In the current data security environment, encryption is often touted as the grand cure-all: simply implement an encryption solution and your data security woes will be behind you. Encryption can be a powerful tool in the data protection arsenal, helping companies achieve regulatory compliance and offering a high degree of protection to sensitive data, but it must be deployed in a strategic manner. As it is adopted today, encryption is more often implemented as a point solution than as a foundational component of a strong risk management and data protection strategy.
The argument above serves as the basis for a new whitepaper published by ESG. The paper, entitled Enterprise Encryption and Key Management Strategy: The Time is Now, addresses the common failings of encryption when used as a point solution rather than as a strategic answer to the prevailing data threats of the day. ESG analyst Jon Oltsik proposes that addressing encryption on an ad hoc basis can introduce significant risk, and identifies a number of factors that prevent organizations from maximizing the benefits of encryption and key management.
Ad hoc implementations present a number of challenges that dilute the benefit of encryption and make key management quite difficult. For instance, ad hoc implementations may include encryption based on multiple standards. These heterogeneous encryption and key management implementations are difficult to manage: they increase the overhead of administering the varying solutions and raise the likelihood of a data breach. In a similar vein, having numerous encryption solutions means that the keys for each solution must be managed within its native tool. In that case, the increased likelihood of breach is accompanied by the increased likelihood of an unrecoverable file, because a key held only inside one tool is lost when that tool, or the person who ran it, goes away.
In response to these threats, Oltsik identifies a number of steps that organizations can take to ensure that maximum utility is derived from the encryption solution to be implemented. For instance, Oltsik observes that encryption is often deployed according to the needs and judgments of functional IT groups rather than a central data security organization. The result is often that encryption keys are available to many members of the IT staff, which, of course, violates one of the central tenets of strong encryption – separation of duties. Other requirements of a successful enterprise encryption strategy include:
- Tiered Administration – This allows organizations to set policies at both an organizational and a departmental level.
- Distributed Policy Enforcement – Enforcing policies across distributed, heterogeneous systems throughout the organization is paramount to the successful implementation of enterprise encryption and key management.
- Enterprise-level Key Management – Key management must become a central service for all activities, including key creation, storage, rotation, and revocation.
- Central Command and Control – Consolidation of policy management, configuration management, and reporting and auditing functions helps to ensure appropriate management of the solution across the enterprise.
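The following is an added illustration, not code from the ESG paper or any product it describes, of what the points above look like in practice: a single key service that owns creation, rotation and revocation, enforces separation of duties (custodians manage keys but cannot use them on data; applications use keys but never see key material), and records every request centrally. The principal names, roles and the SHA-256 keystream "cipher" are constructed for the demo; the keystream stands in for a real AEAD and provides no integrity protection.

```python
import hashlib, secrets

class KeyService:
    # Separation of duties (constructed roles): custodians manage the key
    # lifecycle but cannot touch data; apps touch data but never see keys.
    ROLES = {"custodian": {"create", "rotate", "revoke"},
             "app": {"encrypt", "decrypt"}}

    def __init__(self, principals):
        self.principals = principals  # principal -> role
        self.keys = {}                # key_id -> [versions]; None = revoked
        self.audit = []               # central audit trail of every request

    def _check(self, who, action):
        role = self.principals.get(who, "none")
        allowed = action in self.ROLES.get(role, set())
        self.audit.append((who, action, allowed))
        if not allowed:
            raise PermissionError(f"{who} ({role}) may not {action}")

    def create(self, who, key_id):
        self._check(who, "create")
        self.keys[key_id] = [secrets.token_bytes(32)]

    def rotate(self, who, key_id):
        self._check(who, "rotate")
        self.keys[key_id].append(secrets.token_bytes(32))  # old versions stay readable

    def revoke(self, who, key_id):
        self._check(who, "revoke")
        self.keys[key_id] = None  # ciphertext under this key is now unrecoverable

    @staticmethod
    def _xor(key, nonce, data):
        # Toy SHA-256 counter-mode keystream: a stand-in for a real AEAD with
        # no integrity protection; demo only.
        ks = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
        return bytes(a ^ b for a, b in zip(data, ks))

    def encrypt(self, who, key_id, data):
        self._check(who, "encrypt")
        versions = self.keys[key_id]
        v, nonce = len(versions) - 1, secrets.token_bytes(16)  # newest version
        return v, nonce, self._xor(versions[v], nonce, data)

    def decrypt(self, who, key_id, v, nonce, blob):
        self._check(who, "decrypt")
        if self.keys.get(key_id) is None:
            raise KeyError(f"{key_id} is revoked or unknown: data unrecoverable")
        return self._xor(self.keys[key_id][v], nonce, blob)
```

Because ciphertext carries its key version, rotation does not orphan old data, while revocation makes it unrecoverable by design; the audit list shows both the allowed and the refused requests in one place.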
The message of the paper is that encryption is not effective, and should not be implemented, as a tactical response to a departmental need. Just as one wouldn't build a house without a blueprint, organizations are advised to refrain from point solutions when addressing organizational data security. Keeping the big picture in mind, and understanding how all of the parts will work together, helps to build a solid data security foundation on which the protections necessary for the whole organization can rest.