Thales survey shows unencrypted backup tapes leave large hole in enterprise data protection
Thales 2008 Encryption and Key Management Benchmark Survey reflects trend towards more encryption but suggests key management remains a major challenge
Thales, leader in information and communications systems security, announces that despite high profile cases of unencrypted backup tapes going missing, more than a third of organisations still do not know if they will encrypt their backup tapes and half do not know where they would store their tape backup encryption keys. This is one of the alarming findings in the new 2008 Encryption and Key Management Benchmark Survey conducted by research firm Trust Catalyst on behalf of Thales.
The survey indicates that the long list of data loss headlines, coupled with compliance pressures, is driving organisations to encrypt more applications than ever before. Web server and SSL encryption come top of the list with 94% being encrypted, closely followed by desktop file and email encryption along with full disk encryption. Yet tape backup encryption only featured 11th in the list, below USB and mobile device encryption, potentially leaving a major hole in enterprise data protection strategies. This is illustrated by the many recent data losses, including 15,000 patient records stolen after a thief took unencrypted computer tapes from a doctor’s surgery in the UK, and 650,000 J.C. Penney customers in the US put at risk when an unencrypted backup tape was lost.
“It is encouraging to see that more organisations are proactively securing sensitive data but the survey suggests there is still room for improvement. Most organisations appear to be securing sensitive data in an unplanned and unstructured way leaving both the organisation and data at risk,” says Bryta Schulz, vice president product marketing at Thales Information Systems Security. “In particular, it is surprising to see that the use of tape backup security is so low in the list of priorities given the risks associated with lost tape and data recovery and we believe this shows organisations are struggling with key management issues for data storage applications.”
The survey shows that the difficulty of key storage and management remains a major barrier across all encryption applications. When asked where encryption keys would be stored, more than 40% of respondents answered ‘don’t know’ for seven out of 13 encryption applications. When respondents did know where they would store their keys, the most popular answer was in software on disk.
“It is concerning to see that the high level of encryption planned does not correspond with an understanding of the risks associated with the storage and retrieval of encryption. Best practice for securing these keys is to store them in a hardware security module,” continues Schulz.
As well as encryption applications and key storage, the survey also addressed the ways encryption keys are managed. Good key management is essential to keep encrypted data accessible and so avoid disruption and business costs, while a compromised key can put data at risk and losing a key completely can mean that the information is lost forever.
The cost of data recovery and lost business were at the top of respondents’ lists when it came to concerns over lost or compromised encryption keys, with compliance only in third place. With real concerns about issues such as backing up and revoking or terminating keys to prevent unauthorised access to data, 69.3% of respondents said that they would choose to use automated and centralised key management systems as opposed to manual processes.
“According to the Privacy Rights Clearing House, more than 234 million accounts have been compromised since 2005 and the reality is that hundreds of millions more are at risk,” continues Schulz. “So it is reassuring to see that encryption is on the agenda and that organisations are recognizing that an enterprise approach to encryption and key management is needed.”
“Without automation, time-consuming manual processes lead to higher risk, greater operational costs, a reduction in business performance, the inability to enforce policy and at worst, the possibility of not being able to recover essential data,” warns Schulz.
A full copy of the 2008 Encryption and Key Management Industry Benchmark Report that also includes a look at database encryption trends and issues can be downloaded at: http://www.ncipher.com/l/webinars/survey.