Sunday, January 11, 2009

How secure is open source disk-encryption?

When it comes to IT security, my recommendation is to always choose the device or software that you deem provides the most effective product for the threat that you are trying to mitigate. When appraising potential devices, the cost of buying, installing and then maintaining them will nearly always be an important consideration. In the unlikely situation of having an unlimited budget, you would obviously choose the best tool available.

In the real world, however, it's important to weigh potential benefits of different options against their costs to ensure that you get the most out of a limited budget. Obviously, an open source product seems attractive if there's a restricted amount of money available to spend. Although if it doesn't meet the evaluation criteria, then the product probably isn't the correct choice. Also, if it is likely to lead to onerous support or administration issues, then these costs need to be taken into account as well. Let's look then at whether open source disk encryption software can provide an effective alternative to shrink-wrapped vendorware.

Firstly, I would never consider any software that uses a proprietary encryption algorithm. At the core of any product with cryptographic services will be its cryptographic module. A cryptographic module using a proprietary encryption algorithm will not have had adequate testing and validation against established standards to provide the necessary security assurance. Obviously with open source software, the cryptographic module is never going to be proprietary and can and will be pored over by security experts.

Read More Article...

No comments: