Large organisations are devoting more resources to encryption but are still often being stymied by the age-old problems of fragmentation, key management and cost, a detailed study Ponemon of global behaviour by Thales e-Security has found.
More or less every investigation into encryption anywhere in the world reports growing use of the technology hand-in-hand with rising problems associated with managing it. It’s become one of those incremental trends that always seems to be slightly behind the security problem it’s meant to solve.
Encryption is a handy stick regulators use to beat organisations with – for instance the ICO in the UK would be a prime example - but then again they’re not the ones struggling to make sense of it.
The study discovered that Germany, Denmark and Japan are the most enthusiastic users of encryption with Mexico lagging and with the UK bang in the middle of the pack.
Encryption is in every single application imaginable from storage security, web e-commerce, databases, email, private and public cloud infrastructure, indeed this is why it is so hard to do – every one of these areas will be managed separately and sometimes in a manual way and that causes immense problems.
The UK section of the study (509 respondents) uncovered fairly high levels of encryption use throughout enterprises with 72 and 71 percent of desktop and laptop drives respectively now encrypted, 88 percent of backup drives, 79 percent of databases, and 88 percent of Internet communications (i.e. SSL/TLS).
These percentages were on par with the US with UK respondents reporting the same frustrations when using the technology as everyone else.
Key types that presented particular problems were SSH (63 percent), keys for external or hosted services (around 62 percent), application keys (61 percent, and Consumer-level keys and digital certificates (57 percent).
Across the world, the industry sectors putting the most investment into encryption were healthcare and retail.
Nevertheless, with data breaches to worry about encryption was now being seen as a strategic necessity which came with some interesting practical benefits – enterprises reported lower levels of breach disclosure were required for encrypted data compared to unencrypted data.
“From a regulatory point of view encryption is very appealing. It is perceived to be very binary, it’s either encrypted or it’s not,” said Thales e-Security’s Vice President Strategy, Richard Moulds.
He agreed that at least half the survey sample were experiencing pain when implementing or managing encryption systems.
“There is a perception that it is hard to use and it can slow things down. But there are no competing technologies,” said Moulds. “It’s a problem that can be solved but it is not an easy problem.”
New developments such as Microsoft’s Azure Key Vault helped because it offered enterprises with a way of coping with encryption keys without having to get their hands as dirty. It still required that the customer manage the keys of course.
He predicted growth for this sector but also that some keys would remain stuck in silos for some time to come.
“There will be certain applications that the necessary level of security is so high that it [the cloud] won’t be an answer. Some applications might always need to be in your basement.”
What large organisations couldn’t do was rely on manual spreadsheets when managing more than a few keys, said Moulds.