GLOBAL ENCRYPTION TRENDS STUDY
April 2018
PONEMON INSTITUTE© RESEARCH REPORT
TABLE OF CONTENTS
PART 1. EXECUTIVE SUMMARY 3
PART 2. KEY FINDINGS 6
Strategy and adoption of encryption 6
Trends in encryption adoption 8
Threats, main drivers and priorities 9
Deployment choices 10
Encryption features considered most important 11
Attitudes about key management 12
Importance of hardware security modules (HSMs) 15
Budget allocations 19
Cloud encryption 20
APPENDIX 1. METHODS & LIMITATIONS 22
APPENDIX 2. CONSOLIDATED FINDINGS 25
Sponsored by nCipher Security. Independently conducted by Ponemon Institute LLC.
OUR SPONSORS: GEOBRIDGE
PART 1. EXECUTIVE SUMMARY
Ponemon Institute is pleased to present the findings of the 2018 Global Encryption Trends Study,1 sponsored by nCipher Security. We surveyed 5,252 individuals across multiple industry sectors in 12 countries: Arabia (which is a combination of respondents located in Saudi Arabia and the United Arab Emirates)2, Australia, Brazil, France, Germany, India, Japan, Mexico, the Russian Federation, the United Kingdom, the United States and, for the first time, South Korea (hereafter referred to as Korea).
The purpose of this research is to examine how the use of encryption has evolved over the past 13 years and the impact of this technology on the security posture of organizations. The first encryption trends study was conducted in 2005 for a US sample of respondents.3 Since then we have expanded the scope of the research to include respondents in all regions of the world.
As shown in Figure 1, more organizations represented in this research continue to recognize the importance of having an encryption strategy, either an enterprise-wide (43 percent of respondents) strategy or a limited plan that targets certain applications and data types (44 percent of respondents).
Presented below are the 2018 findings.
Strategy and adoption of encryption
Enterprise-wide encryption strategies increase. Since conducting this study 13 years ago, there has been a steady increase in organizations with an encryption strategy applied consistently across the entire enterprise. In turn, there has been a steady decline in organizations not having an encryption plan or strategy. The results have essentially reversed over the years of the study.
Certain countries have more mature encryption strategies. The highest prevalence of an enterprise encryption strategy is reported in Germany followed by the US and Japan. Respondents in Mexico, Russian Federation, Arabia, Brazil and Australia report the lowest adoption of an enterprise encryption strategy.
The IT operations function is the most influential in framing an organization’s encryption strategy. However, in the United States, Australia and Mexico, lines of business are more influential, and in those three countries IT security and IT operations have a similar level of influence.
1 This year’s data collection was completed in January 2018. Throughout the report we present trend data based on the fiscal year (FY) the survey commenced rather than the year the report is finalized. Hence, our most current findings are presented as FY17. The same dating convention is used in prior years.
2 Country-level results are abbreviated as follows: Arabian cluster (AB), Australia (AU), Brazil (BZ), France (FR), Germany (DE), India (IN), Japan (JP), Korea (KO), Mexico (MX), Russia (RF), United Kingdom (UK), and United States (US).
3 The trend analysis shown in this study was performed on combined country samples spanning 13 years (since 2005).
Figure 1. Does your company have an encryption strategy?

Response                                                          FY15   FY16   FY17
An overall encryption plan or strategy that is applied
  consistently across the entire enterprise                       37%    41%    43%
A limited encryption plan or strategy that is applied to
  certain applications and data types                             (illegible)  44%  44%
No encryption plan or strategy                                    15%    14%    13%
The use of encryption increases in all industries. We looked at the extensive usage of encryption solutions for 10 industry sectors over seven years. Results suggest a steady increase in all industry sectors. The most significant increases in extensive encryption usage occur in healthcare & pharmaceutical, retail and financial services.
Threats, main drivers and priorities
Employee mistakes are the most significant threat to sensitive data. In contrast, the least significant threats to the exposure of sensitive or confidential data include government eavesdropping and lawful data requests. Concerns over inadvertent exposure (employee mistakes and system malfunction) significantly outweigh concerns over actual attacks by temporary workers and malicious insiders. It is interesting to note that the employee mistake threat is almost equal to the combined threat by both hackers and insiders.
The main driver for encryption is protection of information against identified threats. Organizations are using encryption to protect information against specific, identified threats (54 percent of respondents). The most critical information is the enterprise’s intellectual property and the personal information of customers (52 percent and 50 percent of respondents, respectively). Compliance with regulations remains a significant driver for encryption, according to 49 percent of respondents.
A barrier to a successful encryption strategy is the ability to discover where sensitive data resides in the organization. Sixty-seven percent of respondents say discovering where sensitive data resides in the organization is the number one challenge. This challenge has come into focus as compliance activities driven by GDPR and other privacy regulations have increased. In addition, 44 percent of all respondents cite initially deploying encryption technology as a significant challenge. Thirty-four percent cite classifying which data to encrypt as difficult.
Deployment choices
No single encryption technology dominates in organizations. Organizations have very diverse needs. Internet communications, databases and laptop hard drives are the most likely to be encrypted and correspond to mature use cases. For the first time, the study tracked the deployment of encryption on IoT devices and platforms. Forty-nine percent of respondents say IoT encryption has been at least partially deployed on both IoT devices and IoT platforms.
Encryption features considered most important
Certain encryption features are considered more critical than others. According to consolidated findings, system performance and latency, enforcement of policy and support for both cloud and on-premise deployment are the three most important features. Support for both cloud and on-premise deployment has risen in importance as organizations have increasingly embraced cloud computing and look for consistency across computing styles.
Which data types are most often encrypted? Payment related data and human resource data are most likely to be encrypted – which emphasizes the fact that encryption has now moved into the realm where it needs to be addressed by companies of all types. The least likely data type to be encrypted is health-related information, which is a surprising result given the sensitivity of health information and recent high profile healthcare data breaches. Healthcare information did, however, have the largest increase on this list over last year.
Attitudes about key management
How painful is key management? Fifty-seven percent of respondents rate key management as very painful. The average percentage in all country samples is 57 percent, which suggests respondents view managing keys as a very challenging activity. The highest percentage pain threshold of 65 percent occurs in India. At 33 percent, the lowest pain level occurs in Russia.
Companies continue to use a variety of key management systems. Although the use of manual key management processes continues to decrease, manual processes remain the most common form of key management. The next most commonly deployed systems are a formal key management policy and a formal key management infrastructure (KMI).
Industry sectors represented: Financial services; Manufacturing & industrial; Services; Public sector; Technology & software; Health & pharmaceutical; Retail; Energy & utilities; Consumer products; Education & research; Hospitality; Transportation; Communications; Entertainment & media; Other.

43% of organizations now have a consistent, enterprise-wide encryption strategy.
Importance of hardware security modules (HSMs)
Germany, US and Japan organizations are more likely to deploy HSMs. Germany, US and Japan are more likely to deploy HSMs for their organization’s key management activities than other countries. The overall average deployment rate for HSMs is 41 percent.
How HSMs in conjunction with public cloud-based applications are primarily deployed today and in the next 12 months. Forty-seven percent of respondents own and operate HSMs on-premise for cloud-based applications, and 36 percent of respondents rent/use HSMs from a public cloud provider for the same purpose. In the next 12 months, both figures are expected to increase, by 6 and 5 percentage points respectively. Interestingly, the use of HSMs with Cloud Access Security Brokers is expected to double in the next 12 months.
The overall average importance rating for HSMs, as part of an encryption and key management strategy, in the current year is 57 percent. The pattern of responses suggests Germany, India, US and Japan are most likely to assign importance to HSMs as part of their organization’s encryption or key management activities.
What best describes an organization’s use of HSMs? Sixty-one percent of respondents say their organization has a centralized team that provides cryptography as a service (including HSMs) to multiple applications/teams within their organization (i.e., private cloud model). Thirty-nine percent say each individual application owner/team is responsible for their own cryptographic services (including HSMs), indicative of the more traditional siloed application-specific data center deployment approach. More respondents indicate the centralized approach in this year’s study as compared to last year’s.
What are the primary purposes or uses for HSMs? The two top uses are SSL/TLS and application-level encryption, followed by database encryption. The most significant increases predicted for the next 12 months, according to respondents, are SSL/TLS, database encryption and payment transaction processing. It is significant to note that HSM use for SSL/TLS will soon be deployed in 50 percent of the organizations represented in this study.
Budget allocations
The proportion of IT spending dedicated to security activities, including encryption, is increasing over time. According to the findings, 10.6 percent of the IT budget goes to IT security activities and 12.3 percent of the IT security budget goes to encryption activities.
Cloud encryption
Sixty-one percent of respondents say their organizations transfer sensitive or confidential data to the cloud whether or not it is encrypted or made unreadable via some other mechanism such as tokenization or data masking. Another 21 percent of respondents expect to do so in the next one to two years. These findings indicate the benefits of cloud computing outweigh the risks associated with transferring sensitive or confidential data to the cloud.
How do organizations protect data at rest in the cloud? Forty-seven percent of respondents say encryption is performed on-premise prior to sending data to the cloud using keys their organization generates and manages. However, 38 percent of respondents perform encryption in the cloud, with cloud provider generated/managed keys. Twenty-one percent of respondents are using some form of Bring Your Own Key (BYOK) approach.
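The first of those three approaches (encrypting on-premise with keys the organization generates and manages) is normally built as envelope encryption: every object gets its own data-encryption key, and only that key is wrapped under a key-encryption key that never leaves the organization, so the provider stores ciphertext it cannot open. The Go program below is an added illustration written for this page, not code from the report or from nCipher. It uses AES-256-GCM from the Go standard library in place of an HSM, and the object name, the KEK handling and the sample record are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is the only thing handed to the cloud provider: the object
// ciphertext plus its data-encryption key (DEK) wrapped under a
// key-encryption key (KEK) that stays on-premise, ideally inside an HSM.
type Envelope struct {
	WrappedDEK []byte // nonce || AES-256-GCM(KEK, DEK)
	Ciphertext []byte // nonce || AES-256-GCM(DEK, plaintext)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealAESGCM returns nonce || ciphertext || tag under key, binding aad.
func sealAESGCM(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openAESGCM reverses sealAESGCM and fails on any change to the blob or aad.
func openAESGCM(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// EncryptForCloud encrypts an object before upload with a fresh random DEK and
// wraps that DEK under the organization's KEK. The object name is bound as
// additional authenticated data so a blob cannot be moved to another object.
func EncryptForCloud(kek []byte, objectName string, plaintext []byte) (*Envelope, error) {
	if len(kek) != 32 {
		return nil, errors.New("KEK must be 32 bytes (AES-256)")
	}
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	aad := []byte(objectName)
	ct, err := sealAESGCM(dek, plaintext, aad)
	if err != nil {
		return nil, err
	}
	wrapped, err := sealAESGCM(kek, dek, aad)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptFromCloud unwraps the DEK with the on-premise KEK, then opens the object.
// With a BYOK or provider-managed KEK only the unwrap step changes location.
func DecryptFromCloud(kek []byte, objectName string, env *Envelope) ([]byte, error) {
	aad := []byte(objectName)
	dek, err := openAESGCM(kek, env.WrappedDEK, aad)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return openAESGCM(dek, env.Ciphertext, aad)
}

func main() {
	kek := make([]byte, 32) // in production: generated and held in the org's HSM/KMS, never uploaded
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	// Constructed sample record under a hypothetical object name.
	env, err := EncryptForCloud(kek, "hr/payroll-2018.csv", []byte("alice,engineering,100000"))
	if err != nil {
		panic(err)
	}
	pt, err := DecryptFromCloud(kek, "hr/payroll-2018.csv", env)
	fmt.Printf("%s (err=%v)\n", pt, err)
}
```

Binding the object name as AAD means a wrapped DEK or ciphertext copied from one object onto another fails authentication, as does any modified byte of the ciphertext or an attempt to unwrap with a different KEK. The two other models in the paragraph differ only in where the KEK lives: under BYOK the organization generates it and ships it to the provider's key service, and under provider-managed keys the provider holds it, in which case the provider can also decrypt.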
What are the top three cloud encryption features? When asked specifically about features associated with cloud encryption, respondents list (1) support for the KMIP standard for key management (66 percent of respondents), (2) SIEM integration and visualization and analysis of logs (62 percent of respondents) and (3) granular access controls (60 percent of respondents). This indicates a growing recognition of the importance of standards-based cloud key management and specifically support for KMIP.
61% of respondents are using more than one public cloud provider.
PART 2. KEY FINDINGS
In this section, we provide a deeper analysis of the key findings. The complete audited findings are presented in the Appendix of the report. We have organized the report according to the following themes.
• Strategy and adoption of encryption
• Trends in adoption of encryption
• Threats, main drivers and priorities
• Deployment choices
• Encryption features considered most important
• Attitudes about key management
• Importance of hardware security modules (HSMs)4
• Budget allocations
Strategy and adoption of encryption
Enterprise-wide encryption strategies increase. Since first conducting this study 13 years ago, there has been a steady increase in organizations with an encryption strategy applied consistently across the entire enterprise. In turn, there has been a steady decline in organizations not having an encryption plan or strategy. The results have essentially reversed over the years of the study. Figure 2 shows these changes over time.
4 HSMs are devices specifically built to create a tamper-resistant environment in which to perform cryptographic processes (e.g., encryption or digital signing) and to manage the keys associated with those processes. These devices are used to protect critical data processing activities and can be used to strongly enforce security policies and access controls. HSMs are typically validated to formal security standards such as FIPS 140-2.
Figure 2. Trends in encryption strategy (country samples are consolidated), FY05 to FY17. The share of companies with an encryption strategy applied consistently across the entire enterprise rose from 15% in FY05 to 43% in FY17; the share with no encryption strategy fell from 38% to 13% over the same period.
Certain countries have more mature encryption strategies. According to Figure 3, the prevalence of an enterprise encryption strategy varies among the countries represented in this research. The highest prevalence of an enterprise encryption strategy is reported in Germany followed by the United States, the United Kingdom and Japan. Respondents in Mexico, Russian Federation, Arabia, Brazil and Australia report the lowest adoption of an enterprise encryption strategy.
Figure 4 shows that the IT operations function has been the most influential in framing an organization’s encryption strategy over the past 13 years. However, in the United States, Australia and Mexico, lines of business are more influential, and in those three countries IT security and IT operations have a similar level of influence.
A possible reason why the lines of business are more influential than IT security is because of the growing adoption of Internet of Things (IoT) devices in the workplace, proliferation of employee-owned devices or BYOD and the general consumerization of IT. A consequence is that lines of business are required to be more accountable for the security of these technologies.
Figure 3. Differences in enterprise encryption strategies by country. Percentage of respondents answering “We have an overall encryption plan or strategy that is applied consistently across the entire enterprise” for US, UK, DE, FR, AU, JP, BZ, RF, IN, MX, AB and KO, with the consolidated average at 43%; the highest value shown is 67%, reported for Germany. The remaining per-country bar values are not legible in this extraction.

Figure 4. Influence of IT operations, lines of business and security (country samples are consolidated). Series: lines of business, IT operations, security, for US, UK, DE, FR, AU, JP, BZ, RF, IN, MX, AB and KO. Per-country bar values are not legible in this extraction.
Trends in encryption adoption
The extensive use of encryption technologies increases. Since we began tracking the enterprise-wide use of encryption in 2005, there has been a steady increase in the encryption solutions extensively used by organizations.5
Figure 5 summarizes enterprise-wide usage consolidated for various encryption technologies over 13 years. This continuous growth in enterprise deployment suggests encryption is important to an organization’s security posture. Figure 5 also shows the percentage of the overall IT security budget dedicated to encryption-related activities.
The pattern for deployment and budget show a positive correlation through FY13 and inverse relationship through FY17. We postulate three reasons for this downward trend: (1) price pressure resulting from increased competition among vendors, (2) shifting priorities to other IT security solution areas and (3) more efficient use of presently available encryption tools.
The use of encryption increases in all industries. Figure 6 shows the current year and the six-year average in the use of encryption solutions for 10 industry sectors. Results suggest a steady increase in all industry sectors. The most significant increases in extensive encryption usage occur in healthcare & pharmaceutical, retail and financial services.
Figure 5. Trend on the extensive use of encryption technologies (country samples are consolidated), FY05 to FY17. Extensive deployment of encryption rose from 16% in FY05 to 43% in FY17; the share of the IT security budget earmarked for encryption moved from about 10% to 12% over the same period.
5 The combined sample used to analyze trends is explained in Appendix 1.
Figure 6. The extensive use of encryption by industry: current year versus 6-year average (country samples are consolidated; average of 13 encryption categories)

Industry                 6-year consolidation   FY17
Financial services       50%                    60%
Healthcare & pharma      42%                    55%
Services                 44%                    50%
Tech & software          42%                    49%
Retail                   31%                    42%
Transportation           39%                    41%
Public sector            30%                    39%
Hospitality              29%                    35%
Manufacturing            24%                    33%
Consumer products        26%                    27%
Threats, main drivers and priorities
Employee mistakes are the most significant threat to sensitive data. Figure 7 shows that the most significant threat to the exposure of sensitive or confidential data is employee mistakes.
In contrast, the least significant threats to the exposure of sensitive or confidential data include government eavesdropping and lawful data requests. Concerns over inadvertent exposure (employee mistakes and system malfunction) significantly outweigh concerns over actual attacks by temporary or contract workers and malicious insiders. It is interesting to note that the employee mistake threat is almost equal to the combined threat by both hackers and insiders.
Figure 7. The most salient threats to sensitive or confidential data (consolidated country samples; more than one choice permitted)

Threat                                  Percent
Employee mistakes                       47%
System or process malfunction           31%
Hackers                                 30%
Temporary or contract workers           22%
Malicious insiders                      22%
Third party service providers           19%
Government eavesdropping                17%
Lawful data request (e.g., by police)   12%
Figure 8. The main drivers for using encryption technology solutions (country samples are consolidated; three responses permitted)

Driver                                                                          Percent
To protect information against specific, identified threats                     54%
To protect enterprise intellectual property                                     52%
To protect customer personal information                                        50%
To comply with external privacy or data security regulations and requirements   49%
To limit liability from breaches or inadvertent disclosure                      32%
To reduce the scope of compliance audits                                        29%
To comply with internal policies                                                21%
To avoid public disclosure after a data breach occurs                           14%
The main driver for encryption is protection of information against identified threats. Eight drivers for deploying encryption are presented in Figure 8. Organizations are using encryption to protect information against specific, identified threats (54 percent of respondents). The most critical information is the enterprise’s intellectual property and the personal information of customers, (52 percent and 50 percent of respondents, respectively).
This marks the first year that compliance with regulations has not been the top driver for encryption, indicating that encryption is less of a “checkbox” exercise and is now used to safeguard targeted critical information.
A barrier to a successful encryption strategy is the ability to discover where sensitive data resides in the organization. Figure 9 provides a list of six aspects that present challenges to the organization’s effective execution of its data encryption strategy in descending order of importance. Sixty-seven percent of respondents say discovering where sensitive data resides in the organization is the number one challenge. In addition, 44 percent of all respondents cite initially deploying encryption technology as a significant challenge. Thirty-four percent cite classifying which data to encrypt as difficult.
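A minimal version of the discovery step that tops Figure 9 is a content scanner that finds candidate payment card numbers and keeps only the ones that pass the Luhn check, so that ordinary digit runs such as order numbers and timestamps are not reported, and that masks what it does report so the scan output is not itself a new copy of the sensitive data. The Go program below is an added example for this page, not a tool from the report. The regular expression, the 13 to 19 digit range, the masking format and the sample lines (which use well-known payment test numbers) are all choices made for the illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding records one Luhn-valid card number candidate: where it was found,
// how long it is, and a masked rendering that is safe to put in a report.
type Finding struct {
	Line   int
	Digits int
	Masked string
}

// panCandidate matches 13 to 19 digits, optionally separated by single spaces
// or hyphens, delimited by word boundaries so longer digit runs are skipped.
var panCandidate = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)

// luhnValid implements the Luhn mod-10 check used by payment card numbers.
func luhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

func onlyDigits(s string) string {
	var b strings.Builder
	for _, r := range s {
		if r >= '0' && r <= '9' {
			b.WriteRune(r)
		}
	}
	return b.String()
}

// mask keeps the first six and last four digits (the usual PCI DSS display rule).
func mask(d string) string {
	return d[:6] + strings.Repeat("*", len(d)-10) + d[len(d)-4:]
}

// ScanText returns every candidate in text that passes the Luhn check,
// one Finding per hit, with 1-based line numbers.
func ScanText(text string) []Finding {
	var out []Finding
	for i, line := range strings.Split(text, "\n") {
		for _, m := range panCandidate.FindAllString(line, -1) {
			d := onlyDigits(m)
			if len(d) < 13 || len(d) > 19 || !luhnValid(d) {
				continue // order IDs, timestamps and random digit runs mostly fail here
			}
			out = append(out, Finding{Line: i + 1, Digits: len(d), Masked: mask(d)})
		}
	}
	return out
}

// sample is constructed input; the card numbers are well-known test numbers.
const sample = `2018-01-15 order=9876543210 customer=alice card=4111 1111 1111 1111
2018-01-15 note: contact 555-0100, ref 1234-5678-9012-3456
2018-01-16 export row: 5555555555554444,approved`

func main() {
	for _, f := range ScanText(sample) {
		fmt.Printf("line %d: %d-digit PAN %s\n", f.Line, f.Digits, f.Masked)
	}
}
```

On the constructed sample the scanner reports the Visa and Mastercard test numbers on lines 1 and 3 and ignores the 10-digit order number, the phone number and the 16-digit reference on line 2, which fails Luhn. The same shape (a broad pattern followed by a format-specific validator, then masking) carries over to other data types in Figure 12, such as national identifiers or bank account numbers, each with its own check digit rule.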
Deployment choices
No single encryption technology dominates in organizations. We asked respondents to indicate if specific encryption technologies are widely or only partially deployed within their organizations. “Extensive deployment” means that the encryption technology is deployed enterprise-wide. “Partial deployment” means the encryption technology is confined or limited to a specific purpose (a.k.a. point solution).
As shown in Figure 10, no single technology dominates because organizations have very diverse needs. Internet communications, databases and laptop hard drives are the most likely to be encrypted and correspond to mature use cases. Encryption extensively used with public cloud services grew significantly year-over-year (11 percent).
For the first time, the study tracked the deployment of encryption on IoT devices and platforms. As shown, 49 percent of respondents say IoT encryption has been at least partially deployed for devices and platforms.
Figure 9. Biggest challenges in planning and executing a data encryption strategy (country samples are consolidated; more than one choice permitted)

Challenge                                                          Percent
Discovering where sensitive data resides in the organization       67%
Initially deploying the encryption technology                      44%
Classifying which data to encrypt                                  34%
Ongoing management of encryption and keys                          29%
Training users to use encryption appropriately                     13%
Determining which encryption technologies are most effective       13%
Figure 10. Consolidated view on the use of 15 encryption technologies (country samples are consolidated; extensively deployed versus partially deployed)

Technology                             Extensively deployed
Internet communications (e.g., SSL)    63%
Databases                              58%
Laptop hard drives                     54%
Backup and archives                    48%
Internal networks (e.g., VPN/LPN)      43%
Data center storage                    43%
Cloud gateway                          39%
Public cloud services                  38%
File systems                           38%
Private cloud infrastructure           34%
Big data repositories                  28%
Internet of Things (IoT) devices       26%
Internet of Things (IoT) platforms     25%
Docker containers                      20%

The partially-deployed percentages in the chart cannot be matched to technologies in this extraction; the text reports 49% extensive or partial deployment for IoT devices and for IoT platforms.

“ENCRYPTION EXTENSIVELY USED WITH PUBLIC CLOUD SERVICES GREW SIGNIFICANTLY YEAR-OVER-YEAR (11%).”
Encryption features considered most important
Certain encryption features are considered more critical than others. Figure 11 lists encryption technology features. Respondents were asked to rate the features most important to their organization’s security posture on a four-point scale; each percentage combines the very important and important responses.
According to consolidated findings, system performance and latency, enforcement of policy and support for both cloud and on-premise deployment are the three most important features. The performance finding is not surprising given that encryption in networking is a prominent use case, as well as the often emphasized requirement for transparency of encryption solutions.
Support for both cloud and on-premise deployment has risen in importance as organizations have increasingly embraced cloud computing and look for consistency across computing styles. In fact, the top findings in this area all correspond to features considered important for cloud solutions.
Figure 11. Most important features of encryption technology solutions (country samples are consolidated; very important and important responses combined)

Feature                                                                 FY16   FY17
System performance and latency                                          78%    74%
Enforcement of policy                                                   71%    72%
Support for cloud and on-premise deployment                             69%    71%
System scalability                                                      66%    68%
Management of keys                                                      68%    68%
Integration with other security tools (e.g., SIEM and ID management)    64%    64%
Support for emerging algorithms (e.g., ECC)                             65%    59%
Formal product security certifications (e.g., FIPS 140)                 56%    56%
Separation of duties and role-based controls                            54%    54%
Support for multiple applications or environments                       55%    52%
Tamper resistance by dedicated hardware (e.g., HSM)                     55%    50%
Support for regional segregation (e.g., data residency)                 43%    44%
Which data types are most often encrypted? Figure 12 provides a list of seven data types that are routinely encrypted by respondents’ organizations. As can be seen, payment related data and human resource data are most likely to be encrypted – the latter of which emphasizes the fact that encryption has now moved into the realm where it needs to be addressed by companies of all types.
The least likely data type to be encrypted is health-related information, which is a surprising result given the sensitivity of health information and the recent high profile healthcare data breaches. Healthcare information had the largest increase on this list over last year.
Attitudes about key management
How painful is key management? Using a 10-point scale, respondents were asked to rate the overall “pain” associated with managing keys within their organization, where 1 = minimal impact to 10 = severe impact. Figure 13 shows that 57 (24+33) percent of respondents in FY17 chose ratings at or above 7; thus, suggesting a fairly high pain threshold.
Figure 12. Data types routinely encrypted (country samples are consolidated; more than one choice permitted)

Data type                            FY16   FY17
Payment related data                 54%    56%
Employee/HR data                     61%    53%
Intellectual property                47%    52%
Financial records                    49%    50%
Customer information                 40%    43%
Healthcare information               19%    26%
Non-financial business information   32%    26%

Figure 13. Rating on the overall impact, risk and cost associated with managing keys (country samples are consolidated; 10-point scale, 1 = minimal impact, 10 = severe impact)

Rating     FY15   FY16   FY17
1 or 2     9%     8%     9%
3 or 4     16%    13%    12%
5 or 6     22%    19%    22%
7 or 8     23%    23%    24%
9 or 10    30%    36%    33%
Figure 14 shows the 7+ ratings on a 10-point scale for each country. As can be seen, the average percentage in all country samples is 57 percent, which suggests respondents view managing keys as a very challenging activity. The highest percentage pain threshold of 65 percent occurs in India. At 33 percent, the lowest pain level occurs in Russia.
Figure 14. Percentage “pain threshold” by country (percentage giving a 7 to 10 rating on a 10-point scale) for US, UK, DE, FR, AU, JP, BZ, RF, IN, MX, AB and KO. Consolidated average 57%; highest 65% (India); lowest 33% (Russia). The remaining per-country values are not legible in this extraction.

Figure 15. What makes the management of keys so painful? (country samples are consolidated; more than one choice permitted)

Reason                                                   Percent
No clear ownership                                       59%
Lack of skilled personnel                                57%
Systems are isolated and fragmented                      56%
Key management tools are inadequate                      46%
Insufficient resources (time/money)                      33%
No clear understanding of requirements                   23%
Technology and standards are immature                    14%
Manual processes are prone to errors and unreliable      11%
Why is key management painful? Figure 15 shows the reasons why the management of keys is so difficult. The top three reasons are: (1) no clear ownership of the key management function, (2) lack of skilled personnel and (3) isolated or fragmented key management systems.
Which keys are most difficult to manage? Moving into the top position on this list for the first time this year, keys for external cloud or hosted services rank as the most difficult keys to manage. As shown in Figure 16, they are followed by SSH keys, signing keys, and keys for SSL/TLS. The least difficult include: (1) encryption keys for archived data, (2) encryption keys for backups and storage and (3) embedded device keys.
Figure 16. Types of keys most difficult to manage (country samples are consolidated; very painful and painful responses)

Key type                                                                                   Percent
Keys for external cloud or hosted services, including Bring Your Own Key (BYOK) keys       59%
SSH keys                                                                                   55%
Signing keys (e.g., code signing, digital signatures)                                      51%
Keys associated with SSL/TLS                                                               46%
End user encryption keys (e.g., email, full disk encryption)                               39%
Payments-related keys (e.g., ATM, POS, etc.)                                               38%
Encryption keys for archived data                                                          33%
Encryption keys for backups and storage                                                    21%
Keys to embed into devices (e.g., at the time of manufacture in device production
  environments, or for IoT devices you use)                                                17%

Figure 17. What key management systems does your organization presently use? (country samples are consolidated; more than one choice permitted)

System                                              Percent
Manual process (e.g., spreadsheet, paper-based)     49%
Formal key management policy (KMP)                  49%
Formal key management infrastructure (KMI)          36%
Central key management system/server                33%
Removable media (e.g., thumb drive, CDROM)          32%
Hardware security modules                           26%
Smart cards                                         24%
Software-based key stores and wallets               17%
As shown in Figure 17, respondents’ companies continue to use a variety of key management systems. The most commonly deployed systems include: (1) manual process, (2) formal key management policy (KMP) and (3) formal key management infrastructure (KMI).
Importance of hardware security modules (HSMs)
Germany, United States and Japan organizations are more likely to deploy HSMs. Figure 18 summarizes the percentage of respondents that deploy HSMs. Germany, United States and Japan are more likely to deploy HSMs than other countries. The overall average deployment rate for HSMs is 41 percent.
Figure 18. Deployment of HSMs (“Does your organization use HSMs?”) for US, UK, DE, FR, AU, JP, BZ, RF, IN, MX, AB and KO, with the consolidated average at 41%. Per-country values are not legible in this extraction.

Figure 19. HSM deployment rate over six years (country samples are consolidated)

FY12   FY13   FY14   FY15   FY16   FY17
26%    29%    33%    34%    38%    41%
Deployment of HSMs increases steadily. Figure 19 shows a six-year trend for HSMs. As can be seen, the rate of global HSM deployment has steadily increased.
Overall HSM use grew to 41%, the highest level ever. Germany, the US and Japan report the highest HSM usage rates.
How HSMs in conjunction with public cloud-based applications are primarily deployed today and in the next 12 months. As shown in Figure 20, almost half (47 percent of respondents) own and operate HSMs on-premise for cloud-based applications, and 36 percent of respondents rent/use HSMs from a public cloud provider for the same purpose. In the next 12 months, both figures are expected to increase, by 6 and 5 percentage points respectively. Interestingly, the use of HSMs with Cloud Access Security Brokers is expected to double in the next 12 months.
Figure 20. Use of HSMs in conjunction with public cloud-based applications today and in the next 12 months
(models used today / models planned for the next 12 months)
47% / 53%  Own and operate HSMs on-premise at the organization, accessed real-time by cloud-hosted applications
36% / 41%  Rent/use HSMs from public cloud provider, hosted in the cloud
17% / 24%  Own and operate HSMs for the purpose of generating and managing BYOK (Bring Your Own Key) keys to send to the cloud for use by the cloud provider
12% / 24%  Own and operate HSMs that integrate with a Cloud Access Security Broker to manage keys and cryptographic operations (e.g., encrypting data on the way to the cloud, managing keys for cloud applications)
1% / 1%    None of the above
Figure 21. Perceived importance of HSMs as part of encryption or key management (very important & important responses combined)
How important are HSMs to your encryption or key management strategy? (bar chart by country: US, UK, DE, FR, AU, JP, BZ, RF, IN, MX, AB, KO, plus the consolidated average of 57%)
Figure 21 summarizes the percentage of respondents in 12 countries that rate HSMs as either very important or important to their organization’s encryption or key management program or activities. The overall average importance rating in the current year is 57 percent. The pattern of responses suggests Germany, India, the United States and Japan are most likely to assign importance to HSMs as part of their organization’s encryption or key management activities.
Figure 22 shows a six-year trend in the importance of HSMs for encryption or key management, which has steadily increased over time.
Figure 22. Perceived importance of HSMs as part of encryption or key management over six years (country samples are consolidated)
FY12 33%, FY13 39%, FY14 48%, FY15 49%, FY16 55%, FY17 57%
Figure 23. Which statement best describes how your organization uses HSMs?
61%  We have a centralized team that provides cryptography as a service (including HSMs) to multiple applications/teams within our organization (i.e., private cloud model)
39%  Each individual application owner/team is responsible for their own cryptographic services (including HSMs) (i.e., traditional siloed, application-specific data center deployment)
What best describes an organization’s use of HSMs? As shown in Figure 23, 61 percent of respondents say their organization has a centralized team that provides cryptography as a service (including HSMs) to multiple applications/teams within their organization (i.e., private cloud model). Thirty-nine percent say each individual application owner/team is responsible for their own cryptographic services (including HSMs), indicative of the more traditional siloed application-specific data center deployment approach.
“61 PERCENT OF RESPONDENTS SAY THEIR ORGANIZATION HAS A CENTRALIZED TEAM THAT PROVIDES CRYPTOGRAPHY AS A SERVICE (INCLUDING HSMs).”
What are the primary purposes or uses for HSMs? Figure 24 summarizes the primary purpose or use cases for deploying HSMs. As can be seen, the two top choices are SSL/TLS and application-level encryption, followed by database encryption. This chart shows a relatively small difference between today’s HSM use and that of 12 months from now.
The most significant increases predicted for the next 12 months, according to respondents, are SSL/TLS, database encryption and payment transaction processing. It is significant to note that HSM use for SSL/TLS will soon be deployed in 50 percent of the organizations represented in this study.
Figure 24. How HSMs are deployed or planned to be deployed in the next 12 months (country samples are consolidated; more than one choice permitted)
(HSMs used today / HSMs to be deployed in the next 12 months)
43% / 50%  SSL/TLS
41% / 40%  Application level encryption
37% / 44%  Database encryption
32% / 32%  Public cloud encryption including for Bring Your Own Key (BYOK)
30% / 33%  PKI or credential management
29% / 35%  Payment transaction processing including P2PE
26% / 29%  Payment credential provisioning (e.g., mobile, IoT)
26% / 22%  Private cloud encryption
25% / 28%  Payment service provider interface (e.g., TSP, real-time payments, Open API)
25% / 30%  Payment credential issuing (e.g., mobile, EMV)
20% / 21%  Blockchain applications (e.g., cryptocurrency, financial transfer)
19% / 21%  With Cloud Access Security Brokers (CASBs) for encryption key management
12% / 14%  Document signing (e.g., electronic invoicing)
12% / 13%  Internet of Things (IoT) root of trust
12% / 7%   Big data encryption
7% / 8%    Code signing
3% / 2%    Other
10% / 12%  None of the above
Budget allocations
The percentages below are calculated from the responses to survey questions about resource allocations to IT security, data protection, encryption, and key management. These calculated values are estimates of the current state and we do not make any predictions about the future state of budget funding or spending.
Figure 25 reports the average percentage of IT security spending relative to total IT spending over the last 13 years. As shown, the trend appears to be upward sloping, which suggests the proportion of IT spending dedicated to security activities including encryption is increasing over time.
Figure 26 reports the percentage of the IT security budget dedicated to encryption. Spending on encryption has declined since 2014.
Figure 25. Trend in the percent of IT security spending relative to the total IT budget (country samples are consolidated)
Percentage of IT security spending relative to the total IT budget, average, FY05 through FY17 (line chart; plotted values range from 7.2% to 10.6%, with 10.6% in FY17)
Figure 26. Trend in the percentage of IT security spending dedicated to encryption activities (country samples are consolidated)
FY14 15.7%, FY15 14%, FY16 14.4%, FY17 12.3%
Cloud encryption
According to Figure 27, 61 percent of respondents say their organizations transfer sensitive or confidential data to the cloud whether or not it is encrypted or made unreadable via some other mechanism such as tokenization or data masking. Another 21 percent of respondents expect to do so in the next one to two years. These findings indicate the benefits of cloud computing outweigh the risks associated with transferring sensitive or confidential data to the cloud.
According to Figure 28, with respect to the transfer of sensitive or confidential data to the cloud, Germany, United States, Japan, India and Korea are more frequently transferring sensitive data to the cloud.
Figure 27. Do you currently transfer sensitive or confidential data to the cloud? (country samples are consolidated)
61%  Yes, we are presently doing so
21%  No, but we are likely to do so in the next 12 to 24 months
17%  No
Figure 28. Organizations that transfer sensitive or confidential data to the cloud by country
Yes, we are presently doing so (bar chart by country: US, UK, DE, FR, AU, JP, BZ, RF, IN, MX, AB, KO, plus the consolidated average)
Encryption in public cloud services grew from 28% to 39% in 2017 – 11% is the highest year-over-year growth of any encryption use case.
What are the top three encryption features specifically for the cloud? The top three features are support for the KMIP standard for key management (66 percent of respondents), SIEM integration, visualization and analysis of logs (62 percent of respondents) and granular access controls (60 percent of respondents).
Figure 30. How important are the following features associated with cloud encryption to your organization? (very important and important responses combined)
66%  Support for the KMIP standard for key management
62%  SIEM integration, visualization and analysis of logs
60%  Granular access controls
57%  Audit logs identifying key usage
51%  Privileged user access control
49%  Bring Your Own Key (BYOK) management support
47%  Ability to encrypt and rekey data while in use without downtime
39%  Audit logs identifying data access attempts
34%  Support for FIPS 140-2 compliant key management
Figure 29. How does your organization protect data at rest in the cloud? (country samples are consolidated; more than one choice permitted)
47%  Encryption performed on-premise prior to sending data to the cloud using keys my organization generates and manages
38%  Encryption performed in the cloud using keys generated/managed by the cloud provider
21%  Encryption performed in the cloud using keys my organization generates and manages on-premise
13%  Tokenization performed by the cloud provider
12%  Tokenization performed on-premise prior to sending data to the cloud
5%   None of the above
How do organizations protect data at rest in the cloud? As shown in Figure 29, 47 percent of respondents say encryption is performed on-premise prior to sending data to the cloud using keys their organization generates and manages. However, 38 percent of respondents perform encryption in the cloud, with cloud provider generated/managed keys. Twenty-one percent of respondents are using some form of Bring Your Own Key (BYOK) approach.
Table 1. Survey response in 12 countries
Legend  Country             Sampling frame  Final sample  Response rate
AB      Arabian Cluster     9,466           308           3.3%
AU      Australia           7,290           315           4.3%
BZ      Brazil              13,200          507           3.8%
DE      Germany             14,505          543           3.7%
FR      France              12,650          370           2.9%
IN      India               16,873          582           3.4%
JP      Japan               14,013          468           3.3%
KO      Korea               11,257          317           2.8%
MX      Mexico              11,300          468           4.1%
RF      Russian Federation  6,319           196           3.1%
UK      United Kingdom      13,001          468           3.6%
US      United States       21,460          710           3.3%
        Consolidated        151,334         5,252         3.5%
APPENDIX 1. METHODS & LIMITATIONS
Table 1 reports the sample response for 12 separate country samples. Sampling for this study was conducted over a 49-day period ending in January 2018. Our consolidated sampling frame of practitioners in all countries consisted of 151,334 individuals who have bona fide credentials in IT or security fields. From this sampling frame, we captured 5,861 returns, of which 609 were rejected for reliability issues. Our final consolidated 2017 sample was 5,252, resulting in an overall 3.5% response rate.
The first encryption trends study was conducted in the United States in 2005. Since then we have expanded the scope of the research to include 12 separate country samples. Trend analysis was performed on combined country samples. As noted before, we added Korea to this year’s study.
Table 2. Sample history over 12 years
Legend  FY17   FY16   FY15   FY14   FY13   FY12   FY11   FY10   FY09   FY08   FY07   FY06
AB      308    316    368    0      0      0      0      0      0      0      0      0
AU      315    331    334    359    414    938    471    477    482    405    0      0
BZ      507    463    460    472    530    637    525    0      0      0      0      0
DE      543    531    563    564    602    499    526    465    490    453    449    0
FR      370    345    344    375    478    584    511    419    414    0      0      0
IN      582    548    578    532    0      0      0      0      0      0      0      0
JP      468    450    487    476    521    466    544    0      0      0      0      0
KO      317    0      0      0      0      0      0      0      0      0      0      0
MX      468    451    429    445    0      0      0      0      0      0      0      0
RF      196    206    201    193    201    0      0      0      0      0      0      0
UK      468    460    487    509    637    550    651    622    615    638    541    489
US      710    701    758    789    892    531    912    964    997    975    768    918
Total   5,252  4,802  5,009  4,714  4,275  4,205  4,140  2,947  2,998  2,471  1,758  1,407
Table 2 summarizes our survey samples for 12 countries over a 12-year period.
Figure 31 reports the respondents’ organizational level within participating organizations. By design, 56 percent of respondents are at or above the supervisory level.
Figure 32 identifies the organizational location of respondents in our study. Over half of respondents (55 percent) are located within IT operations, followed by security (20 percent of respondents) and the lines of business (12 percent of respondents).
Figure 31. Distribution of respondents according to position level (country samples are consolidated)
2%   Senior Executive
3%   Vice President
17%  Director
34%  Manager/Supervisor
41%  Associate/Staff/Technician
3%   Other
Figure 32. Distribution of respondents according to organizational location (country samples are consolidated)
55%  IT operations
20%  Security
12%  Lines of business (LOB)
7%   Compliance
3%   Finance
3%   Other
Figure 33 reports the industry classification of respondents’ organizations. Fifteen percent of respondents are located in the financial services industry, which includes banking, investment management, insurance, brokerage, payments and credit cards. Twelve percent of respondents are located in manufacturing and industrial organizations and 11 percent of respondents are in service organizations. Another nine percent are located in the public sector, including central and local government.
According to Figure 34, the majority of respondents (63 percent) are located in larger-sized organizations with a global headcount of more than 1,000 employees.
Figure 33. Distribution of respondents according to primary industry classification (country samples are consolidated)
15%  Financial services
12%  Manufacturing & industrial
11%  Services
9%   Public sector
9%   Technology & software
8%   Health & pharmaceutical
8%   Retail
7%   Energy & utilities
4%   Consumer products
3%   Education & research
3%   Hospitality
3%   Transportation
2%   Communications
2%   Entertainment & media
4%   Other
Figure 34. Distribution of respondents according to organizational headcount (country samples are consolidated)
13%  Less than 500
24%  500 to 1,000
31%  1,001 to 5,000
20%  5,001 to 25,000
8%   25,001 to 75,000
4%   More than 75,000
Limitations
There are inherent limitations to survey research that need to be carefully considered before drawing inferences from the presented findings. The following items are specific limitations that are germane to most survey-based research studies.
• Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of IT and IT security practitioners in 12 countries, resulting in a large number of usable returned responses. Despite non-response tests, it is always possible that individuals who did not participate are substantially different in terms of underlying beliefs from those who completed the survey.
• Sampling-frame bias: The accuracy of survey results is dependent upon the degree to which our sampling frames are representative of individuals who are IT or IT security practitioners within the sample of 12 countries selected.
• Self-reported results: The quality of survey research is based on the integrity of confidential responses received from respondents. While certain checks and balances were incorporated into our survey evaluation process including sanity checks, there is always the possibility that some respondents did not provide truthful responses.
APPENDIX 2. SURVEY DATA TABLES
The following tables provide the consolidated results for 12 country samples.
Survey response
151,334  Sampling frame
5,861    Total returns
609      Rejected or screened surveys
5,252    Final sample
3.5%     Response rate
Part 1. Encryption Posture
Q1. Please select one statement that best describes your organization’s approach to encryption implementation across the enterprise.
43%   We have an overall encryption plan or strategy that is applied consistently across the entire enterprise
44%   We have a limited encryption plan or strategy that is applied to certain applications and data types
13%   We don’t have an encryption plan or strategy
100%  Total
Q2. Following are areas where encryption technologies can be deployed. Please check those areas where encryption is extensively deployed, partially deployed or not as yet deployed by your organization.
Q2a-1. Backup and archives
54%   Extensively deployed
26%   Partially deployed
20%   Not deployed
100%  Total
Q2b-1. Big data repositories
28%   Extensively deployed
24%   Partially deployed
48%   Not deployed
100%  Total
Q2c-1. Cloud gateway
43%   Extensively deployed
30%   Partially deployed
27%   Not deployed
100%  Total
Q2d-1. Data center storage
43%   Extensively deployed
30%   Partially deployed
27%   Not deployed
100%  Total
Q2e-1. Databases
63%   Extensively deployed
24%   Partially deployed
13%   Not deployed
100%  Total
Q2f-1. Docker containers
20%   Extensively deployed
29%   Partially deployed
51%   Not deployed
100%  Total
Q2g-1. Email
38%   Extensively deployed
35%   Partially deployed
27%   Not deployed
100%  Total
Q2h-1. Public cloud services
39%   Extensively deployed
35%   Partially deployed
27%   Not deployed
100%  Total
Q2i-1. File systems
38%   Extensively deployed
31%   Partially deployed
31%   Not deployed
100%  Total
Q2j-1. Internet communications (e.g., SSL)
63%   Extensively deployed
25%   Partially deployed
12%   Not deployed
100%  Total
Q2k-1. Internal networks (e.g., VPN/LPN)
48%   Extensively deployed
33%   Partially deployed
19%   Not deployed
100%  Total
Q2l-1. Laptop hard drives
58%   Extensively deployed
22%   Partially deployed
20%   Not deployed
100%  Total
Q2m-1. Private cloud infrastructure
34%   Extensively deployed
29%   Partially deployed
36%   Not deployed
100%  Total
Q2n-1. Internet of things (IoT) devices
26%   Extensively deployed
23%   Partially deployed
51%   Not deployed
100%  Total
Q2o-1. Internet of things (IoT) platforms
25%   Extensively deployed
24%   Partially deployed
51%   Not deployed
100%  Total
Q3. Who is most influential in directing your organization’s encryption strategy? Please select one best choice.
33%   IT operations
17%   Security
2%    Compliance
25%   Lines of business (LOB) or general management
22%   No single function has responsibility
100%  Total
Q4. What are the reasons why your organization encrypts sensitive and confidential data? Please select the top three reasons.
52%   To protect enterprise intellectual property
50%   To protect customer personal information
32%   To limit liability from breaches or inadvertent disclosure
14%   To avoid public disclosure after a data breach occurs
54%   To protect information against specific, identified threats
21%   To comply with internal policies
49%   To comply with external privacy or data security regulations and requirements
29%   To reduce the scope of compliance audits
300%  Total
Q5. What are the biggest challenges in planning and executing a data encryption strategy? Please select the top two reasons.
67%   Discovering where sensitive data resides in the organization
34%   Classifying which data to encrypt
13%   Determining which encryption technologies are most effective
44%   Initially deploying the encryption technology
29%   Ongoing management of encryption and keys
13%   Training users to use encryption appropriately
200%  Total
Q6. How important are the following features associated with encryption solutions that may be used by your organization? Very important and important responses combined.
72%  Enforcement of policy
68%  Management of keys
52%  Support for multiple applications or environments
54%  Separation of duties and role-based controls
68%  System scalability
50%  Tamper resistance by dedicated hardware (e.g., HSM)
64%  Integration with other security tools (e.g., SIEM and ID management)
44%  Support for regional segregation (e.g., data residency)
78%  System performance and latency
59%  Support for emerging algorithms (e.g., ECC)
71%  Support for cloud and on-premise deployment
56%  Formal product security certifications (e.g., FIPS 140)
Q7. What types of data does your organization encrypt? Please select all that apply.
43%  Customer information
26%  Non-financial business information
52%  Intellectual property
50%  Financial records
53%  Employee/HR data
54%  Payment related data
26%  Healthcare information
Q8. What are the main threats that might result in the exposure of sensitive or confidential data? Please select the top two choices.
30%   Hackers
22%   Malicious insiders
31%   System or process malfunction
47%   Employee mistakes
22%   Temporary or contract workers
19%   Third party service providers
12%   Lawful data request (e.g., by police)
17%   Government eavesdropping
200%  Total
Part 2. Key Management
Q9. Please rate the overall “pain” associated with managing keys or certificates within your organization, where 1 = minimal impact to 10 = severe impact.
9%    1 or 2
12%   3 or 4
22%   5 or 6
24%   7 or 8
33%   9 or 10
100%  Total
Q10. What makes the management of keys so painful? Please select the top three reasons.
59%   No clear ownership
33%   Insufficient resources (time/money)
57%   Lack of skilled personnel
23%   No clear understanding of requirements
46%   Key management tools are inadequate
56%   Systems are isolated and fragmented
14%   Technology and standards are immature
11%   Manual processes are prone to errors and unreliable
300%  Total
Q11. Following are a wide variety of keys that may be managed by your organization. Please rate the overall “pain” associated with managing each type of key. Very painful and painful responses combined.
21%  Encryption keys for backups and storage
33%  Encryption keys for archived data
46%  Keys associated with SSL/TLS
55%  SSH keys
39%  End user encryption keys (e.g., email, full disk encryption)
51%  Signing keys (e.g., code signing, digital signatures)
38%  Payments-related keys (e.g., ATM, POS, etc.)
17%  Keys to embed into devices (e.g., at the time of manufacture in device production environments, or for IoT devices you use)
59%  Keys for external cloud or hosted services including Bring Your Own Key (BYOK) keys
Q12a. What key management systems does your organization presently use?
49%   Formal key management policy (KMP)
36%   Formal key management infrastructure (KMI)
49%   Manual process (e.g., spreadsheet, paper-based)
33%   Central key management system/server
26%   Hardware security modules
32%   Removable media (e.g., thumb drive, CDROM)
17%   Software-based key stores and wallets
24%   Smart cards
267%  Total
Q12b. What key management systems does your organization presently not use, or is it not aware of using?
36%   Formal key management policy (KMP)
43%   Formal key management infrastructure (KMI)
34%   Manual process (e.g., spreadsheet, paper-based)
45%   Central key management system/server
52%   Hardware security modules
52%   Removable media (e.g., thumb drive, CDROM)
61%   Software-based key stores and wallets
58%   Smart cards
381%  Total
Part 3. Hardware Security Modules
Q13. What best describes your level of knowledge about HSMs?
29%   Very knowledgeable
30%   Knowledgeable
20%   Somewhat knowledgeable
21%   No knowledge (skip to Q17a)
100%  Total
Q14a. Does your organization use HSMs?
41%   Yes
59%   No (skip to Q17a)
100%  Total
Q14b. For what purpose does your organization presently deploy or plan to use HSMs? Please select all that apply.
Q14b-1. HSMs used today
41%   Application level encryption
37%   Database encryption
12%   Big data encryption
32%   Public cloud encryption including for Bring Your Own Key (BYOK)
26%   Private cloud encryption
43%   SSL/TLS
30%   PKI or credential management
12%   Internet of Things (IoT) root of trust
12%   Document signing (e.g., electronic invoicing)
7%    Code signing
29%   Payment transaction processing including P2PE
25%   Payment credential issuing (e.g., mobile, EMV)
26%   Payment credential provisioning (e.g., mobile, IoT)
25%   Payment service provider interface (e.g., TSP, real-time payments, Open API)
19%   With Cloud Access Security Brokers (CASBs) for encryption key management
20%   Blockchain applications (e.g., cryptocurrency, financial transfer)
10%   None of the above
3%    Other
409%  Total
Q14b-2. HSMs planned to be deployed in the next 12 months
40%   Application level encryption
44%   Database encryption
7%    Big data encryption
32%   Public cloud encryption including for Bring Your Own Key (BYOK)
22%   Private cloud encryption
50%   SSL/TLS
33%   PKI or credential management
13%   Internet of Things (IoT) root of trust
14%   Document signing (e.g., electronic invoicing)
8%    Code signing
35%   Payment transaction processing
30%   Payment credential issuing (e.g., mobile, EMV)
29%   Payment credential provisioning (e.g., mobile, IoT)
28%   Payment service provider interface (e.g., TSP, real-time payments, Open API)
21%   With Cloud Access Security Brokers (CASBs) for encryption key management
21%   Blockchain applications (e.g., cryptocurrency, financial transfer)
12%   None of the above
2%    Other
441%  Total
Q14c-1. If you use HSMs in conjunction with public cloud based applications, what models do you use today? Please select all that apply.
36%   Rent/use HSMs from public cloud provider, hosted in the cloud
47%   Own and operate HSMs on-premise at your organization, accessed real-time by cloud-hosted applications
17%   Own and operate HSMs for the purpose of generating and managing BYOK (Bring Your Own Key) keys to send to the cloud for use by the cloud provider
12%   Own and operate HSMs that integrate with a Cloud Access Security Broker to manage keys and cryptographic operations (e.g., encrypting data on the way to the cloud, managing keys for cloud applications)
1%    None of the above
113%  Total
Q14c-2. If you use HSMs in conjunction with public cloud based applications, what models do you plan to use in the next 12 months? Please select all that apply.
41%   Rent/use HSMs from public cloud provider, hosted in the cloud
53%   Own and operate HSMs on-premise at your organization, accessed real-time by cloud-hosted applications
24%   Own and operate HSMs for the purpose of generating and managing BYOK (Bring Your Own Key) keys to send to the cloud for use by the cloud provider
24%   Own and operate HSMs that integrate with a Cloud Access Security Broker to manage keys and cryptographic operations (e.g., encrypting data on the way to the cloud, managing keys for cloud applications)
1%    None of the above
143%  Total
Q15. In your opinion, how important are HSMs to your encryption or key management strategy? Very important and important responses combined.
57%  Q15a. Importance today
65%  Q15b. Importance in the next 12 months
Q16. Which statement best describes how your organization uses HSMs?
61%   We have a centralized team that provides cryptography as a service (including HSMs) to multiple applications/teams within our organization (i.e., private cloud model).
39%   Each individual application owner/team is responsible for their own cryptographic services (including HSMs) (i.e., traditional siloed, application-specific data center deployment).
100%  Total
Part 4. Budget Questions
Q17a. Are you responsible for managing all or part of your organization’s IT budget this year?
53%   Yes
47%   No (skip to Q18)
100%  Total
Q17b. Approximately, what percentage of the 2017 IT budget will go to IT security activities?
10.6%  FY2017
Q17c. Approximately, what percentage of the 2017 IT security budget will go to encryption activities?
12.3%  FY2017
Part 6: Cloud encryption. When responding to the following questions, please assume they refer only to public cloud services.
Q35a. Does your organization currently use cloud computing services for any class of data or application – both sensitive and non-sensitive?
64%   Yes, we are presently doing so
20%   No, but we are likely to do so in the next 12 to 24 months
16%   No (Go to Part 7 if you do not use cloud services for any class of data or application)
100%  Total
Q35b. Do you currently transfer sensitive or confidential data to the cloud (whether or not it is encrypted or made unreadable via some other mechanism)?
61%   Yes, we are presently doing so
21%   No, but we are likely to do so in the next 12 to 24 months
17%   No (Go to Part 7 if you do not use or plan to use any cloud services for sensitive or confidential data)
100%  Total
Q35c. In your opinion, who is most responsible for protecting sensitive or confidential data transferred to the cloud?
49%   The cloud provider
21%   The cloud user
31%   Shared responsibility
100%  Total
Q35d. How does your organization protect data at rest in the cloud?
38%   Encryption performed in the cloud using keys generated/managed by the cloud provider
21%   Encryption performed in the cloud using keys my organization generates and manages on-premise
47%   Encryption performed on-premise prior to sending data to the cloud using keys my organization generates and manages
13%   Tokenization performed by the cloud provider
12%   Tokenization performed on-premise prior to sending data to the cloud
5%    None of the above
136%  Total
Q35e. For encryption of data at rest in the cloud, my organization’s strategy is to…
42%   Only use keys controlled by my organization
19%   Only use keys controlled by the cloud provider
19%   Use a combination of keys controlled by my organization and by the cloud provider, with a preference for keys controlled by my organization
20%   Use a combination of keys controlled by my organization and by the cloud provider, with a preference for keys controlled by the cloud provider
100%  Total
Q35f. How important are the following features associated with cloud encryption to your organization? Very important and important responses combined.
49%  Bring Your Own Key (BYOK) management support
51%  Privileged user access control
60%  Granular access controls
57%  Audit logs identifying key usage
39%  Audit logs identifying data access attempts
62%  SIEM integration, visualization and analysis of logs
34%  Support for FIPS 140-2 compliant key management
66%  Support for the KMIP standard for key management
47%  Ability to encrypt and rekey data while in use without downtime
Q35g-1. How many public cloud providers does your organization use today?
39%   1
21%   2
14%   3
26%   4 or more
100%  Total
Q35g-2. How many public cloud providers does your organization plan to use in the next 12 to 24 months?
29%   1
21%   2
15%   3
35%   4 or more
100%  Total
Part 7: Role and organizational characteristics
D1. What organizational level best describes your current position?
2%    Senior Executive
3%    Vice President
17%   Director
34%   Manager/Supervisor
41%   Associate/Staff/Technician
3%    Other
100%  Total
D2. Select the functional area that best describes your organizational location.
55%   IT operations
20%   Security
7%    Compliance
3%    Finance
12%   Lines of business (LOB)
3%    Other
100%  Total
D3. What industry best describes your organization’s industry focus?
1%    Agriculture & food services
2%    Communications
4%    Consumer products
0%    Defense & aerospace
3%    Education & research
7%    Energy & utilities
2%    Entertainment & media
15%   Financial services
8%    Health & pharmaceutical
3%    Hospitality
12%   Manufacturing & industrial
9%    Public sector
8%    Retail
11%   Services
9%    Technology & software
3%    Transportation
3%    Other
100%  Total
D4. What is the worldwide headcount of your organization?
13%   Less than 500
24%   500 to 1,000
31%   1,001 to 5,000
20%   5,001 to 25,000
8%    25,001 to 75,000
4%    More than 75,000
100%  Total
About Ponemon Institute
The Ponemon Institute© is dedicated to advancing responsible information and privacy management practices in business and government. To achieve this objective, the Institute conducts independent research, educates leaders from the private and public sectors and verifies the privacy and data protection practices of organizations in a variety of industries.
About nCipher Security
Today’s fast-moving digital environment enables enterprises to operate more efficiently, gain competitive advantage and serve customers better than ever before. It also multiplies the security risks.
nCipher Security empowers world-leading organizations by delivering trust, integrity and control to their business critical information and applications.
Our cryptographic solutions secure emerging technologies – cloud, IoT, blockchain, digital payments – and help meet new compliance mandates. Using the same proven technology that our customers depend on today to protect against threats to their sensitive data, network communications and enterprise infrastructure. We deliver trust for your business critical information and applications, ensuring the integrity of your data and putting you in complete control – today, tomorrow, and at all times.
To find out more how nCipher Security can deliver trust, integrity and control to your business critical information and applications, visit www.ncipher.com.
Platinum partner – Geobridge

Established in 1997, GEOBRIDGE emerged as one of the first information security solutions providers to support cryptography and payment applications for payment processors, financial institutions and retail organizations. Today, GEOBRIDGE is a leading information security solutions and compliance provider that provides Cryptography and Key Management, Payment Security, Compliance, and HSM Virtualization solutions and services to our clients. Our client list includes Fortune 500 companies, financial institutions, healthcare organizations and government clients across North America and around the globe. GEOBRIDGE leverages our team’s expertise in data protection, program development, enforcement and governance to help architect solutions to help mitigate risk for our clients.
Platinum partner – Venafi

Venafi is the cyber security market leader in machine identity protection, securing machine-to-machine connections and communications. Venafi protects machine identity types by orchestrating cryptographic keys and digital certificates for SSL/TLS, IoT, mobile and SSH. Venafi provides global visibility of machine identities and the risks associated with them for the extended enterprise – on premises, mobile, virtual, cloud and IoT – at machine speed and scale. Venafi puts this intelligence into action with automated remediation that reduces the security and availability risks connected with weak or compromised machine identities while safeguarding the flow of information to trusted machines and preventing communication with machines that are not trusted.

With 31 patents currently in its portfolio, Venafi delivers innovative solutions for the world’s most demanding, security-conscious Global 2000 organizations. Venafi is backed by top-tier investors, including Foundation Capital, Intel Capital, Origin Partners, Pelion Venture Partners, QuestMark Partners, Mercato Partners and NextEquity. For more information, visit: www.venafi.com.