nCipher Security Blog

Encryption is valuable – but without key management, it’s destined to fail

John Grimm | Vice President Strategy and Business Development More About This Author >

It’s a dangerous world out there. We need to be ever vigilant.

In the digital world, individuals and organizations that are serious about guarding their data and privacy use encryption. This technology makes data on devices and in emails, files, phone calls, photos and videos unreadable to anyone without access to the encryption key.

That last part – about access to the encryption key – is important to understand. Unless you do a really good job of protecting your keys, your encryption strategy is essentially worthless.

Encryption solutions have proliferated, data is everywhere, and employees add to the threat

Key protection for encryption is a significant challenge for organizations. Many businesses have IT security directors, compliance officers and other technical professionals who are great at their jobs. But few operations have enough staff with the skills and experience to manage encryption and keys.

And data protection has gotten a lot harder. Ponemon Institute’s “2020 Global Encryption Trends Study,” says the average enterprise uses eight different encryption products today.

That’s a lot, and it makes things difficult to manage.

Further compounding the challenge is that it’s increasingly difficult for organizations to find all their sensitive data. Sixty-seven percent of the Ponemon global survey group, which consisted of over 6,400 IT and security experts, said discovering where sensitive data resides in the organization is their biggest challenge in planning and executing a data encryption strategy.

With mobility, the cloud and now the COVID-19 work-from-home (WFM) movement, there are all these new places for data to go. It does no good to use encryption to protect data in one or more storage locations but leave others unprotected. Organizations need to encrypt their sensitive data wherever it resides because attackers aren’t out there trying to break encryption algorithms; they’re looking for the low-hanging fruit in the form of poorly protected encryption keys, or copies of data that haven’t been encrypted at all.

But attackers are not the only threat. Employee mistakes, which are increasingly common in light of the coronavirus-created WFM expansion, also can be costly. In fact, the Ponemon report says employee mistakes continue to be the most significant threats to sensitive data.

The key forces that are driving encryption have changed significantly

At the same time, there has been a sea change in the key drivers of encryption adoption.

Five years ago, regulatory compliance was the dominant driver of encryption. Organizations would have to prove to an auditor they had done due diligence in protecting sensitive data, and encryption was a big part of those strategies.

Regulatory compliance is still a highly rated reason for employing encryption, but it’s no longer the leading reason. Instead, it’s moved down to No. 4 on the list, according to Ponemon. Now the top reason organizations state for using encryption is to protect customer information.

Fifty-four percent of the Ponemon survey group said protecting customer personal information is among their main drivers for using encryption technology solutions. Protecting intellectual property and information against specific, identified threats came in next at 52% and 51%, respectively. But fewer than half (47%) said regulatory compliance was their main driver.

This indicates businesses are taking a much more data-centric approach to encryption rather than viewing it as a checkbox filler to show they’ve met regulatory compliance requirements.

Yet encryption usage patterns remain stuck in the past, while the perimeter disappears

Despite these changing forces, the way people actually deploy encryption is not keeping pace, at least not yet. Organizations are turning on encryption where it’s easiest and most mature from a technology perspective – in databases, for laptop hard drives, and for backups and archives. But other places where sensitive data flows to aren’t seeing the same level of encryption usage, including data center storage, file systems, and big data repositories. And the cloud is a mixed bag.

I think we’re going to see a sea change on this front as well. Organizations are going to start following and encrypting the data rather than just turning on encryption when and where it’s easiest to do so. It’s clear that people are changing their approaches and acknowledging that they need to follow the data, and that encryption is an integral part of their overall access control strategy. Actual implementation just hasn’t gotten there quite yet.

Because data is out there on all these different systems, the concept of a secure perimeter has faded. We don’t have those clear borders anymore. So, the best thing you can do is to wrap the security around the data itself by using encryption, so data carries that protection with it wherever it goes.

HSMs address key point of encryption – enabling security, compliance and ease-of-use

But, again, for encryption to deliver on its promise, organizations require an effective way to protect and manage their encryption keys. This is the Achilles’ heel of encryption.

The Ponemon research highlights that many organizations are struggling to create and enforce a consistent policy for encryption. While 48% of respondents said their organizations have applied encryption consistently across the enterprise, this means that more than half have not.

Organizations are increasingly turning to hardware security modules (HSMs) to specifically address this issue. HSMs provide secure cryptographic processing – encryption and digital signing – as well as key generation and protection to enable organizations to enforce their encryption policy across different devices and, importantly, across multiple clouds. Using an HSM establishes a root of trust within a business, providing a central and auditable point of control for encryption and key management policy.

If you have to do configuration across eight different encryption solutions using eight different user interfaces, training your staff and achieving consistency in encryption are both real challenges. Good encryption hygiene like regular key rotations and key backups become cumbersome and mistake prone as the environment becomes increasingly complex. Many organizations have found that encryption and key management tools within a single cloud such as Microsoft Azure work quite well, but don’t work across their other clouds and their enterprise and hence are a partial solution.

An HSM can serve as a central point of encryption policy enforcement and secrets management. By using the HSM as a trust anchor and policy enforcer, a strong and consistent approach can be achieved – even if your organization is a multicloud operation.

HSMs also can help your organization comply with new regulations like the California Consumer Privacy Act (CCPA), which specifically references the importance of securing encryption keys.

Such new developments, data proliferation and distribution, and new trends and priorities help explain why HSM adoption is on the rise. As Ponemon reports, 64% of organizations now recognize that HSMs are important to encryption and key management. HSMs and a “follow the data” strategy for protection of sensitive information are a powerful one-two punch in the quest for successful data protection.