Encryption is often cited as a major brick in the data protection foundation. State, Federal, even industry regulation has made encryption a top of mind priority for businesses around the country. Internationally, long-established data protection laws also serve as an impetus for encryption projects around the globe. Yet, an encryption implementation is only as strong as its associated key management policies and processes.
In November of 2011, Symantec released a report on the state of encryption. The 2011 Enterprise Encryption Trends Survey highlights some of the obstacles that companies encounter in implementing encryption projects. The report estimates that companies spend more than $124,000 per year as a result of “fragmented” encryption projects and poor key management. How does this happen? Encryption should be helping companies to protect data, not costing organizations additional overhead in the realm of 6 figures. The answer is that just because encryption solutions are prevalent, that doesn’t mean that they are all created equal. Nor should encryption projects be viewed as a “plug and play” data protection solution. Though it’s unlikely that the notion of encryption as being simple is widespread, the report seems to indicate that some companies don’t implement encryption solutions with the care that should be due to such a mission critical implementation. There are two primary findings that seem to indicate that encryption implementations should be managed with more care.
The first indication that encryption implementations are not being properly managed is the reports discussion of fragmented encryption projects. According the report synopsis, “Encryption use is growing rapidly but fragmented. Forty-eight percent of enterprises increased their use of encryption over the past two years. The respondents state that almost half of their data is now encrypted at some point in its lifecycle. The typical organization reports they have five different encryption solutions deployed.” Such a finding indicates that, rather than approaching encryption as a comprehensive, organization wide initiative, companies are implementing encryption on a piecemeal basis. As indicated in the findings of the report, this approach is costly, and can even be dangerous to the availability of a company’s data.
Secondly, the report states that companies have little confidence in their ability to appropriately manage the keys that are associated with their encryption implementations. Given the finding above, particularly with an average of 5 different encryption solutions in place, this lack of confidence is not surprising. Among the findings relative to encryption key management, the report states that “Forty percent are less than somewhat confident they can retrieve keys. Thirty-nine percent are less than somewhat confident they can protect access to business information from disgruntled employees.”
The findings aren’t entirely discouraging, however. Adoption of encryption is on the rise. More and more companies are taking the responsibility of data protection to heart and are attempting to provide their customers’ data with the highest levels of protection available. However, as the old adage goes “a chain is only as strong as its weakest link.”Simply having an encryption solution in place does not mean that the data is adequately protected. This is particularly true of geographically dispersed or heterogeneous environments.
So, how can companies balance their business objectives, the needs of different environments in different locations, and the requirement to protect their business? Unfortunately, there is no one-size fits all answer, just are there are no one-size fits all technologies. There are some things that companies can do, however, to help prepare for their encryption implementation that may ease the process and allow for a growth of the encrypted environment in later projects.
Know Where Your Data Is – The report by Symantec indicates that the “typical” organization has five different encryption solutions deployed. While there may be a number of reasons for this, one might be that companies are taken by surprise by the amount and locations of the data they are storing. As a result, they have to undertake several different projects in order to encrypt all of their data. This can be mitigated by mapping the organization’s data environment to get a comprehensive picture of the data stores that may need protection. Even if the organization chooses not to encrypt all of these locations at once, having a complete picture of the environment can help to plan subsequent encryption projects and assist in ensuring that those implementations work together effectively.
Know What Your Data Is – Data is seldom of a single format or structure. Some companies may have more than one encryption solution in place in order to account for the different types of data that they may have. Back-up tapes and archives, graphic files, Oracle or SQL databases must all be encrypted. Understanding the structure and format of the data can help to develop a comprehensive plan for protection.
Know Who/What can Access Your Data - Simply encrypting data is not sufficient to protect the data. Data must be accessed by individuals, usually through applications. Ensuring that your company knows who currently has access to encrypted data (and to the applications that access the data) is the first step. The second step is to ensure that only those with a business need can access the data. Ensuring data can only be decrypted by those people and applications with a need to know is critical to protecting data.
Plan for Key Management - For those just embarking on an encryption project, it is sometimes easy to lose sight of key management – or to shift it to the back burner. However, proper key management is the core of a successful encryption implementation. In implementing a key management solution, companies are advised to work closely with their vendors to ensure that keys are 1) protected and 2) available. Ideally, a vendor will provide a key store that is interoperable to ensure that all of the keys across the enterprise are securely managed.
It is encouraging that more and more companies are undertaking encryption solutions. However, the report unveils areas in which encryption vendors have an opportunity to demonstrate their expertise on behalf of their clients. It is incumbent on encryption vendors to work closely with their clients to ensure that the solution works on every level. That means that the encryption solution should be transparent, and should ensure the availability of the data – not just render it unreadable.