
Survey: Encryption strategies to protect sensitive data, lacking


A global trends survey reveals that organisations value customers’ personal information. However, the deployment of security solutions like encryption belies this survey finding. Entrust’s VP of Strategy, John Grimm, discusses the results of Entrust’s survey.

EITN: The survey you referenced has a list of data priorities – customer personal information was ranked 5th behind financial records, employee data, intellectual property. In your opinion, why is there a gap between what is being said (prioritise customers) and what is being done (encrypting it)?

John: One of the most interesting highlights of this year’s Global Encryption Trends Study is that customer information is once again listed as the top reason to encrypt — yet only 42% of respondents actually use encryption for customer data. This suggests a wide chasm between an organisation’s priorities and the realities of deploying encryption. There are likely several reasons for this disconnect, but a key component that was revealed by the study is that encryption use tends to follow the most mature and easy-to-use applications like databases and backups/archives, as opposed to truly following specific data to all the different locations and platforms it moves to.

Customer databases are often evolving and being added to, and organisations also face the issue of having to adequately pinpoint where sensitive data is being stored and knowing what needs to be protected.


At the end of the day, a carefully architected and well-implemented data encryption strategy can provide the foundation of an organisation’s data protection security policy. Working with the right partner can also help to strengthen and address security standards and improve security posture. When organisations do not prioritise customers’ personal information, they run the risk of lost business and reputation (as well as fines), which is even more valuable than overcoming the challenges of deploying encryption technologies in the first place.


EITN: Is encryption the only way to protect customer data?

John: We continue to be heartened by the upward trend of encryption adoption, with 50% of organisations reporting that they have an overall encryption strategy applied consistently (an increase of 5% from 2019’s survey). But encryption by itself is not enough. Encryption must work together with strong identity/authentication, role-based access control, digital signing, and other mechanisms as part of a comprehensive data protection scheme.


As we adapt to increasingly digital and remote workplaces, ensuring secure digital identity access and verification is key in protecting sensitive customer data. Cloud-based identity and access management (IAM) solutions, combined with multi-factor authentication (MFA) and credential-based passwordless access, can go a long way in protecting data as they ensure the right access is granted to the right people. In fact, by replacing the password with a high-assurance passwordless solution, companies can block up to 80% of today’s malicious attacks.

Hardware security modules (HSMs) also play a key role in data protection initiatives. An organisation’s most sensitive data requires increasingly stringent protection from loss and from outsider and insider attacks. The use of encryption, accompanied with HSMs – a “trusted” component for performing cryptographic operations and protecting keys – helps to ensure data is being protected in a certified and trusted environment.

EITN: In your opinion, why has there been a huge uptick in encryption in 2021?

John: Encryption continues to grow, as it is the mechanism of choice for protection of sensitive data, and the toolset available to implement encryption continues to grow. Since Entrust began conducting its Global Encryption Trends Study 16 years ago, there has been a steady increase in organisations with an encryption strategy applied consistently across the entire enterprise.

Organisations are increasingly adopting encryption to address the growing concerns of data safety — in combination with a rise in security breaches across the world. With new breaches and exploited loopholes seemingly discovered every other day, organisations are beginning to see the real impact of a potential breach — including loss of profit and customer trust — and are taking steps to stay ahead of the curve. Stricter compliance regulations across regions, and the increase in cloud adoption across enterprises, also play a role in encryption’s rising adoption.

EITN: Can you share what is a robust encryption strategy? What does it address, how is it applied, and what are the ideal outcomes of an encryption strategy?

John: Secure key management is an essential part of an enterprise encryption strategy. Many organisations start using encryption without implementing proper practices around protecting encryption keys throughout their lifecycle. If the keys are not well protected, the entire encryption process is devalued. In today’s environment, attackers do not try to break crypto algorithms. Instead, they look for poorly protected keys. With data managed across multiple platforms, endpoints, and environments, it is highly important to implement key management best practices to ensure keys are available to applications and people that are authorized to use them, but unavailable to those that are not.

Aside from the obvious protection from cybercriminals, a robust encryption strategy can also support data integrity – including recoverability and searchability of data. Encryption technology for data protection may also be mandatory, rather than optional depending on the industry and/or region. For example, in the health care sector, patient privacy laws require keeping information encrypted and not doing so can result in significant fines for non-compliance.


Overall, it is encouraging that customer data protection is such a high priority for organisations, but there is clearly some work to be done in turning that priority into a reality in terms of what data is actually encrypted and at what points in the data lifecycle. With initiatives like cloud, mobility, and digital transformation, there are many more places for sensitive data to flow to, and it is critical for enterprises to shift to adopting a “follow the data” strategy to ensure that sensitive data is protected wherever it goes.

EITN: What are the main challenges to encryption?

John: One of the key barriers to a successful encryption strategy that Entrust has identified in this study is the ability to discover where sensitive data resides in the organisation. Knowing where organisational data lives across on-premise, virtual, cloud and hybrid environments is a continuing issue for enterprises — with 65% of organisations reporting that discovering where sensitive data resides is the top challenge when building out and deploying an encryption strategy.

43% of our respondents also cite initially deploying encryption technology as a significant challenge, which may not be a surprise as large organisations often deal with multiple data lakes and warehouses – resulting in complexity over the prioritisation of data to be encrypted.

Additionally, on average, organisations use eight different products to perform encryption. This creates difficulty when attempting to implement an encryption policy consistently, since administrators need to learn how to use multiple products, all with different user interfaces and conventions. When assessing encryption solutions, enterprises look for performance, management of keys, policy enforcement and support for both cloud and on-premise deployment as the top features that can help with the key pain points around encryption use.


Entrust continues to share knowledge with our partners and customers on building a robust encryption strategy in hopes of helping resolve some of these recurring pain points. Encryption can be complicated for some, but rather than have organisations and their employees not protect their data altogether — Entrust aims to educate them on the importance of having a well-thought encryption strategy.

John: While there has been some talk about the potential of multi-party computing and homomorphic encryption within the industry, survey respondents indicated that these are at least five years away from mainstream use. Similarly, quantum algorithms are thought to be about eight years from mainstream use.

In the nearer future, the mainstream adoption of blockchain, which requires trusted cryptography for core functions, is expected. Currently, it is used primarily as the foundation for cryptocurrency, but also for asset transactions/management, identity and even smart contracts.


With the challenges presented by managing encryption across multiple clouds and enterprise deployments, it is most important in the near term to take a “back to basics” approach: identify what data is most important, find all the places it goes, and then apply protections in all those places, remembering the fundamentals of lifecycle key protection management.