Attacks/Breaches
4/14/2017
09:28 AM
Connect Directly
Twitter
Twitter
RSS
E-Mail
50%
50%

The Long Slog To Getting Encryption Right

Encryption practices have improved dramatically over the last 10 years, but most organizations still don't have enterprise-wide crypto strategies.

While enterprises are making meaningful progress on improving their encryption practices, there's still a lot of work to go. Several major studies out in the last several months have underlined the highs and lows of encryption trends out in the real world.

On the plus side, the most recent research out this week from Ponemon Institute and Thales shows that the existence of enterprise-wide encryption strategies has more than doubled in the last decade and organizations are responding to cloud risks with improved encryption deployments for data at rest and in transit. On the negative side, this study and other industry numbers suggest that we haven't yet reached the tipping point of more than half of organizations following best practices--and that a sizeable number of organizations that use encryption are making big mistakes along the way.

“The accelerated growth of encryption strategies in business underscores the proliferation of mega breaches and cyberattacks, as well as the need to protect a broadening range of sensitive data types," says Dr. Larry Ponemon of Ponemon Institute. "Simply put, the stakes are too high for organizations to stand by and wait for an attack to happen to them before introducing a sophisticated data protection strategy."

This is the twelfth year running of the Global Encryption Trends Study and Ponemon has found that since 2006, the ratio of organizations with enterprise-wide encryption strategies has risen from under 20% to over 40%. It's a steady drumbeat of improvement, but the fact remains that the majority of organizations still don't have such a policy. Nevertheless, the steady tick upwards and additional survey data show that worries about data security regulations, protection of intellectual property, and protection of customer data are all driving gradual change for end-to-end encryption.

Certain areas are better than others when it comes to the current state of encryption deployment.

For example, with data at-rest Ponemon found that approximately 61% of organizations report that they routinely encrypt employee and HR data, 56% encrypt payment data, 49% encrypt financial records and 40% encrypt customer data. Meanwhile, a study out last week from Venafi highlighted prevalence of encryption of data-in-transit, with 57% of organizations reporting they encrypt 70% or more of their external web traffic and 41% doing the same for internal network traffic.

According to the Ponemon study, enterprises' focus on encryption and key management is being spurred on by increased cloud adoption as more data moves into third-party data centers. Approximately 67% of organizations report that they either perform encryption on premises prior to sending data to the cloud or encrypt data in the cloud using keys they generate and manage on premises. An additional 37% also report that they encrypt some cloud data using methods that turn complete control of keys and encryption processes to the cloud provider.  

This most recent study doesn't offer a fine point on how much data is going to the cloud completely unencrypted--but data out in 2016 from HyTrust showed that number to be pretty alarming. According to that study, about 28% of all data within all cloud workloads remain unencrypted. Even more troubling, a different 2016 study from Ponemon and Gemalto found that 76% of organizations don't encrypt or tokenize sensitive data sent to SaaS applications.  

A recent breach at Scottrade earlier this month highlights why a lack of encryption in the cloud is such a risk for enterprises. The online brokerage exposed loan applications for 20,000 customers after a third-party IT services provider uploaded information to the cloud without any encryption mechanisms in place.

"The data breach at Scottrade exemplifies the one-strike law for security in the cloud. In the public cloud, a single vulnerability, security or process lapse is all it takes to expose highly sensitive private data to the world and get datajacked," says Zohar Alon, CEO of Dome9. "Even with strict security controls in place, breaches such as this still occur due to very basic process failures."

Lapses like the one at Scottrade exemplify why it is important to not only encrypt sensitive data in the cloud, but also lock down policies for inventorying data whether in the cloud or on premises, for when and how it is encrypted, for how access is configured, and for how keys are managed.  

"It’s vitally important to encrypt sensitive data at-rest, but encryption alone isn’t sufficient. Even encrypted data is designed to be accessed by applications and authorized personnel," says Tim Erlin, vice president of product management and strategy for Tripwire. "Organizations have to protect the access methods, in addition to encryption, in order to protect data.”

With regard to key management, the study out this week from Ponemon shows that there's again steady improvement but lots of room to grow. Approximately 51% of organizations have a formal key management policy, but hardware security module (HSM) usage is still only at 38%. Of those, nearly half own and operate an HSM on-premises to support cloud deployments. On a positive note, nearly six in 10 of organizations that use HSMs say they have a centralized team that provides cryptography as a service across their entire organization.  

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.