The Long Slog To Getting Encryption Right

Encryption practices have improved dramatically over the last 10 years, but most organizations still don't have enterprise-wide crypto strategies.
While enterprises are making meaningful progress on improving their encryption practices, there is still a lot of work to do. Several major studies published in the last several months have underlined the highs and lows of encryption trends in the real world.
On the plus side, the most recent research, released this week by the Ponemon Institute and Thales, shows that the share of organizations with an enterprise-wide encryption strategy has more than doubled in the last decade, and that organizations are responding to cloud risks with improved encryption deployments for data at rest and in transit. On the negative side, this study and other industry numbers suggest that we have not yet reached the tipping point of more than half of organizations following best practices, and that a sizeable number of organizations that use encryption are making big mistakes along the way.
"The accelerated growth of encryption strategies in business underscores the proliferation of mega breaches and cyberattacks, as well as the need to protect a broadening range of sensitive data types," says Dr. Larry Ponemon of Ponemon Institute. "Simply put, the stakes are too high for organizations to stand by and wait for an attack to happen to them before introducing a sophisticated data protection strategy."
This is the twelfth year running of the Global Encryption Trends Study, and Ponemon has found that since 2006 the share of organizations with enterprise-wide encryption strategies has risen from under 20% to over 40%. It is a steady drumbeat of improvement, but the fact remains that the majority of organizations still do not have such a policy. Nevertheless, the steady tick upwards and additional survey data show that worries about data security regulations, protection of intellectual property, and protection of customer data are all driving gradual movement toward end-to-end encryption.
Certain areas are better than others when it comes to the current state of encryption deployment.
For example, for data at rest, Ponemon found that approximately 61% of organizations report that they routinely encrypt employee and HR data, 56% encrypt payment data, 49% encrypt financial records, and 40% encrypt customer data. Meanwhile, a study released last week by Venafi highlighted the prevalence of encryption for data in transit, with 57% of organizations reporting that they encrypt 70% or more of their external web traffic and 41% doing the same for internal network traffic.
According to the Ponemon study, enterprises' focus on encryption and key management is being spurred on by increased cloud adoption as more data moves into third-party data centers. Approximately 67% of organizations report that they either perform encryption on premises before sending data to the cloud or encrypt data in the cloud using keys they generate and manage on premises. An additional 37% also report that they encrypt some cloud data using methods that hand complete control of keys and encryption processes to the cloud provider.
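The distinction the survey draws, between encrypting with keys the organization keeps on premises and handing key control to the provider, comes down to which key material ever leaves the building. The following Go program is an added illustration written for this article, not code from Ponemon, Thales or any cloud vendor: it encrypts a record on premises with a fresh per-object data key (AES-256-GCM), wraps that data key under a key-encryption key (KEK) that stays on premises (standing in for a key held in an HSM or on-prem key manager), and shows that only the ciphertext and the wrapped key are what would be uploaded. The sample record and the fixed KEK bytes in `main` are constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// CloudObject is everything that leaves the premises. Neither field
// reveals the plaintext or the data key without the on-prem KEK.
type CloudObject struct {
	Ciphertext []byte // AES-GCM(dataKey, plaintext), nonce prefixed
	WrappedKey []byte // AES-GCM(KEK, dataKey), nonce prefixed
}

// sealGCM encrypts and authenticates plaintext under key with a random
// nonce, returning nonce || ciphertext || tag.
func sealGCM(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openGCM reverses sealGCM and fails on any tampering or wrong key.
func openGCM(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// EncryptForCloud runs on premises. The KEK is used only here; the
// data key is generated per object and leaves only in wrapped form.
func EncryptForCloud(kek, plaintext []byte) (CloudObject, error) {
	dataKey := make([]byte, 32) // AES-256 data key, one per object
	if _, err := rand.Read(dataKey); err != nil {
		return CloudObject{}, err
	}
	ct, err := sealGCM(dataKey, plaintext)
	if err != nil {
		return CloudObject{}, err
	}
	wrapped, err := sealGCM(kek, dataKey)
	if err != nil {
		return CloudObject{}, err
	}
	return CloudObject{Ciphertext: ct, WrappedKey: wrapped}, nil
}

// DecryptFromCloud also runs on premises: unwrap the data key with the
// KEK, then open the object. A wrong KEK or a modified blob fails closed.
func DecryptFromCloud(kek []byte, obj CloudObject) ([]byte, error) {
	dataKey, err := openGCM(kek, obj.WrappedKey)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return openGCM(dataKey, obj.Ciphertext)
}

func main() {
	// Constructed KEK for the demo; in practice it lives in an HSM or
	// on-prem key manager and is never written to the cloud.
	kek := make([]byte, 32)
	for i := range kek {
		kek[i] = byte(i)
	}
	record := []byte("constructed sample: loan application, applicant 000123")
	obj, err := EncryptForCloud(kek, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("upload %d ciphertext bytes + %d wrapped-key bytes\n",
		len(obj.Ciphertext), len(obj.WrappedKey))
	pt, err := DecryptFromCloud(kek, obj)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered on prem: %s\n", pt)
}
```

The same shape is what cloud key-management services call envelope encryption; the difference the survey measures is whether the KEK that unwraps each data key is held by the organization (here, on premises) or by the provider.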
This most recent study does not put a fine point on how much data goes to the cloud completely unencrypted, but 2016 data from HyTrust showed that number to be alarming. According to that study, about 28% of all data across all cloud workloads remains unencrypted. Even more troubling, a different 2016 study from Ponemon and Gemalto found that 76% of organizations do not encrypt or tokenize sensitive data sent to SaaS applications.
A breach at Scottrade earlier this month highlights why a lack of encryption in the cloud is such a risk for enterprises. The online brokerage exposed loan applications for 20,000 customers after a third-party IT services provider uploaded the information to the cloud without any encryption in place.
"The data breach at Scottrade exemplifies the one-strike law for security in the cloud. In the public cloud, a single vulnerability, security or process lapse is all it takes to expose highly sensitive private data to the world and get datajacked," says Zohar Alon, CEO of Dome9. "Even with strict security controls in place, breaches such as this still occur due to very basic process failures."
Lapses like the one at Scottrade show why it is important not only to encrypt sensitive data in the cloud, but also to lock down policies for inventorying data, whether in the cloud or on premises, for when and how it is encrypted, for how access is configured, and for how keys are managed.
"It's vitally important to encrypt sensitive data at-rest, but encryption alone isn't sufficient. Even encrypted data is designed to be accessed by applications and authorized personnel," says Tim Erlin, vice president of product management and strategy for Tripwire. "Organizations have to protect the access methods, in addition to encryption, in order to protect data."
With regard to key management, the Ponemon study released this week again shows steady improvement with plenty of room to grow. Approximately 51% of organizations have a formal key management policy, but hardware security module (HSM) usage is still only at 38%. Of those, nearly half own and operate an HSM on premises to support cloud deployments. On a positive note, nearly six in 10 organizations that use HSMs say they have a centralized team that provides cryptography as a service across their entire organization.
Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.