If you had to choose between an insdustry Standard encryption product and a new soon to be a standard which product will you choose?
i.e PKI/PGP/SMIME vs IBE
George Antoniou
Director Information Security at Sodexo
I can’t address the specifics of IBE, but as a general principle I’d go with the standard. Unless you have a vested business interest in the new product or there is some overwhelming technical consideration, the risks should steer you towards the standard.
1) A standard has had more review and scrutiny and has usually been well proven and revised as needed to address any gaps
1b) Risks of unknown gaps or exploits. Time and widespread acceptance are usually the only ways that these gaps are exposed.
2) Adoption of a standard is much more likely than that of a new technology. Dealing with business partners or units within your own organization would likely require negotiations and training to get them onboard with a “non-standard”
3) Classification and approval for export. This is a big consideration for encryption technologies. Chances are that getting approval for the export/import of a “standard” will be much easier that for a new technology. You may find yourself out of luck when/if you have a need to deploy internationally, simply because the various governments haven’t decided how to handle the new technology.
4) Availability of compatible tools sets. Key distributions, monitoring, audit tools, etc. will be much more readily available for a standard than for a new technology.
5) Integration with existing products. (see #4)
So..while I’m a big fan of the “bleeding edge” in my personal life, when dealing with a business application, I would tend to err on the side of caution and stick with the standards.
Sandbox your new technology and develop some experience with it so that you’ll be ready to run with it when there’s a bit more of a track record. Roll it out onto some lower risk platforms when you’re ready. But always be cautious with your critical production systems.
Leave a comment