Share

Related Stories

  • Honey Encryption joins Honeywords and Honeypots in the Security Lexicon
    'Honey' is the traditional term used to indicate a 'decoy' in computing. Two researchers have now used the epithet to describe their process of hiding a true key within a large number of false keys, making brute forcing stolen databases considerably more tricky.
  • 2014: ‘The Year of Encryption?’
    Will 2014 see a big uptick in the use of biometric technologies, strong encryption, a rash of new key technologies and more? Some say that the era of having unencrypted data traffic flowing freely inside enterprises will likely soon come to a crashing halt, helped along by the US government, the Apple iPhone and other drivers.
  • Despite NSA Crypto-Meddling, Microsoft Plans Office 365 Encrypted Email
    In the wake of NIST-developed encryption algorithms being called into question due to alleged weakening by the National Security Agency, encrypted email services like Silent Circle's Silent Mail decided to shut down. But Microsoft is instead leaping into the breach, with a new version of Exchange Hosted Encryption (EHE), dubbed Office 365 Message Encryption.
  • Automatic IFS Encryption for IBM i with New Release from Linoma Software
    Linoma Software’s Crypto Complete data encryption solution is breaking ground on IBM i by providing automatic encryption of files stored on the operating system’s integrated file system (IFS).
  • Comment: Encryption is Critical for IaaS
    When organizations move their data to the cloud, traditional security measures may not be effective. With some basic knowledge, Bill Hackenberger of HighCloud Security says companies can take advantage of Infrastructure-as-a-Service, while keeping their data private

Top 5 Stories

News

Data Encryption Use Increases, but Key Management Remains an Issue

11 February 2014

Although there are still major challenges in executing data encryption policies, the use of encryption continues to grow in response to consumer concerns, privacy compliance regulations and ongoing data breaches in the headlines.

The 2013 Global Encryption Trends Study, written by the Ponemon Institute and sponsored by Thales, reveals that there has been a steady increase in the deployment of encryption solutions used by organizations over the past nine years, with 35% of organizations now having an encryption strategy applied consistently across the entire enterprise compared with 29% last year. The survey also indicated that only 14% of organizations surveyed do not have any encryption strategy at all, compared with 22% last year.

However, barriers to adoption are persisting. The two biggest challenges facing organizations executing a data encryption policy were discovering where sensitive data actually resides, reported by 61% of respondents, and the ability to deploy encryption technology effectively, reported by 50% of respondents.

Key management was identified as a major issue, with more than half of organizations surveyed rating the overall challenge associated with management of keys or certificates more than seven on a scale of one to 10 (10 being highest), and 30% of organizations rated the challenge at nine or 10. While three-quarters of organizations identified key management as a formal discipline within their organization, more than 70% of those organizations failed to allocate dedicated staff or tools to the task of managing keys.

“Encryption usage continues to be a clear indicator of a strong security posture, but there appears to be emerging evidence that concerns over key management are becoming a barrier to its more widespread adoption,” said Larry Ponemon, chairman and founder of The Ponemon Institute, in a statement. “For the first time in this study we drilled down into the issue of key management and found it emerging as a huge operational challenge. But questions are and should be asked about the broader topics of policy issues and choice of encryption algorithms – especially in the light of recent concerns over back doors, poorly implemented crypto systems and weak key management systems.”

The Key Management Interoperability Protocol (KMIP) standard that allows organizations to deploy centralized key management systems that span multiple use cases and equipment vendors, has already established a relatively high level of awareness among IT and IT security practitioners. KMIP is perceived to be of increasing importance and is expected to contribute to encryption and key management strategies specifically around cloud, storage and application-level encryption. More than half of those surveyed said that the KMIP standard was important in cloud encryption compared with 42% last year.

Hardware security modules (HSMs) are increasingly considered a critical component of a key management strategy. These devices are used to protect critical data processing activities and high value keys and can be used to strongly enforce security polices and access controls.

“While key management may be emerging as a barrier to encryption deployment, it is not a new issue,” said Richard Moulds, vice president strategy at Thales e-Security. “The challenges associated with key management have already been addressed in heavily regulated industries such as payments processing, where best practices are well proven and could translate easily to a variety of other verticals. With more than 40 years’ experience providing key management solutions. Thales is ideally positioned to help organizations re-assess and re-evaluate their crypto-security and key management infrastructure and deliver solutions that ensure their integrity and trustworthiness.”

Meanwhile, the study showed that the fastest growing reason as to why organizations are deploying encryption is to ensure they meet their commitments to their customers’ privacy, with 42% of organizations focusing on their customer’s interests rather than for their own benefit, which has increased by 5% compared with last year.

Meanwhile the primary driver for deploying encryption in most organizations is to lessen the impact of data breaches, whereas in previous years the primary concern was protecting the organization’s brand or reputation. Of those organizations that believe they have an obligation to disclose data breaches, the report found that nearly half believe that encrypting their data provides a safe harbor that avoids the need to disclose that the actual breach occurred.

The No. 1 perceived threat to the exposure of sensitive or confidential data remains employee mistakes, according to 27% of respondents. When employee mistakes are combined with accidental system or process malfunctions, concerns over inadvertent exposure outweigh concerns over actual malicious attacks by more than 2 to1. Furthermore, forced disclosures triggered by e-discovery requests now represent the second highest perceived threat to the loss of sensitive data.

When asked about where encryption is used, organizations ranked backup tapes and databases as most important followed by network encryption and laptop encryption. Cloud encryption had a relatively low ranking compared with other encryption use cases ranking outside the top 10.

This article is featured in:
Encryption  •  Industry News

 

Comment on this article

You must be registered and logged in to leave a comment about this article.

We use cookies to operate this website and to improve its usability. Full details of what cookies are, why we use them and how you can manage them can be found by reading our Privacy & Cookies page. Please note that by using this site you are consenting to the use of cookies. ×