02:12 PM

So Much Data, So Little Encryption

We surveyed almost 500 business technology professionals and found little end-to-end encryption use. Instead, we're doing only what auditors demand.

If you go solely by top-level stats on encryption use, you'll come away feeling pretty secure--86% of the the 499 business technology professionals responding to our InformationWeek Analytics State of Encryption Survey employ encryption of some type. But that finding doesn't begin to tell the real story. Only 14% of respondents say encryption is pervasive in their organizations. Database table-level encryption is in use by just 26%, while just 38% encrypt data on mobile devices. And 31%--more than any other response--characterize the extent of their use as just enough to meet regulatory requirements.

InformationWeek Reports

The reasons for this dismal state of affairs range from cost and integration challenges to entrenched organizational resistance exacerbated by a lack of leadership. The compliance focus is particularly galling. Encrypting a subset of data amounts to a "get-out-of-jail-free card" because it may relieve companies from having to notify customers of a breach. But knowingly doing the bare minimum to check a compliance box isn't security; it's a cop-out.

Admittedly, IT pros often face stiff resistance when they try to do more. "Our IT staff is working to increase the use of encryption, but frankly, users are more interested in quick and easy access to their data and don't really think about security," says one respondent. "The idea of getting data on a flash drive or laptop encrypted never enters the minds of most of the staff, from the director on down."

We say entrenched resistance because this isn't a new phenomenon--back in 2007, a Ponemon Institute survey found that just 16% of U.S. companies take an enterprise-wide approach to encryption. Network Computing examined the state of enterprise encryption at the time and found adoption to be a gradual process, often starting with backup tapes and spreading from there. A piecemeal approach was the norm then, and we're still moving in fits and starts, despite the momentum generated by compliance frameworks such as PCI, which requires encryption of credit card data in transit.

The Interoperability Factor

Part of the problem is that standards efforts have yielded exactly zero breakthroughs where we need them most--in interoperability, which would make encryption management easier and less expensive. We don't expect that situation to get better anytime soon.

When we asked IT pros what would increase their companies' use of encryption, responses ranged from built-in operating system support for creating encrypted files and folders (something Microsoft is working toward, as we'll discuss) to improved ease of use and performance, lower cost, and better key management. A few desperate souls wished for more regulation, or even a breach that would require notification of customers, to use as leverage for gaining funding and management buy-in.

"I'd like to think that it would only take the force of will to do the right thing," says a network director at an educational institution. "In reality, it would probably require a breach or exposure to shine the light on the problem."

Our favorite response: "I wish I knew so I could exploit it."

InformationWeek: November 21, 2009 Issue To read the rest of the article, download a free PDF of InformationWeek magazine
(registration required)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Current Issue
Dark Reading Tech Digest September 7, 2015
Some security flaws go beyond simple app vulnerabilities. Have you checked for these?
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-12
vpxd in VMware vCenter Server 5.0 before u3e, 5.1 before u3, and 5.5 before u2 allows remote attackers to cause a denial of service via a long heartbeat message.

Published: 2015-10-12
The JMX RMI service in VMware vCenter Server 5.0 before u3e, 5.1 before u3b, 5.5 before u3, and 6.0 before u1 does not restrict registration of MBeans, which allows remote attackers to execute arbitrary code via the RMI protocol.

Published: 2015-10-12
Cisco Unified Computing System (UCS) B Blade Server Software 2.2.x before 2.2.6 allows local users to cause a denial of service (host OS or BMC hang) by sending crafted packets over the Inter-IC (I2C) bus, aka Bug ID CSCuq77241.

Published: 2015-10-12
The process-management implementation in Cisco TelePresence Video Communication Server (VCS) Expressway X8.5.2 allows local users to gain privileges by terminating a firestarter.py supervised process and then triggering the restart of a process by the root account, aka Bug ID CSCuv12272.

Published: 2015-10-12
HP 3PAR Service Processor SP 4.2.0.GA-29 (GA) SPOCC, SP 4.3.0.GA-17 (GA) SPOCC, and SP 4.3.0-GA-24 (MU1) SPOCC allows remote authenticated users to obtain sensitive information via unspecified vectors.

Dark Reading Radio
Archived Dark Reading Radio
What can the information security industry do to solve the IoT security problem? Learn more and join the conversation on the next episode of Dark Reading Radio.