You are who you say you are...
...or are you? At the recent Privacy and Security Forum, Veracode's CTO, Chris Wysopal, gave a talk entitled "Exposing the Holes: Where Hackers are Finding and Exploiting Gaps in Your Security Infrastructure."
He spent a portion of the session talking about the uses of encryption technology and where it falls short. For instance, he mentioned that encryption is good for situations like laptop and storage security, but if you're a victim of a phishing or SQL injection attack (or really just about any scenario where access to applications is compromised), you might as well leave your wallet in a subway car because that is just about how vulnerable you will be.
The problem with most enterprise application password security is that it's pretty black and white: if you gain access, you are who you say you are as far as the applications are concerned. Encryption at rest doesn't change that, because the application decrypts the data on behalf of whoever holds a valid session. So, encrypted or not, you have free run of the data within because, well, you're authorized to be there. Much like when an underage person gets into a nightclub: the door person checked their ID and it looked legit. Chances are pretty slim that someone on the inside is going to catch them quickly, if at all.
There is a remedy for this, of course: data masking. Masking replaces the sensitive values in a dataset with realistic but fictitious ones, so if a hacker steals a masked copy of the data, it's useless to them. The masked data still behaves correctly inside the applications themselves (formats validate, records still join up), but because the sensitive information is fictitious, a thief can't use it for anything harmful.
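To make concrete what "realistic but fictitious" means, here is an added example of a small masking job (example code written for this page, not a Veracode tool or anything from the talk). It assumes a masking key that exists only inside the masking job, and two constructed tables that share a customer_id column. Each sensitive cell is replaced with a value derived from a keyed HMAC of the cell, so the substitution is deterministic (the same customer_id masks the same way in every table and joins keep working), format-preserving (an SSN still looks like an SSN), and one-way without the key. The field names, rules and sample rows are all assumptions for the example.

```python
"""Deterministic, format-preserving data masking (added example, not the page's own code)."""
import hashlib
import hmac
import re
from typing import Callable, Dict, List

# Constructed key for this example run. The key lives only inside the masking
# job; the masked copy can be handed to test/dev teams without it.
MASKING_KEY = b"example-masking-key-not-for-production"

# Constructed lookup tables for realistic-looking substitute names.
FAKE_FIRST = ["Ana", "Ben", "Chloe", "Dev", "Erin", "Femi", "Grace", "Hiro"]
FAKE_LAST = ["Adler", "Brooks", "Cortez", "Dubois", "Ekwueme", "Farrow", "Gupta", "Hale"]


def _digest(field: str, value: str, key: bytes = MASKING_KEY) -> bytes:
    """Keyed one-way digest of a cell. Binding the field name in means the same
    raw string masks differently in different columns."""
    return hmac.new(key, field.encode() + b"\x00" + value.encode(), hashlib.sha256).digest()


def mask_digits(field: str, value: str) -> str:
    """Format-preserving: each digit is replaced by a derived digit; dashes,
    spaces and parentheses are kept, so SSN/phone validators still pass."""
    # 2**256 has 78 decimal digits, plenty for any realistic identifier.
    pool = str(int.from_bytes(_digest(field, value), "big")).zfill(78)
    out, i = [], 0
    for ch in value:
        if ch.isdigit():
            out.append(pool[i])
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def mask_name(field: str, value: str) -> str:
    d = _digest(field, value)
    return f"{FAKE_FIRST[d[0] % len(FAKE_FIRST)]} {FAKE_LAST[d[1] % len(FAKE_LAST)]}"


def mask_email(field: str, value: str) -> str:
    # Syntactically valid, but routed to a reserved domain so test mail goes nowhere real.
    return f"user{_digest(field, value).hex()[:10]}@example.com"


# Per-column rules (assumed schema). Columns without a rule are non-sensitive and pass through.
RULES: Dict[str, Callable[[str, str], str]] = {
    "customer_id": mask_digits,  # same rule and key in every table, so joins survive
    "name": mask_name,
    "ssn": mask_digits,
    "email": mask_email,
    "phone": mask_digits,
}


def mask_row(row: Dict[str, str]) -> Dict[str, str]:
    return {k: RULES[k](k, v) if k in RULES else v for k, v in row.items()}


def mask_table(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    return [mask_row(r) for r in rows]


def joins_intact(customers: List[Dict[str, str]], orders: List[Dict[str, str]]) -> bool:
    """Referential-integrity check: every order still resolves to a customer."""
    ids = {c["customer_id"] for c in customers}
    return all(o["customer_id"] in ids for o in orders)


# Constructed sample data: two tables sharing customer_id.
CUSTOMERS = [
    {"customer_id": "1001", "name": "Jane Q. Public", "ssn": "123-45-6789",
     "email": "jane.public@realbank.example", "phone": "(555) 010-2233", "plan": "gold"},
    {"customer_id": "1002", "name": "John Doe", "ssn": "987-65-4321",
     "email": "jdoe@realbank.example", "phone": "(555) 010-9988", "plan": "basic"},
]
ORDERS = [
    {"order_id": "A1", "customer_id": "1001", "amount": "42.00"},
    {"order_id": "A2", "customer_id": "1002", "amount": "7.50"},
    {"order_id": "A3", "customer_id": "1001", "amount": "13.37"},
]

SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")

if __name__ == "__main__":
    masked_customers, masked_orders = mask_table(CUSTOMERS), mask_table(ORDERS)
    for row in masked_customers:
        print(row)
    print("joins intact:", joins_intact(masked_customers, masked_orders))
```

Two caveats a practitioner should keep in mind. First, this kind of masking protects the copies that were masked; the production system still has to hold real data, so masking is a complement to access control and encryption, not a substitute. Second, deterministic masking is only as strong as the secrecy of the key: with the key, anyone can mask a guessed input and compare, so a small input space (four-digit IDs, say) becomes a dictionary attack. Keep the key out of the masked environment entirely.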
So, while encryption is certainly effective in many areas, a company would be best served to ensure data security by adding masking to its IT security arsenal.