A new study demonstrates the increasing importance businesses around the world attach to using encryption to protect information and data.
The Ponemon Institute has recently published its fifteenth Global Encryption Trends Study. The report explores how leading organisations around the world are developing encryption strategies and highlights some of the different use cases for encryption.
Protecting information and data through encryption is increasingly recognised as critical for organisations. Over the last 15 years, the number of businesses with encryption plans that are consistently applied across the whole organisational has risen steadily, from just 15% in 2006 to 48% today. Only 13% of businesses have no encryption strategy at all.
There are several reasons for businesses to encrypt data. Common reasons cited in the research include protecting intellectual property and complying with data security regulations. But for the first time, the most common reason given is to protect personal customer data.
The protection of personal data for its own sake, rather than simply to meet compliance mandates shows that organisations are starting to understand that protecting customer (and employee) data is an integral part of protecting corporate reputations.
Protecting data not networks
The concept of a secure organisational IT network is increasingly redundant as more and more data is stored on personally owned devices and taken outside company premises. And if you can no longer rely on a secure network to protect your data, then you need to secure the data itself. And you can do that with encryption.
Protecting data through encryption is critical because data breaches still happen. The most likely cause is employee mistakes, according to the report. Unfortunately protecting data can be problematic: two thirds of businesses claim that discovering where sensitive data resides in the organisation is the most difficult challenge.
Encryption that works
Not all encryption services are created equally. According to the research, the features most valued are:
- system performance and latency,
- the ability of the system to enforce security policies, and
- support for encryption in the cloud as well as on company premises
System performance is closely bound up with system usability. And an essential part of any encryption system is managing where the encryption keys are kept. Improvements are needed here. Sixty percent of respondents consider key management to be “very painful”. Why is this? Two reasons come to the fore: a lack of clear ownership and lack of skilled personnel. Neither of these seem to be insurmountable problems.
The reason that these problems exist is probably because encryption is often seen as a technical rather than a strategic issue. Companies use a variety of key management systems. Sophisticated organisations will employ formal key management infrastructure or formal key management policies. But all too often, and in the absence of strong strategic direction, manual processes are used and these can easily be subverted or carelessly applied.
Hardware security modules
One solution to the problem of key management is the use of hardware security modules (HSM). These are special “trusted” platforms performing various cryptographic operations including encryption key management.
It’s fairly obvious that encryption should be performed in a trusted environment where no malware is present and there can be no unauthorised access. An HSM is trusted because:
- It’s built with specialised hardware that has been tested and certified in specialist laboratories.
- It runs on an operating system that has a special focus on security
- It has limited access to the wider network, and that access is strictly controlled by internal rules
- It’s designed to actively protect cryptographic material
It is for these reasons that HSMs are increasing in popularity. In fact, the overall average deployment rate for HSMs is now 48 percent with organisations in Germany and the United States most likely to deploy them.
If it is accepted that encryption is a critical imperative, it should also be recognised that encryption should be easy to operate. Otherwise people will find ways to avoid using it. And a big part of that is key management. It seems likely, then, that more and more organisations will employ hardware security modules as an essential part of their security strategies.
The Ponemon encryption study surveyed 6,457 individuals across multiple industry sectors in 17 countries including the USA, Japan, Brazil, Australia, South Korea, Germany, France and the UK. It was sponsored by nCipher Security, an Entrust Datacard company, and the leading provider of cryptographic solutions designed to deliver trust, integrity and control to business critical information and applications. The full study is available here.