Good point there Rich. I would add that the health IT / medical IT space is more conscious as well. One of the things I had to do as a result of HIPAA regulations was to write security statements. Not just stuff about encryption but a high level description of the entire environment which would include how PHI data is handled or moved throughout the systems. In the event of a breach, the government, in this case, wants to make sure you were following your own policies and procedures. Regulations don't get bogged down in how to do something, only that you do something to satisfy a regulation. Obviously, for encryption standards, in the US it's better to be FIPS compliant than not to be. I would not want to be the guy trying to explain why a single round of XOR manipulation is good.
Even for non-regulatory situations I start with the relevant base recommendations (or FIPS if nothing is recommended) and then keep up to date documentation as well as a method of verifying any encryption types used. Any specific security artistry is also documented. One of the nice things about using LUKS in the Linux world is that you can easily verify what the encryption of a container is without opening it.
In the "cloud" computing context, you're probably not going to get that level of visibility or certification.
I can't say I've ever been asked to verify. Like you, I find that people trust products too much and are willing to settle for things for no other reason than there is a large company name attached to it. When something goes wrong, it's "let's fire the guy who implemented or built the system", not the management who approved it.
I call that "the buck stops there" syndrome :)
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Keith C. Perry, MS E.E.
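The LUKS point above can be turned into a repeatable check. What follows is an added example written for this page, not code from the thread or from cryptsetup: a small POSIX shell script that reads `cryptsetup luksDump` output (which prints the header without unlocking the container) and compares the cipher, mode and key size against a written policy. The policy values, the function names and the three sample header dumps are constructed for the demo; the LUKS1/LUKS2 field names are those `cryptsetup luksDump` actually prints. One caveat worth documenting alongside the policy: for XTS modes the "MK bits" / "Cipher key" value is the combined XTS key, so 512 bits means AES-256, and the script halves it before comparing.

```sh
#!/bin/sh
# Added example (not from the PLUG thread): verify a LUKS header against a
# documented encryption policy without opening the container.
# Real use:     sh luks_policy_check.sh /dev/sdX   (root; runs cryptsetup luksDump)
# Offline demo: sh luks_policy_check.sh           (runs the constructed samples)

# Policy values are assumptions for the demo; put your real policy here.
POLICY_CIPHER="aes"
POLICY_MODE="xts-plain64"
POLICY_MIN_BITS=256

# Read luksDump text on stdin, print "cipher mode masterkeybits" on one line.
# Handles LUKS1 ("Cipher name:", "Cipher mode:", "MK bits:") and LUKS2
# (data segment "cipher: aes-xts-plain64", keyslot "Cipher key: 512 bits").
luks_cipher_info() {
    awk '
        $1 == "Cipher" && $2 == "name:"            { c = $3 }
        $1 == "Cipher" && $2 == "mode:"            { m = $3 }
        $1 == "MK"     && $2 == "bits:"            { b = $3 }
        $1 == "cipher:" && full == ""              { full = $2 }
        $1 == "Cipher" && $2 == "key:" && b == ""  { b = $3 }
        END {
            if (full != "") {
                i = index(full, "-")
                c = substr(full, 1, i - 1); m = substr(full, i + 1)
            }
            if (c != "" && m != "" && b != "") print c, m, b
        }'
}

# XTS uses two keys, so the stored key size is twice the effective AES key size.
effective_key_bits() {
    case "$1" in
        xts-*) echo $(( $2 / 2 )) ;;
        *)     echo "$2" ;;
    esac
}

# Read luksDump text on stdin; print OK/FAIL line and return 0/1 accordingly.
luks_policy_verdict() {
    info=$(luks_cipher_info)
    [ -n "$info" ] || { echo "FAIL: no cipher information found in header dump"; return 1; }
    set -- $info
    cipher=$1; mode=$2; mkbits=$3
    eff=$(effective_key_bits "$mode" "$mkbits")
    if [ "$cipher" = "$POLICY_CIPHER" ] && [ "$mode" = "$POLICY_MODE" ] \
       && [ "$eff" -ge "$POLICY_MIN_BITS" ]; then
        echo "OK: $cipher-$mode, ${eff}-bit key (stored key $mkbits bits)"
        return 0
    fi
    echo "FAIL: $cipher-$mode, ${eff}-bit key does not meet policy $POLICY_CIPHER-$POLICY_MODE >= $POLICY_MIN_BITS bits"
    return 1
}

# Dump the header of a real device (no passphrase needed) and check it.
luks_policy_check() {
    cryptsetup luksDump "$1" | luks_policy_verdict
}

# Constructed sample dumps for the offline demo (field layout as luksDump prints it).
sample_luks1_dump() {
cat <<'EOF'
LUKS header information for /dev/sdb1

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Payload offset: 4096
MK bits:        512
EOF
}

sample_luks2_dump() {
cat <<'EOF'
LUKS header information
Version:        2
Epoch:          3

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        length: (whole device)
        cipher: aes-xts-plain64
        sector: 512 [bytes]

Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        Cipher key: 512 bits
        PBKDF:      argon2id
EOF
}

sample_weak_dump() {
cat <<'EOF'
LUKS header information for /dev/sdc1

Version:        1
Cipher name:    aes
Cipher mode:    cbc-essiv:sha256
Hash spec:      sha1
MK bits:        128
EOF
}

if [ $# -gt 0 ]; then
    luks_policy_check "$1"
else
    sample_luks1_dump | luks_policy_verdict
    sample_luks2_dump | luks_policy_verdict
    sample_weak_dump  | luks_policy_verdict || true   # expected to FAIL
fi
```

The point of keeping the check in a script next to the written policy is that an auditor (or the next admin) can re-run it against every container and compare the verdicts with the documentation, instead of trusting a statement that the disks "are encrypted".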
From: "Rich Freeman" <email@example.com>
To: "Philadelphia Linux User's Group Discussion List" <firstname.lastname@example.org>
Sent: Saturday, October 25, 2014 8:21:40 PM
Subject: Re: [PLUG] Spark Core (corrected)
On Sat, Oct 25, 2014 at 11:24 AM, Keith C. Perry
I will say that I've had more clients in the last couple of years, especially
smaller organizations, ask about encryption services. Everyone at this point
at least asks about the methodology we use to handle their data.
The only issue with this is that many times it is the same PHBs asking
these sorts of questions. I've been hearing vendors tell me about
things being encrypted for ages, and usually somebody just XORed
something before storing it in the database.
Even decent encryption is only as good as its implementation, and I
doubt that many companies seriously check to see that the encryption
even tries to be decent.
I think the insurance industry actually has the potential to change
things here. At work the fire insurance auditor always seems to be
the driver for making sure those breaker boxes are clear and so on.
Insurance companies are actually in the business of risk estimation
and if they get it wrong it hits their bottom line. On the other
hand, many big companies just self-insure for these sorts of things
and fire a scapegoat when things go wrong even though they never had
enough budget to do anything to prevent the problem in the first
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug