The need for proactive data security
James Cook, VP, Digital Security APAC at Entrust, talks to EITN about an enterprise awakening to the need for proactive data security
EITN: John Metzger said, “The large jump in respondents reporting consistently applied encryption policies across their organisations, together with high support from senior leadership points to a real enterprise awakening to the need for proactive data security.” In your opinion, what has caused this awakening?
James Cook: Today’s organisations are faced with increasingly sophisticated security threats, and cybercrimes in Malaysia are drastically rising. With losses reportedly amounting to 2.23 billion ringgit from 2017 to June 2021, consumers and businesses alike are demanding more from the organisations they work with to protect their data.
This has driven the need for more proactive data security – and encryption has always been the mechanism of choice. Since we started conducting the Global Encryption Trends Study 17 years ago, there has been a steady rise in organisations with an encryption strategy applied consistently across the entire enterprise, from 36% to 57% over the last year in Southeast Asian respondents.
As more organisations adopt both hybrid and multi-cloud strategies, it becomes more challenging to locate sensitive and valuable data as it moves around the enterprise and across environments, be it on-premises, or in private and public clouds. There are different types of background structures and platforms that make it difficult to establish and maintain a congruous approach across the different environments, which in turn makes it difficult to protect the data.
According to this year’s study, the top driver of encryption in ASEAN is to protect information against threats. In the current post-pandemic landscape, organisations are looking to support flexible work arrangements by tapping on the cloud. We have seen more organisations move to the cloud and adopt both hybrid cloud and multi-cloud strategies. This proliferation of data across cloud use, environments, digital initiatives, and internet of things (IoT) devices calls for more security than ever. Organisations are looking for ways to protect their data, while still retaining control and privacy.
EITN: What are the top 3 challenges to implementing an enterprise-wide encryption policy? Does one of the reasons “finding the data” mean “categorising the data”?
James Cook: According to the 2022 Global Encryption Trends Study, the top 3 challenges to an organisation’s effective execution of its data encryption policy are: discovering where sensitive data resides in an organisation (60% of SEA respondents); budget constraints (34%); and initially deploying encryption technology (27%).
In this case “finding the data” refers to discovering where collections of sensitive data reside in an organisation, before categorising and classifying the information. Knowing where the data is and classifying it helps organisations identify the security procedures and strategies they need to handle the data, allowing them to protect it effectively.
Something else to note is that the challenge of determining which encryption technologies are most effective has grown significantly from 13% to 21% in the last five years. This is potentially due to the significant advancement of these technologies during this period. Working with trusted partners to build a robust encryption strategy for the entire organisation using the latest tools can help businesses overcome their top-most challenges.
EITN: What are some of the top reasons that data is difficult to find?
James Cook: Discovering and categorising data in a consistent way across the cloud and on-premises is a difficult and complicated process, firstly due to the vast amounts of data that vary in nature and need to be handled differently.
Secondly, there are many different IT and business systems within an organisation with varying data stored, making it difficult to locate where exactly the data resides. Furthermore, users often move data from protected office devices to their own for their convenience when working offline or from home, adding to the complexity of finding the data.
This brings us to the next point – sensitive data is not static. In most cases, it is constantly being added, changed, and transported throughout the organisation. Data is constantly moving around the enterprise across different environments, which makes it harder to detect where the data lies. Workloads go through many lifecycles, usually from staging to deployment to backup, before eventually being securely decommissioned.
Each stage poses different risks of potential data theft, accidental loss or other misuse. Managing workload encryption from each cloud’s management platform is complex and further increases the risk of inconsistent policies and mistakes. As such, it is important to ensure that an encryption strategy aligns with compliance mandates and requires robust key management. Unfortunately, key management is not universal across cloud platforms, so the security team must contend with key storage, distribution, rotation, and revocation in multiple environments.
And as organisations advance their multi-cloud strategies, there is a greater call for them to apply consistent security across their workloads and applications, as well as implement data protection to address the various threats. While encrypting cloud data is essential to protecting sensitive information and workloads, it needs to be done correctly to be effective and meet compliance mandates.
When building out their encryption strategies, organisations need to build in routine tracking and assessment of sensitive data, as well as access permissions or restrictions based on the type of data instead of its location.
EITN: Based on this press release, what is the relationship between cybersecurity professionals’ skills gap and encryption policies and technologies being used wrongly to the point that there is risk of threats?
James Cook: The challenge to executing effective encryption strategies often lies not in the technology itself, but in employees’ use of it. According to the 2022 Global Encryption Trends Study, employees continue to represent a significant threat to sensitive data. Respondents identified employee mistakes as the top threat to sensitive data, while the threat from temporary or contract workers reached its highest level ever.
Furthermore, organisations’ needs for encryption technology are growing increasingly diverse as the types of data they protect grow. Employees are forced to learn the security configurations of multiple tools, making errors much more likely. This is a particular challenge with public cloud environments, as each offers its own interface, settings and functionality, which are regularly updated.
As data and intellectual property protection become more central to an organisation’s security strategy, the intricacies of different encryption technologies inevitably lead to errors in manual administration of these critical encryption keys, especially among those who are unskilled in this field.
As the workforce becomes more transitory, organisations need a comprehensive approach to the security built around identity, zero trust, and strong encryption rather than old models that rely on perimeter security and passwords.
EITN: Seeing as how employees’ mistakes bring risk of threats to the organisation, does everyone in an organisation need to learn how to use encryption technologies?
James Cook: As data continues its exponential growth, it is not feasible to keep adding headcount to keep it under control. While subject matter experts continue to lead their organisations’ encryption strategies and management, this day and age calls for every employee to have knowledge of these technologies, regardless of their role. As such, implementing a cohesive and holistic enterprise-wide encryption strategy where everyone in the organisation is familiar with using the technologies is necessary to more effectively protect an organisation’s IT systems and data.
Doing so can help limit liability from breaches or inadvertent disclosure and ease the pressure to comply with data privacy regulations while focusing on protecting financial records and payments-related data from the risks of hackers and temporary or contract workers. Once organisations have a good handle on what and how to encrypt payment data, they can then focus on how to automate it to make it easier and future-proof encryption plans.
Challenges arise when enterprise teams do not fully establish the connection between the new technologies and their immediate strategic value to the business. In the case of encryption adoption, this is where a well-defined cryptographic centre of excellence (CryptoCoE) can play a role.
A CryptoCoE — which can be described as a capability centre with the aim of boosting operational crypto with proven tools and expertise — can provide meaningful insights and best practices throughout the organisation’s adoption of crypto. With a CryptoCoE in place, transitioning to the latest encryption requirements can be done seamlessly and quickly, without compromising any sensitive information throughout the chain of trust.
Prioritising a crypto strategy will ensure that businesses are able to mitigate threats and operate with minimal interruption. If executed well, a CryptoCoE is well worth the effort and costs to ensure business continuity, enhance data security and most importantly — strengthen consumers’ trust.
It is also important to work with trusted partners for tools to automate finding, provisioning, managing and rotating keys and certificates so that when the next big change comes, they are prepared for it.