In preparation for an event next week, I’ve been engaged in some research (though quite sketchy) on the subject of cryptography. Here are some notes on the coverage that I’ve found.
As a general rule, search on “Encryption” if you’re looking for strategy and implementation; search on “Cryptography” only if you’re looking for information on technical standards and developments.
Encryption is an element of what Forrester call “Digital Leak Prevention” or DLP, and Forrester’s coverage includes a recent (Oct 2010) Wave on DLP products. This is available for download from CA, who come out of it quite well. There’s also a document named from the aphorism Own Nothing. Control Everything, attributed to John D Rockefeller, which identifies “Five Security Patterns For Securing Data On Devices You Don’t Own”. Worth a read, if you’re a Forrester client, and worth a view of the outline if you’re not.
Gartner’s coverage, at least as thrown up by my search, doesn’t include this level of general advice; there are specifics for iPads, smartphones, and PCI (Payment Card standards) but no general or strategic guides.
But a blog search (via the InformationSpan index) identifies former Burton analyst Raymond Krikken as probably the key person in the Gartner network to follow if you want to keep up with this area. As you’d expect from the Burton stable, there’s some specific and knowledgeable insight here, and research is still being published on Burton’s own website, in line with Gartner’s strategy of maintaining the Burton brand. Burton too speak of DLP, and have advice for the deployment of encryption (a “technical position [that] covers the choices to be made once an organization has determined to use encryption”, dating from mid-2009) as well as specific documents on Cloud and mobile device issues.
Looking at standards and interoperability, the best summary is probably the one from the US National Security Agency, if you can read between the lines of the Agency’s own agenda. RSA Inc.’s own information on the public key standards it co-ordinates seems to be fairly elderly.
If you need an initial briefing, try Wikipedia (where I found material on the newer Elliptic curve cryptography as well as on RSA). There are FAQs on faqs.org, although much of that information appears (on a quick look) to come from newsgroup archives and is not very recent.
• The Forrester Wave: Data Leak Prevention Suites, Q4 2010, Forrester Research, 12 Oct 2010; non-clients can follow the link from the CA release, below
• CA Technologies Named a Leader in Data Loss Prevention by Independent Research Firm, CA Press Release, 25 Oct 2010, with link to download the document
• Own Nothing. Control Everything, Forrester Research, 22 Jan 2010 (summary; full document client-only or for-purchase)
• Using Encryption to Protect Sensitive Data in Cloud Computing Environments, Burton Group, 31 Mar 2010 (full document client-only; non-clients may need to log in with guest credentials to get this link to work, or find it by search from their website)
• What exactly makes a “secure tokenization” algorithm?, Raymond Krikken, Gartner blog network, 21 Oct 2010
• NSA Suite B Cryptography, US National Security Agency, 15 Jan 2009
• Public Key Cryptography Standards (PKCS), RSA Inc.
• Elliptic curve cryptography, Wikipedia (links to RSA and other sections)
• Cryptography FAQ Index from faqs.org
Find the Gartner Blog Index and search on InformationSpan by following the link in the right-hand panel.