Data encryption is ever more important; indeed, it is demanded by regulators. As Certes Networks’ Paul German explains, it is only by decoupling encryption from its current ‘add-on’ role that the needs of both CTO and CISO can, finally, be addressed.
Data encryption is the gold standard for corporate security. Yet for most organizations, data in motion remains the big corporate conundrum. With the rise of mobile devices and changing working practices, more data than ever is flowing within and outside organizations, and unencrypted data is becoming a major security concern.
The problem, however, is not one of understanding; 51% of organizations want to use encryption to secure sensitive data traffic, but can’t, according to Spiceworks’ Global IT Manager Survey. The problem is that the industry continues to ask businesses to make a compromise by bundling encryption into other parts of the security or networking infrastructure.
For the CISO, under huge pressure from standards bodies such as PCI and ISO, the key requirement is to lock down the network and encrypt all data in motion. For the CTO, tasked with implementing this strategy, the need to improve security and avoid any breach makes perfect sense, but the priority is to deliver a high-performance network and application infrastructure. These two mandates are in direct opposition and lead to a conflict that is thorny to resolve.
Escalating Risk
Facing the reality of a potential 75% drop in network performance as a result of turning on encryption within the firewall, router or switch, most CTOs have no option but to renege on the encryption commitment, leaving the CISO powerless and the organization at risk of serious breach.
However committed to the concept of a secure infrastructure, as soon as any user complains about slow throughput or application access problems, the IT team’s immediate response is to switch off encryption and deliver a hike in performance. Furthermore, the problem with traditional data-in-motion security is not only the impact on the performance of network devices and applications. The CTO also faces a big resource drain: it can take hours to configure a new site, and device-level encryption is both easy to misconfigure and hard to monitor and audit.
The issue for both CISO and CTO is being compounded by the rise in BYOD, remote access and cloud-based applications. The use of personal devices and access to externally hosted applications continues to grow – yet the CTO cannot deliver the security required in line with the CISO’s requirements. The result is shadow IT.
Flawed Model
This whole problem is due to the security industry’s persistence in expecting network devices such as firewalls and routers to double up and deliver encryption. For a firewall, encryption is a hobby, not its main purpose; this approach is simply not adequate for today’s threat landscape. For the defense-in-depth model to truly work effectively, organizations need to decouple encryption and deploy dedicated devices designed specifically for this purpose. In addition to avoiding any degradation in network performance, dedicated data-in-motion solutions offer a single point of control, removing the complex, time-consuming configuration and management overhead.
With one central point of control, responsibility for encryption no longer lies with the IT team but can be handled by the CISO. The process is not only transparent to the essential network equipment, but with user-specific encryption, control is, finally, back in the hands of the person with a mandate to protect the business.
Today, the fact that CISOs have the responsibility for protecting sensitive data in motion but no control over the implementation of those controls is clearly flawed. Yet the need for truly effective encryption has never been greater. It is only by decoupling encryption that an organization can maintain network performance and, critically, enable the CISO to realize the gold standard security vision.
Paul German is VP EMEA of Certes Networks. He has spent more than 18 years in the industry, gaining broad experience from roles at Sipera Systems, Cisco, Siemens Network Systems and Lehman Brothers.
This feature was originally published in the Q2 2015 issue of Infosecurity, available free in print and digital formats to registered users.