2009 Enc and Key Mgmt Industry Benchmark Report 201009
8/3/2019 2009 Enc and Key Mgmt Industry Benchmark Report 201009
2009 Encryption and Key Management Industry Benchmark Report
A risk management benchmark for data protection
Author: Kimberly Getgen, Principal, Trust Catalyst
October 20, 2009
Page 2   2009 Encryption and Key Management Industry Benchmark Report
2009 Trust Catalyst   Telephone: +1.415.867.8842
www.trustcatalyst.com   Contact: [email protected]
Foreword: Risk Management for Data Protection

Dear data security professional,

Where does your organization's risk management strategy stand when it comes to data protection? Despite a growing emphasis on encryption and related issues, few organizations have had the hard data needed to benchmark their risk management efforts against industry standards. Until now.

As a leader in encryption and key management, Thales wanted to provide the industry with a much needed benchmark. We engaged Trust Catalyst, a research firm, to conduct a survey of industry professionals and report the findings. I found the resulting 2009 Encryption and Key Management Industry Benchmark Report fascinating. I think you will, too. But more importantly, it's a tool your organization can use to learn where it stands in relation to industry standards and emerging trends.

After reading the report, I was struck by two things in particular: Organizations have made great strides in protecting sensitive data, and there is more to do, especially with regard to managing encryption keys and protecting backup tapes.

The next great hurdle in encryption is protecting all sensitive data, not just some of it. Many of the respondents to the survey are progressing in that direction, while others are advancing more slowly. Either way, we all have the opportunity to learn from their collective experiences.

I want to thank all of you who participated in the survey for sharing your time and insights. I also want to thank the Thales customers and partners who have helped to make us an industry leader. At Thales, we are pleased to be able to sponsor this report, and we hope that all of you will find it to be a valuable benchmarking tool.

Best regards,
Bryta Schulz
Vice President, Product Marketing
Thales Information Systems Security
Table of Contents

Foreword: Risk Management for Data Protection ..... 2
Executive Summary ..... 4
  Key Findings ..... 4
Section I: Data Encryption Trends and Obstacles ..... 7
  Encryption Trends ..... 7
  Obstacles to Encryption ..... 9
    Cost ..... 10
    Data Availability ..... 10
    Key Management Trends ..... 12
Section II: Regulations and Compliance Drivers ..... 15
  Encryption Budget Allocated for Compliance ..... 15
  Comparing the Top Five Regulations in the US and EMEA ..... 16
  How Survey Respondents Expect Regulations to Change ..... 17
  The New Connection Between Key Management and Compliance ..... 18
  Conclusion ..... 19
Section III: Cloud Computing ..... 21
  Conclusion ..... 23
Appendix A: Research Methodology ..... 28
Executive Summary

Data protection is an exercise in risk management. Adequately protecting data and managing compliance must be balanced with operating efficiency and profitable growth. Getting this combination right is more important than ever. The second annual Encryption and Key Management Industry Benchmark Report investigates how IT security managers are addressing these challenges and provides recommendations to help you reassess your strategy in light of the new data protection imperative.

Since publication of the 2008 Encryption and Key Management Industry Benchmark Report, demands to protect data have only grown. New data breach notification laws and the codification of industry-specific standards have made the protection of data an even higher priority.

In the US, HITECH (Health Information Technology for Economic and Clinical Health Act) rules introduce data breach notification requirements nationally for healthcare data. Massachusetts (MA 201 CMR 17) mandates encryption of personal data on portable devices and in transit, and California's breach notification law (CA SB 1386) applies only to unencrypted data, which makes encryption the practical way to stay out of the notification regime. Nevada's NV SB 227 went even further by mandating compliance with the industry-developed Payment Card Industry Data Security Standard (PCI DSS) for those accepting credit cards. In Germany, the Federal Data Privacy Act mandates data breach notification for the first time. And in the UK, aggressive action by the Information Commissioner's Office (ICO) and Financial Services Authority (FSA) has made data breach notification de facto law.

Over the next 12 months, regulation requiring the protection of data and mandatory breach notification will only continue to grow. At the same time, many organizations will continue to experience damaging, costly, and very public data breaches. As this survey shows, encryption is one of the most effective means to protect data. Using encryption with automated key management goes a long way toward helping organizations achieve their compliance and IT operations objectives.

Key Findings

Trust Catalyst conducted the second annual data protection survey to evaluate evolving trends in encryption and key management. This report, sponsored by Thales, provides new analysis and unique data to help organizations learn from the data protection and risk management decisions of their peers. The report identifies these key findings:

- Unnecessary risk. The Achilles' heel of many organizations remains the same as last year: unencrypted databases and backup tapes. Less than 50 percent of organizations are encrypting backup tapes and databases, creating a critical vulnerability in data protection programs. Nearly 20 percent of participants who are not encrypting backup tapes said their organization would wait until a breach occurred before beginning to encrypt tapes.

- Cost of encryption remains a top concern. Participants said cost remains the single most important factor preventing the encryption of data that should be encrypted. Over half cited either the cost of the encryption solution (26 percent) or the cost of managing the encryption solution (25 percent) as the primary obstacles to adopting encryption where it is needed most.
- Operational concerns delay encryption projects. Cost isn't the only barrier to encryption adoption. The decision to encrypt requires organizations to weigh other operational efficiencies against the need for data protection. When asked what was preventing them from encrypting databases, 25 percent of participants cited performance as the key inhibitor. For backup tapes, the complexity of managing keys was the primary obstacle, cited by 24 percent of respondents. Here, many participants told us availability is more important than confidentiality.

- Lost keys disrupt business. 8 percent of organizations have experienced problems with lost encryption keys, creating security concerns (50 percent), causing data to be permanently destroyed (39 percent), or disrupting the business (39 percent), while 19 percent of respondents said they directly lost business.

- Key management and compliance. Planning an organization's key management strategy is no easy feat. A third of survey respondents (34 percent) have been planning their key management strategy for over a year. For the first time, these participants ranked proving that compliance requirements have been met as the most challenging aspect of key management.

- New encryption mandates considered helpful to data protection strategies. Regulations mandating encryption were seen as helpful in moving data protection strategies forward for an overwhelming 71 percent of survey participants, while only 7 percent disagreed, saying these regulations harmed or obstructed their organization's data protection efforts. Encryption mandates appear to be the ammunition many organizations need to help sell their data protection strategies internally. In addition, 66 percent of respondents expect to see more industry regulations outlining data protection guidelines, and 55 percent expect to see more national breach notification laws.

- Patient and credit card data protection drives encryption spending. PCI DSS, HIPAA, and the EU Data Privacy Directive are the top three data protection regulations requiring allocation of new encryption budget over the next 24 months. 54 percent of respondents indicated they were allocating budget for PCI DSS, 29 percent for HIPAA, and 22 percent for the EU Data Privacy Directive. Data protection rules such as HIPAA and PCI are driving the use of encryption across industries as the need to protect specific types of data grows.

- Cloud not ready for prime time. 52 percent of participants cite data security concerns as the number one barrier preventing their organization from adopting cloud computing. 43 percent of survey participants said they are not currently planning on moving to the cloud, while another 47 percent said they would wait until data is encrypted before moving. 59 percent said they would want to manage their own encryption keys if encrypted data was moved to the cloud.
About This Paper

This paper is organized into the following four sections:

- Section I: Data Encryption Trends and Obstacles
- Section II: Regulations and Compliance Drivers
- Section III: Cloud Computing
- Section IV: Importance of Key Management in the New Data Protection Imperative

Research methodology and information about the survey respondents are outlined in Appendix A.
Section I: Data Encryption Trends and Obstacles

New compliance regulations are pushing the need to encrypt more data than ever before. In this year's survey, we wanted to understand not only what was being encrypted, but also what was preventing organizations from adopting more encryption where it's needed the most. In this section, we summarize these trends by exploring:

- Encryption trends
- Obstacles to encryption
- Key management trends

Encryption Trends

Table 1 compares the 13 applications surveyed in 2008 to show the change in encryption trends from 2008 to 2009. The applications are ranked from most to least widely deployed according to this year's survey results.

Table 1: Applications encrypting data, comparing 2008 and 2009 results

Encryption application                    Rank in 2009 survey   Rank in 2008 survey   Change
Web server SSL                                     1                     1              0
File encryption, server                            2                     5             +3
File encryption, desktop                           3                     2             -1
FTP encryption                                     4                     4              0
Email client (e.g. S/MIME or OpenPGP)              5                     3             -2
Email gateway (e.g. TLS)                           6                     7             +1
Full disk encryption                               7                     6             -1
Database encryption                                8                     8              0
Mobile device encryption                           9                    11             +2
Tape backup encryption                            10                     9             -1
USB device encryption                             11                    10             -1
XML encryption                                    12                    12              0
Storage fabric/switch encryption                  13                    13              0

The most significant increases in this year's research were "File encryption, server" moving up from fifth to second place and "Mobile device encryption" rising from eleventh to ninth. Email encryption at the client saw the most significant fall, from third place in 2008 to fifth in 2009. There was not a significant increase in encryption adoption for databases or backup tapes in 2009. We continue to caution organizations not encrypting these applications that they remain at serious risk of data breach, particularly with regard to patient and credit card data.

This year's research saw the addition of four new applications: 1) Network link encryption, 2) Payment processing, 3) Disk array, and 4) Cloud computing. Figure 1 and Table 2 compare the results of all respondents to those of the financial services industry, which has adopted encryption faster.
Figure 1: Encryption adoption compared to financial services industry, 2009 results (chart; the data is given in Table 2)

Table 2: Encryption applications used, 2009 results

Encryption application                    All respondents   Financial services industry
Web server SSL                                  77%                    86%
File encryption, server                         57%                    65%
File encryption, desktop                        56%                    62%
FTP encryption                                  54%                    65%
Network link encryption                         53%                    70%
Email client (e.g. S/MIME or OpenPGP)           52%                    60%
Email gateway (e.g. TLS)                        51%                    68%
Payment processing                              50%                    79%
Full disk encryption                            49%                    56%
Database encryption                             43%                    53%
Mobile device encryption                        42%                    63%
Tape backup encryption                          41%                    58%
USB device encryption                           41%                    45%
Disk array                                      25%                    44%
XML encryption                                  31%                    33%
Storage fabric/switch encryption                20%                    30%
Cloud computing                                 17%                    19%
Here we can see that the five most widely deployed encryption applications overall are:

1. Web servers (77 percent)
2. File encryption on servers (57 percent)
3. Desktop file encryption (56 percent)
4. FTP encryption (54 percent)
5. Network link encryption (53 percent)

The financial services industry differs slightly, with email encryption at the gateway and payment processing among the five most frequently used encryption applications in this year's research:

1. Web servers (86 percent)
2. Payment processing (79 percent)
3. Network link encryption (70 percent)
4. Email encryption at the gateway (68 percent)
5. Tie: File encryption at the server (65 percent) and FTP encryption (65 percent)

The financial services industry does have a higher percentage of database and backup tape encryption deployed than the general survey population. 53 percent of financial services participants encrypt databases compared with 43 percent overall. 58 percent of financial services participants encrypt backup tapes compared with 41 percent overall. Since the financial services industry has been the focal point of more data protection regulations, this trend may point toward future overall growth in database and backup tape encryption as these regulations begin to impact more industries.

We must continue to caution organizations not encrypting databases and backup tapes that they are at risk for two reasons:

1. Recent research has shown that exposing as few as 10,000 customer records can cost over $1 million in damages [1] and that the average organization pays $6 million per breach. [2]
2. Tapes and databases are transportable. Tapes are often sent outside the protected perimeter of the organization, making data vulnerable. This is also true for databases when database information is transferred, backed up to disk, or stored on tape. This means every time a backup of the database is made to tape and sent outside of the organization unencrypted, the likelihood of a data breach increases.

Obstacles to Encryption

In this year's research, we wanted to uncover more of the obstacles to encryption. Cost, availability, and key management concerns topped the list. In this section, we look at each factor separately.

[1] Gartner, "Pay for Mobile Data Encryption Upfront, or Pay More Later," November 5, 2008.
[2] Ponemon Institute, "Fourth Annual US Cost of Data Breach Study," January 2009. http://www.ponemon.org/local/upload/fckjail/generalcontent/18/file/2008-2009%20Cost%20of%20Data%20Breach%20Report%20Final.pdf
Cost

Cost is still the primary issue for most organizations that want to encrypt more data where it is needed most. Table 3 shows respondents' answers to the question, "If there is data in your organization that should be encrypted but is not, what is the biggest obstacle preventing encryption?" Slightly more than half of respondents indicated the cost of either deploying or managing the solution as their biggest obstacle. Another 22 percent of participants cited data recovery costs or key management challenges as their most significant barrier.

Table 3: If there is data in your organization that should be encrypted but is not, what is the biggest obstacle preventing encryption?

Response                                                                                                All respondents
Cost of encryption solution                                                                                   26%
Cost of managing encryption solution                                                                          25%
Other                                                                                                         14%
Management doesn't see connection between encryption and protecting customers; thinks it's an unnecessary expense   13%
Cost of data recovery and key management                                                                      12%
Data recovery concerns resulting from unresolved key management challenges                                    10%

Data Availability

This year's research found that database and backup tape encryption are still less widely adopted than encryption for many other applications. One participant succinctly summarized the reasoning behind this reluctance: "Availability is more important than confidentiality." Others cited ignorance, underestimation of risks, budget, and neglect as reasons why participants have not encrypted sensitive data.

Database encryption

When it comes to protecting sensitive data in databases, most think encrypting will create performance issues for business-critical applications. Even respondents from the financial services industry, with a higher rate of database encryption adoption, tend to agree. When applications process fewer transactions because of database encryption, organizations lose business. One participant told us that both performance and cost blocked their adoption of database encryption: "Poor database schema designs use sensitive data as database keys and thus drastically impacts performance. This fix is a schema redesign that most organizations are not willing to fund."
Table 4 shows participants' ideas about the main factors that have prevented organizations from deploying database encryption.

Table 4: In your opinion, what is the main reason so many organizations are waiting to encrypt sensitive data in the database?

Response                                                                                          All respondents   Financial services industry
Creates performance impacts that may allow fewer customer transactions                                   21%                   25%
Don't see the benefit of encrypting the database when hackers attack the front end of the applications and can get access to data whether encrypted or not   18%   19%
Key management issues are too complex                                                                    17%                   18%
Requires a disruption to the application environment which may cause lost business                       15%                   13%
Waiting to be natively embedded in the database solution                                                 13%                   14%
Requires migrating data that will cause a disruption to the business                                      9%                   13%
Other                                                                                                     7%                    6%

The second most popular response came from participants who don't see the benefit of encrypting databases if they can still be attacked. Host-based attacks, SQL injection, and insider threats may not be thwarted by the use of data encryption: an attacker who compromises the application's front end is handed decrypted data by the application itself. It's always important that a defense-in-depth approach to mitigating risks is used.

However, one of these layers should be encrypting databases. For example, if organizations back up their databases to tapes, they could be at serious risk if they ship those tapes unencrypted. Using database encryption before backing up the data can help protect sensitive information and prevent a data breach if a tape is lost or stolen.

Finally, 17 percent of participants said key management was too complex to apply encryption at the database. As we will see later in this section, many participants said they would have less than an hour to recover encrypted data from the database, creating data availability concerns. This makes effective key management that much more important.
Backup tape encryption

In regard to backup tape encryption, we asked survey respondents a similar question: "In your opinion, what is the main reason so many organizations are waiting to encrypt backup tapes?" As shown in Table 5, the most popular response was "Key management issues too complex" at 24 percent. For example, one participant told us that organizations "Want to ensure access to backup tapes [...] if encrypted and key is lost or unavailable then the backup tape is worthless." Others told us it was the worry about data recoverability after long periods of storage that discouraged encryption.

Coming in second place with 19 percent was the response that most organizations would wait until after a data breach event before they would be willing to tackle tape backup encryption. This was concerning because our assessment of the current regulatory environment concludes that organizations do not have the luxury of waiting to encrypt tapes, as the likelihood of breaches and costs to the business are only increasing. In our opinion, organizations that ship tapes must encrypt tapes.

Table 5: In your opinion, what is the main reason so many organizations are waiting to encrypt backup tapes?

Response                                                                                                   All respondents
Key management issues too complex                                                                                24%
Most organizations will wait until after a data breach notification event                                        19%
Waiting to be natively embedded in my backup tape solution                                                       17%
Decision to postpone encrypting tapes is made by the storage dept without involvement from the security dept     11%
Encrypting tapes costs more than a data breach, so it's not cost effective to encrypt                            10%
Too difficult to make key accessible to the disaster recovery site                                               10%
Other                                                                                                             9%

Key Management Trends

As we've seen with backup tapes and databases, key management concerns continue to plague organizations attempting to encrypt sensitive data. Once this data is encrypted, it must be recoverable at some point in the future, with little room for error. First and foremost, data must be available. Concerns around data availability have made planning an organization's key management strategy no easy feat. A third of survey respondents (34 percent) have been planning their key management strategy for over a year (up from 26 percent in 2008). Table 6 below shows how much time organizations have spent planning for key management compared to the financial services industry. Unsurprisingly, more financial services participants (47 percent) have spent over a year planning their key management strategy.

Table 6: How much time has your organization spent preparing or planning for key management issues?

Length of time   All respondents   Financial services
Over 1 year            34%               47%
6-12 months            15%               19%
1-5 months             23%               16%
1 week                  9%                6%
None                   19%               12%

Data availability concerns are often driven by the amount of time one has to recover encrypted data. The less time to recover data, the greater the availability concerns. Table 7 below shows acceptable recovery time frames for different applications.
Table 7: What is an acceptable amount of time to recover data?

Data location             Less than 1 hour   Less than 1 day   2 days to 1 week   1 month or more
Laptops                          22%               50%                26%                1%
Mobile devices                   29%               42%                29%                2%
File servers                     41%               43%                16%                1%
Databases                        49%               37%                13%                1%
Email                            30%               42%                27%                1%
Backup tapes                     17%               43%                36%                4%
Cloud computing                  31%               33%                27%                9%
Storage fabric                   30%               36%                10%                7%
Payment processing               54%               29%                13%                4%
Network link encryption          54%               30%                12%                4%

For most applications, encrypted data needs to be recovered in less than a day, but for business-critical applications like databases, network link encryption, and payment processing applications, data often must be recovered in less than an hour.

With such high demands on data recoverability time frames, we wanted to know how encryption keys were being stored, to see if there was a connection between key management and data availability requirements. Table 8 below shows the results from all survey participants and all applications.

Table 8: Where are encryption keys stored? (applications marked * are discussed in the text below)

Application                              HSM   Database   Software or disk   USB device   Don't know
Web server SSL                           23%     13%            29%               9%          26%
File encryption, server                  32%     14%            21%               5%          29%
File encryption, desktop                 23%     13%            29%               9%          26%
FTP encryption                           14%     11%            26%               4%          46%
Network link encryption *                26%      6%            20%               3%          45%
Email client (e.g. S/MIME or OpenPGP)    14%     12%            31%               5%          37%
Email gateway (e.g. TLS)                 13%     12%            30%               4%          42%
Payment processing *                     36%      7%            13%               3%          41%
Full disk encryption                     24%     12%            30%               5%          30%
Database encryption *                    24%     21%            15%               2%          37%
Mobile device encryption                 17%     10%            23%               5%          45%
Tape backup encryption *                 26%      9%            15%               2%          49%
USB device encryption                    14%      8%            16%              19%          42%
Disk array                               17%      6%            12%               2%          63%
Storage fabric/switch encryption         19%      5%             9%               2%          64%

As it was last year, the most popular response for most applications was "don't know", even for the applications that needed to be recovered in less than an hour. However, for respondents who knew where keys were stored, the majority of applications that needed to be recovered in an hour were most likely to be in a hardware security module (HSM). Four applications for which respondents preferred to have their keys stored in an HSM rather than software or disk were Payment processing, Network link encryption, Database encryption, and Tape backup encryption (marked * in the table above). Here we can see the importance of using HSMs to automate key management and overcome data availability concerns. Without HSMs or the use of automated key management tools, we believe data availability concerns will continue to stand in the way of data protection.
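The dependency this section keeps returning to, that an encrypted tape is only as available as the key that protects it and that a lost key turns the tape into scrap (Table 5, and the "lost keys disrupt business" finding), is easiest to see with the usual structure for tape encryption: a per-backup data key that travels with the tape in wrapped form, and a key-encryption key that never leaves the key manager or HSM. The following is an added Python illustration and is not code from the report, from Thales or from Trust Catalyst. Everything in it is assumed for illustration: the KeyStore class standing in for an HSM, the seal/open_sealed, write_backup and restore_backup names, the sample tape image, and the cipher itself, which is a constructed HMAC-SHA256 keystream with an encrypt-then-MAC tag so the example runs on the Python standard library alone (a production system would use AES-GCM for the data and AES key wrap inside the HSM for the data key).

```python
"""Envelope encryption for a tape image, with the wrapping key kept off the tape.
Added illustration, not code from the report, Thales or Trust Catalyst. A fresh data
encryption key (DEK) encrypts each backup; a long-lived key-encryption key (KEK) held
by KeyStore (a stand-in for an HSM) wraps the DEK, and only the wrapped DEK ships with
the tape. The cipher is a constructed stand-in (HMAC-SHA256 keystream, encrypt-then-MAC)
so this runs on the standard library; production systems use AES-GCM or AES key wrap."""
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32

def _keystream(key, nonce, length):
    """Counter mode over HMAC-SHA256: concatenate HMAC(key, nonce || counter) blocks."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out.extend(hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
        counter += 1
    return bytes(out[:length])

def _subkeys(key):
    """Derive independent encryption and MAC keys from one 32-byte key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def seal(key, plaintext, aad=b""):
    """Encrypt-then-MAC; returns nonce || ciphertext || tag. AAD is authenticated, not encrypted."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, aad + nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag

def open_sealed(key, blob, aad=b""):
    """Verify the tag in constant time before decrypting; any modification raises ValueError."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, aad + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: ciphertext or metadata modified")
    return bytes(c ^ s for c, s in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))

class KeyStore:
    """Stand-in for an HSM (hypothetical API): KEKs are created and used here, never exported."""
    def __init__(self):
        self._keks = {}

    def create_kek(self, kek_id):
        self._keks[kek_id] = os.urandom(32)

    def destroy_kek(self, kek_id):
        """Models the lost-key event: everything wrapped under this KEK becomes unrecoverable."""
        del self._keks[kek_id]

    def wrap(self, kek_id, dek):
        # KEK id as AAD: a wrapped DEK cannot be presented under a different KEK id.
        return seal(self._keks[kek_id], dek, aad=kek_id.encode())

    def unwrap(self, kek_id, wrapped_dek):
        if kek_id not in self._keks:
            raise KeyError(f"KEK {kek_id!r} unavailable; backups wrapped under it cannot be restored")
        return open_sealed(self._keks[kek_id], wrapped_dek, aad=kek_id.encode())

def write_backup(store, kek_id, tape_image):
    """Encrypt one tape image under a fresh DEK; only the wrapped DEK travels with the tape."""
    dek = os.urandom(32)
    return {"kek_id": kek_id, "wrapped_dek": store.wrap(kek_id, dek),
            "ciphertext": seal(dek, tape_image, aad=b"tape-image")}

def restore_backup(store, backup):
    dek = store.unwrap(backup["kek_id"], backup["wrapped_dek"])
    return open_sealed(dek, backup["ciphertext"], aad=b"tape-image")

def demo():
    """Round trip, tamper detection on a lost tape, and the lost-KEK failure mode."""
    store = KeyStore()
    store.create_kek("tape-kek-2009")
    image = b"PATIENT,12345,A. Example\nCARD,4111111111111111,12/11\n"  # constructed sample
    backup = write_backup(store, "tape-kek-2009", image)
    results = {"restored_ok": restore_backup(store, backup) == image}
    tampered = dict(backup)  # one flipped byte on the tape must be rejected, not silently decrypted
    tampered["ciphertext"] = bytes([backup["ciphertext"][0] ^ 0x01]) + backup["ciphertext"][1:]
    try:
        restore_backup(store, tampered)
        results["tamper_detected"] = False
    except ValueError:
        results["tamper_detected"] = True
    store.destroy_kek("tape-kek-2009")  # the KEK is gone; the tape is now worthless
    try:
        restore_backup(store, backup)
        results["lost_key_detected"] = False
    except KeyError:
        results["lost_key_detected"] = True
    return results
```

Two design points carry over to real deployments regardless of the cipher. First, the tape carries ciphertext plus a wrapped data key and nothing else, so possession of a lost or stolen tape yields nothing without access to the key store. Second, the key store is a single point of failure for availability: the last branch of demo() is the survey's "lost key" event, and the only defense against it is backing up or replicating the KEK under the same controls (HSM backup tokens, key manager clustering, a copy reachable from the disaster recovery site), which is exactly the "too difficult to make key accessible to the disaster recovery site" obstacle in Table 5.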
Conclusion

Cost isn't the only barrier to encryption adoption. The decision to encrypt requires organizations to weigh operational factors like availability and performance against the need for data protection. Here, organizations are unwilling to sacrifice operational efficiencies for data encryption. Many organizations are caught in a holding pattern while they try to determine how to best meet data recoverability requirements or find budget to meet performance and availability demands. Sadly, many will suffer a data breach before they can encrypt sensitive data. Nearly 20 percent of those surveyed believe it will take a data breach to get the approval to start encrypting backup tapes. Given the new regulatory climate, many organizations will need to ask themselves what will be worse: paying for automated encryption key management to overcome data availability fears, or losing customers in a breach when they expose sensitive credit card or patient data. Considering the higher costs and risks of a breach, we believe postponing these encryption decisions (particularly for backup tapes) is no longer a sustainable risk management strategy.
Section II: Regulations and Compliance Drivers

This year's research shows that the protection of healthcare and credit card data is driving future compliance spending. This section takes a look at regulations' impact on the organizations surveyed by exploring:

- Encryption budget allocated for compliance
- How survey respondents expect regulations to change
- The connection between key management and compliance

Encryption Budget Allocated for Compliance

We provided participants with a list of 25 data protection regulations and asked which ones would require the allocation of new budget in the next 24 months. Table 9 below shows the responses, with PCI DSS leading the charge, followed by US HIPAA and the EU Data Privacy Directive.

Table 9: Regulations requiring allocation of new encryption budget over the next 24 months

Regulation                                                            All respondents
PCI DSS                                                                     54%
US HIPAA                                                                    29%
EU Data Privacy Directive                                                   22%
US Gramm-Leach-Bliley                                                       18%
US Multiple State Data Breach Notification Laws                             16%
US California Data Breach Notification (CA SB 1386)                         15%
US Massachusetts Data Protection Act (MA 201 CMR 17)                        14%
UK Data Privacy Act                                                         13%
US Federal Trade Commission Red Flag Rules                                  12%
Canada Personal Information Protection and Electronic Documents Act         10%
US Nevada (Senate Bill No. 227)                                              9%
Canada Privacy Breach Guideline                                              9%
Germany S93 Act on Processing of Personal Data                               8%
UK Privacy Commissioner Breach Notification Guidelines                       7%
South Africa Protection of Personal Information Act                          7%
Italy Data Protection Code                                                   4%
Spain Personal Data Protection and Telecommunications Act                    4%
Japan Personal Information Act                                               4%
Hong Kong Personal Data Privacy Ordinance                                    4%
Australia Privacy Commissioner Breach Notification Guidelines                3%
France Postal and Electronic Communications Code                             3%
Australia Commonwealth Privacy Act                                           3%
South Korea Act on the Protection of Personal Information                    2%
New Zealand Privacy Commissioner Breach Notification Guidelines              2%
New Zealand Privacy Breach Guidelines                                        2%

It was a surprise to see industry-specific regulations such as PCI DSS and HIPAA topping the list, given that the majority of survey respondents were not from financial services, healthcare, and retail. We believe this indicates that encryption budget allocations are driven less by the industry you are in than by the type of data you need to protect. As more industries store, manage, and process customer, patient, employee, and business partner information, they will be required to protect their data accordingly.
Comparing the Top Five Regulations in the US and EMEA

Figure 2 and Table 10 below track the top five regulations in the US and EMEA and compare them to the worldwide response. Here you can see that while PCI DSS received the highest response in EMEA, HIPAA received the highest response in the US.

Figure 2: Percentage of respondents citing new encryption spending driven by major regulations (chart; the data is given in Table 10)
Table 10: Percentage of respondents citing new encryption spending driven by major regulations
Regulation | All respondents | US | EMEA
PCI DSS | 53% | 48% | 52%
US HIPAA | 27% | 53% | 8%
EU Data Privacy Directive | 21% | 13% | 43%
US Gramm-Leach-Bliley | 15% | 32% | 5%
US State Data Breach Notification Laws | 15% | 32% | 5%
US Massachusetts Data Protection Act | 12% | 26% | 3%
UK Data Privacy Act | 11% | 9% | 20%
Germany S93 Act on Processing Personal Data | 5% | 5% | 15%
UK Privacy Commissioner Breach Notification Guidelines | 5% | 9% | 9%
How Survey Respondents Expect Regulations to Change
We wanted to know how participants expected regulations to change over time and if they thought regulations mandating the use of encryption were helpful or harmful to their data protection strategies. In Figure 4 and Table 11, we asked participants how they expect regulations to change in the next 24 months. Two-thirds (66 percent) indicated they believed there would be new industry regulations, and 55 percent said they expect new national laws. Only 11 percent believed there would be no new laws introduced.
Figure 4: How do you expect regulations to change in the next 24 months?
Table 11: How do you expect regulations to change in the next 24 months?
Response  All respondents
There will be new industry regulations  66%
There will be new national laws  55%
There will be new local laws (state and regional)  43%
There will be no new laws introduced  11%
We also wanted to know how participants viewed data breach regulations that required the use of encryption. We asked them if these regulations were seen as "Helpful to moving forward your organization's data protection efforts" or "Harmful and gets in the way of your organization's data protection efforts." The overwhelming majority of respondents (70 percent) found them helpful. Surprisingly, an even higher percentage (79 percent) of respondents from organizations that have experienced a data breach found them helpful, with only 2 percent finding them harmful. Table 12 below compares the responses of participants whose organizations had experienced a data breach to those who had not.
Table 12: Data breach regulations that spell out the need for protecting data using encryption are:
Response | Breached organizations | Non-breached organizations
Helpful to moving forward your organization's data protection efforts | 79% | 70%
Undecided | 19% | 23%
Harmful and gets in the way of your organization's data protection efforts | 2% | 7%
The New Connection Between Key Management and Compliance
Over the last two years of conducting this research, we've asked participants to rank the aspects of key management they've found the most challenging. The results of this year's study highlight an interesting new finding: Organizations that have spent the most time planning key management ranked their most challenging aspect differently from their peers. Those that have been using encryption and have spent the most time preparing for key management are now more focused on demonstrating compliance compared to organizations that are just beginning to adopt encryption.
Table 13 below compares these three groups and ranks their choices from most difficult to least difficult for:
- All responses, 2008
- All responses, 2009
- 2009 responses by those who had spent one year or more planning key management strategy
Table 13: Relative difficulty of different aspects of key management (1 = most difficult)
Aspect of key management | 2008 All Respondents | 2009 All Respondents | 2009 1+ Year of Key Mgmt. Planning | Difference, 2009 (All) to 2009 (1+ Year of Planning)
Preparing for the unfortunate publicity and impact of data breach | 1 | 2 | 3 | -1
Rotating keys, decrypting and re-encrypting data | 2 | 1 | 2 | -1
Keeping track of keys (having the right key at the right time) | 3 | 3 | 7 | -4
Meeting compliance requirements | 4 | 6 | 4 | +2
Long-term key archival | 5 | 5 | 5 | 0
Proving compliance requirements have been met | 6 | 4 | 1 | +3
Making keys accessible to the disaster recovery site | 7 | 6 | 6 | 0
Backing up and recovering keys | 8 | 7 | 8 | -1
Revoking/terminating keys (so data can't be accessed) | 9 | 8 | 9 | -1
Respondents found the following among the more challenging aspects of key management:
- Rotating, decrypting and re-encrypting data
- Preparing for the unfortunate publicity and impact of data breaches
But there were differences when it came to what was the most challenging. "Proving compliance requirements have been met" was ranked the most difficult by the group that had been planning key management longer. By contrast, the participants in 2008 ranked "Meeting compliance requirements" more challenging than proving they had been met. We think this is a significant finding: As organizations become more mature in their encryption and key management strategies, they find proving compliance more difficult than the mechanics of key management.
There were also interesting differences regarding the difficulty of "Keeping track of keys (having the right key at the right time)." Those who had not been planning longer than a year ranked it third in difficulty, while those who had been planning the longest found it to be one of the least challenging aspects of key management. This suggests that effective key management can reduce the time and operations costs spent on key management tasks.
Conclusion
Participants in the survey are feeling the impact of data breach regulations in two critical areas: the types of data they will need to protect and their key management strategies. While the majority of participants worldwide are budgeting for PCI DSS, HIPAA is the most important encryption budget driver in the US. We believe this is a result of the HITECH rule introducing breach notification for sensitive healthcare data.
Second, those who have been planning their key management strategies the longest see a connection between key management and their compliance strategies. They now consider the most challenging aspect of key management to be proving that compliance requirements have been met. These organizations have more mature data protection models and are living in a compliance world where the most important aspect of data protection is their reporting capability. They are spending more time making sure their compliance efforts are demonstrable and less time deciding how and what to encrypt.
Organizations that are less experienced with key management are likely dealing with newer encryption deployments and operational issues. They haven't achieved the operational efficiencies enjoyed by organizations that have been planning their key management strategies the longest.
Section III: Cloud Computing
The security debate around cloud computing has arisen since our 2008 survey. This year, we were interested in understanding three things:
- Barriers to cloud computing adoption
- Role of encryption and data protection in an organization's decision to move to the cloud
- Expectations for key management with cloud computing
Figure 5 and Table 14 below show the response to the question, "What is the biggest barrier for your organization when adopting cloud computing?" 52 percent of survey participants cited data security concerns as the biggest barrier, while 18 percent said there are no barriers.
Table 14: What is the biggest barrier for your organization when adopting cloud computing?
Response  All respondents
Data security concerns  52%
There are no barriers  18%
Other  14%
Compliance  8%
Key management concerns  8%
Figure 3: Biggest barrier to cloud computing
Organizations are reluctant to move to the cloud, with or without data security in place. When asked, "Would your organization move to the cloud without data encryption?", 47 percent said they would wait for encryption, but almost as many (43 percent) said they were not planning on moving to the cloud at all. Table 15 and Figure 6 show the findings for all participants.
Table 15: Would your organization move to the cloud without data encryption?
Response  All respondents
No, we would wait until data is encrypted  47%
No, we are not planning on moving to the cloud  43%
Yes, encryption is not a barrier for us to adopt cloud computing  7%
Yes, we have already moved unencrypted data to the cloud  5%
Figure 4: Would your organization move to the cloud without data encryption?
Finally, we wanted to know if encryption key management based in the cloud would be acceptable to survey participants, or if they would prefer to manage the encryption keys themselves. An overwhelming 58.8 percent said they would want to manage their own keys compared to 15.1 percent who wouldn't mind if their service provider handled key management on their behalf.
Table 16 and Figure 7 show these findings.
Table 16: Is encryption key management based in the cloud acceptable?
Response  All respondents
No, I would want to manage our encryption keys  59%
Yes, I trust my solution provider to manage encryption keys and recover my data in a time that is acceptable to our business  15%
Don't know  26%
Figure 5: Is encryption key management based in the cloud acceptable?
Conclusion
Our research shows survey respondents are very skeptical about cloud computing. While there isn't enough data here to predict any substantial trends for cloud computing, one thing is clear: Organizations should be sure to analyze whether or not a move to the cloud makes sense with a risk management framework that incorporates data protection and compliance requirements. If your organization is adopting cloud computing, then data protection, data availability, and key management expectations should be well defined in service level agreements. Organizations should also outline when they expect to be notified if breaches occur. From customers' perspective, a breach at a cloud service provider will be interpreted no differently than if you caused the breach, so be sure you and your customers are protected before using cloud services.
On the other hand, if you are a cloud computing service provider, your handling of the data protection and compliance issues covered in this report could be translated into competitive advantages in selling your services.
Section IV: Importance of Key Management in New Data Protection Imperative
With new data protection regulations specifying encryption for safe harbor or even mandating its use, we believe it's become much riskier out there for organizations that are waiting to encrypt critical information like healthcare and credit card data in unprotected backup tapes and databases. With less than half of participants encrypting backup tapes and nearly 20 percent of respondents saying it would take the pain of a data breach to get their organization to encrypt, we believe too many organizations are needlessly at risk.
At the heart of the new data protection imperative lies a critical risk management decision. Organizations can either: 1) Wait to encrypt sensitive data and live with a much higher risk of data breach than ever before, or 2) Encrypt data but risk business continuity issues such as data availability without effective key management. The chart below summarizes this risk management decision, taking into account a few of the factors we find most important:
- Concern: Likelihood of a data breach versus likelihood of losing a key once data is encrypted
- Type of notification: What happens if your concern comes true and you have to tell others
- Who is notified: Exactly who is on the distribution list and alerted when things go wrong
- Costs to business [3]: Immediate and longer-term consequences
- How to avoid: Action the organization must take to avoid the problem
[3] Please contact TrustCatalyst for the TrustCatalyst Data Breach Prep Kit, a cost worksheet that can help you determine costs of data breach events for your organization.
Operational efficiencies like availability and performance cause organizations to postpone implementation of their data protection strategies for fear that encryption will slow the business down (e.g., databases) or that lost encryption keys will cause lost business when data is not available (e.g., backup tapes). But we believe organizations no longer have the luxury of postponing encryption of critical data because of key management concerns. As the chart above shows, there are more costs and negative impacts to the business associated with data breaches that involve public disclosure, and most could be avoided by encrypting data.
In just the last year, we've learned a lot more about the costs of loss of customer trust after a breach. A recent survey of data breach victims [4] showed the significant impact of a breach on the business:
- 55 percent trusted the organization less, which greatly impacted future business.
- 30 percent vowed never to purchase goods from the organization again.
- 29 percent terminated future relationships with the organization.
- 69 percent of the costs of data breach came from lost business.
Our research shows respondents were more likely to have experienced a data breach than to have lost an encryption key, as Table 17 shows.
Table 17: Incident rate for lost keys and data breaches among respondents
Event  Incident rate %
Lost key  8%
Data breach (in the last 24 months)  12%
As Table 18 below shows, for those organizations that have lost encryption keys, the event created security concerns (50 percent), resulted in permanent data loss (39 percent), and caused business disruptions (39 percent) and lost business (19 percent). While we don't want to diminish the business impacts of bad key management, we believe they can no longer serve as an excuse for postponing encryption, particularly of healthcare and credit card data.
Table 18: What was the impact of losing encryption keys to your business?
Response  Respondents who have lost key
Created a security concern  50%
Lost data that was never recovered  39%
Created a business disruption  39%
Lost data but we were able to recover it  31%
Caused lost business  19%
Other  4%
[4] Javelin Strategy and Research, Consumer Survey on Data Breach Notification, 2008.
Conclusion
We are concerned for two reasons. First, without automated key management, the encryption necessary to protect sensitive data where it is most at risk will not happen. We believe the lack of a key management strategy is no longer an acceptable reason for postponing the protection of critical data like healthcare, patient, and credit card data. The only way organizations will be able to comply with regulations and safely protect patient and consumer data will be to automate encryption key management. Technologies like HSMs (hardware security modules) have long been available to help organizations automate key management and avoid data availability issues. However, many organizations see these technologies as too costly to implement. Taking into consideration the value organizations place on availability, the operational efficiencies good key management brings, and the ability to encrypt more, we believe these technologies are well worth the cost.
Second, the costs of breach notifications are worse than we originally thought. Postponing your decision to encrypt will cost a lot more than many organizations initially estimated in their assessment of their risks. Only with automated management of keys will availability and continuity issues stop obstructing encryption projects. We believe automating key management is no longer an option, especially when it comes to protecting credit card and patient data.
Appendix A: Research Methodology
In August 2009, TrustCatalyst conducted an online survey to examine the current and planned use of encryption and key management strategies within today's global enterprise. Prospective survey respondents were selected from a database of global information security professionals collected by Thales, a leader in the provision of information and communication systems security solutions whose customers include some of the most security-conscious organizations in the world. Over 30,000 emails were sent to information security professionals who were asked to complete the online survey. As an incentive to complete the survey, we offered the results of the survey contained within this research report. We received 655 complete and partial responses.
Respondents were given the following instructions before starting the survey:
"The purpose of the survey is to gather much-needed information about global market requirements in encryption and key management trends at a level of depth and experience missing in other surveys completed to date. Like last year, the 2009 research report will be an invaluable benchmark showing how hundreds of other organizations compare to yours in the use of encryption and responding to key management challenges. Your participation is completely confidential and all responses will be compiled at an aggregate level so your participation is completely anonymous."
Following are the demographics and organizational characteristics of the 655 respondents. Table 19 shows participants' functional responsibilities. Table 20 provides their self-reported organizational roles.
Table 19: Functional responsibilities of respondents  Percent of respondents
Compliance  5%
Database administration  1%
Information security  30%
Network security  6%
Operations  6%
PKI deployment  8%
Product/application development  14%
Risk management  4%
Storage administration/design  0.6%
System administration/design  5%
Website administration  0.3%
Other  21%
Figure 8: Functional responsibilities of respondents
Table 20: Organizational roles of respondents  Percent of respondents
Administrator  6%
Architect  15%
Staff  8%
Manager  24%
Director  8%
Vice president  3%
Chief information officer  2%
Chief security officer  1%
Chief information security officer  2%
Chief compliance officer  1%
CEO  3%
Other  27%
Figure 9: Organizational roles of respondents
Table 21 shows the percentage distribution of survey respondents by industry classification. The two biggest industry segments were technology and software (28.5 percent) and financial services (25.7 percent).
Table 21: Industry classification of respondents  Percent of respondents
Automotive  0.3%
Defense  3%
Education  3%
Energy  1%
Financial Services  26%
Food services  0.3%
Government  8%
Healthcare  4%
Hospitality  0%
Internet and ISP  1%
Local Government  1%
Manufacturing  3%
Media  0.5%
Pharmaceuticals  0.2%
Professional Services  6%
Research  0.8%
Retail  2%
Technology and Software  29%
Telco, Wireless and Cable  3%
Transportation  0.9%
Other  8%
Figure 10 and Table 22 show the geographical breakdown of survey respondents, with the majority of respondents coming from either EMEA (Europe, the Middle East, and Africa) or the United States.
Figure 10: Location of respondents
Table 22: Location of respondents  Percent of respondents
Asia Pacific  5%
Canada  6%
EMEA  45%
Latin America  5%
United States  40%
Finally, respondents' company size is depicted in the figure below, with 48 percent having fewer than 1,000 employees, 30 percent having 1,001 to 25,000 employees and 22 percent having more than 25,000 employees.
Figure 11: Number of employees in respondent organization (1,000 or less: 48%; 1,001 to 25,000: 30%; 25,001 or more: 22%)
About Thales
Thales is one of the world leaders in the provision of information and communication systems security solutions for government, defense, critical infrastructure operators, enterprises, and the finance industry. Thales's unique position in the market is due to its end-to-end security offering spanning the entire value chain in the security domain. The comprehensive offering includes architecture design, security and encryption product development, evaluation and certification preparation, and through-life management services.
Thales has forty years of unrivalled track record in protecting information ranging from Sensitive But Unclassified up to Top Secret, as well as a comprehensive portfolio of security products and services, which includes network security products, application security products, and secured telephony products.
About TrustCatalyst
TrustCatalyst helps global organizations make critical decisions about how to protect their most valuable resource: their customers' trust. We understand that the adoption of a successful data protection or security program is about selling a strategy to a larger audience. We speak the language business executives understand and quantify the need for security by helping establish the costs of lost customer trust, including disruption of business. As cybercriminals increasingly target organizations with sensitive customer data, we help businesses understand the threats, the costs of those threats, and how to maintain trusted relationships with customers. You can learn more and download our research at www.trustcatalyst.com.