In March 2009 Bloor Research released a Market Update on the subject of Data Encryption.
The past year has, yet again, seen significant data loss incidents that could have easily been avoided if sensible data encryption had been implemented. Gradually the flood of horror stories is forcing a rethink across both the private and public sectors as they grasp the significant impact a data loss incident can have on customers, clients or citizens.
Arguably the protection of data should be one of the top objectives of any IT function. Encryption, which is the process of taking a piece of data and obscuring it so that unauthorised people cannot view it, should therefore be fundamental to the work of an IT department in any sizeable organisation. Small and medium-sized businesses are also realising that data protection, in the form of encryption, is for them as well.
Encryption has always been surrounded with a mystique that seems designed to confuse anyone other than the most technically adept. Ultimately the key business decision is to protect data; the way this is done is not that relevant at a business level. What is of interest is the cost associated with managing such a security model. In particular, the way in which keys, which enable data to be encrypted/decrypted, are managed can have a significant effect on the cost of owning a solution.
Encryption vendors range from very small, technically clever businesses through to much larger and significant players in the world of data encryption products. Any decision to embark on a data encryption purchase needs to be taken at a strategic level within an organisation, as a customer will be closely aligned to their encryption supplier for a long time. Replacing an encryption solution with another is a complex, time-consuming task, so it is better to make the best decision at the beginning. An encryption supplier needs to be assessed for their stability and maturity as well as their product set, as customers need to be assured that the supplier will be around in years to come.
Historically confidential data may only have been handled by a select few members of an executive team, but now it is likely to be accessed by all levels of staff throughout an organisation. Increasingly having a secure, encrypted IT infrastructure is a prerequisite for dealing electronically with many financial and institutional data suppliers such as banks and brokerages.
This prevalence of confidential information across a business poses a challenge to corporate policy makers and the IT departments who are tasked with keeping the data secure. Countless cases have been highlighted over the past year where staff at all levels have accessed vast amounts of valuable data only for it to be stolen from unprotected laptops, transferred to business partner servers, or sent via email to recipients with uncertain security. The downturn in the global economy has forced many out of work. Where in the past this may have been production or manual workers, the latest downturn is affecting knowledge workers that have access to computer systems and data. Bearing a grudge or resenting the decision to let them go, ex-employees will often remove data in the form of customer lists, email accounts or other sensitive data. Clearly being fired stretches the loyalty of the most diligent of employees.
Various legislation is now in place, in some jurisdictions, to force data owners to publicly disclose if confidential data is lost. This requirement is removed if the data is encrypted.
Stresses in the global economy are putting even more data at risk of inappropriate access. Data encryption, in whatever format, is here to stay as it forms an integral component of a secure computing environment. This market update has highlighted key players and how they are striving to innovate in the encryption market. Inevitably the larger and more stable vendors will win business from large and enterprise-sized customers, but there is still demand for innovative solutions from the small encryption vendors.
One year on, the strategic deployment of encryption solutions is still seen as difficult by many organisations, and vendors must work hard to provide a product set that can be rolled out systematically over a period of time. Many customers have had a bad experience of encryption solutions and need reassurance that a new solution will be fit for purpose. Of significant concern will be key management and how this can be made more manageable than in the past - this appears to still be the number one issue with customers that have had a bad experience with encryption. The development of the OASIS open key management protocol will be followed with interest by many.
Debates about email encryption architectures will continue, but ultimately it is up to a customer organisation to deploy an email encryption solution that best fits their messaging infrastructure. Either choice of encryption is better than none, bearing in mind the quantity and quality of data that is communicated via email.
Inevitably the distinction between encryption and data leak prevention will continue to erode as vendors talk of a more comprehensive Enterprise Data Protection architecture. This will take time, as acquisitions and partnerships need to settle down and technologies need to be shared. At the lower end of the market, for example individual consumers and very small businesses, there will still be demand for basic encryption as a standalone offering, as they do not face the same management issues as larger enterprises. This will continue to provide an opportunity for the more tactical encryption vendors.
This next year will continue to see a colossal change in the worldwide financial system and the associated risks to data of all forms. The need for decent encryption should therefore be very high on any IT security professional's agenda.
The Market Update is available free of charge at BloorAnswers.com and features a number of vendors including:
- Credant Technologies
- Mobile Armor
- FrontRange Solutions
- Tumbleweed Communications
- Voltage Security