A Year ago I had hopes that the world was catching on to Information Security needs. I thought people were starting to think about their information security protections logically - “What am I protecting’ and ‘What protections are required for the information criticality I have’.   The US Government was going the right way, setting a standard. They were having an open and honest competition regarding data-at-rest (DAR) and had formed a team of people to study the problem. We had a Cybersecurity review, there were a lot of good points in it - and things were going to get better.   Then the Financial Crisis got bad, and we have all found that the first thing that goes overboard in a storm is Information Security. So where are we now?……. 

  The standards that the Government spent so much time and money to create are entirely ignored, and there is no one to enforce them. The wild west has returned, products do not meet even basic Information Security standards like FIPS and Common Criteria are being purchased and deployed. Plans to implement common sense policies, procedures and technologies to protect ourselves are being ignored - and money is quickly following in Cybersecurity withotu defining what Cybersecurity means or what the target of our efforts are.

     We need to get focused on providing real protections for Data-at-Rest, belive it or not this is where the majority of data leak occurs. Lost USB Keys, lost laptops, lost external hard drives - we see the stories every day.  The technologies exist already to address the problems, but we lack the resolve to deploy them.

2010 is starting out as the year of renewed Hype cycle. Lot’s of people talking about security, put not much activity in making things secure. So far this year Commercial program have been released to break both Bitlocker (yes, again!) and Truecrypt - one only needs to look as far as www.passware.com to find programs able to crack commerical ‘military strength crypto’.

Hopefully in the remainder of this year, Data-at-Rest protections , and information security more generally, will find solutions getting implemented in order to meet the growing need to secure Data-at-rest; and hopefully we can find better Data-at-rest solutions from the information security vendors to provide real protections.