) where you don't have to weigh the options. But with encryption, it's not a clear win. The weighting leans heavily towards encryption, I grant you, but there are downsides strong enough to warrant needing to consider if it is truly adding enough to make up for what it takes away. It remains situational.

                                        True, though as I have said (and as the recent article posted from InfoWorld) if we can somehow move to a world where everything is encrypted, and there is little cost, that would be ideal, I think.

                                        1 Reply Last reply Reply Quote 0
                                        • DashrenderD
                                          Dashrender
                                          last edited by

                                          Considering the current political climate - I'm wondering how long until HIPAA is repealed because of it's leanings toward encryption. LOL

                                          I say this in complete jest, but damn.. those fools!

                                          1 Reply Last reply Reply Quote 1
                                          • BRRABillB
                                            BRRABill
                                            last edited by

                                            I'm really torn in the discussion of a governmental backdoor to all encryption, as they want.

                                            One one hand, I don't trust the government, and I do think we should be able to protect our data.

                                            On the other hand, people always say "what if your child was abducted and the info was on the person's phone but they couldn't access it", or to be able to intercept terroristic threats.

                                            So I see both sides.

                                            Typically, though, I lean towards encryption.

                                            scottalanmillerS 1 Reply Last reply Reply Quote 0
                                            • 1
                                            • 2
                                            • 14
                                            • 15
                                            • 16
                                            • 17
                                            • 18
                                            • 18 / 18
                                            • First post
                                              Last post