Analyst Coverage: Fran Howarth
Encryption—and its opposite, decryption—is the process of converting data into code that is unreadable by a human who does not possess the necessary key for decrypting it, or turning it back to a readable form. It has its origins in the Greek word kruptos, meaning hidden. Encryption is one of the best methods that can be used for protecting sensitive data from loss or inappropriate access, but for many it is still often an afterthought, used in a largely ad hoc manner.
Why is it important?
Whilst data breaches appear to be everyday news, the vast majority are never reported. According to the Breach Level Index, 9.7 trillion data records have been lost or stolen since 2013, yet only 4% of those records were encrypted, rendering them useless to those who discover the records. When an adversary realises that an organisation is using encryption on a widespread basis, they are likely to move on, looking for easier targets to exploit.
As the number of breaches continues to rise, regulators are demanding higher levels of data protection, with increased sanctions for non-compliance. A prime example is the general data protection regulation (GDPR) of the EU, which affects every organisation that processes and stores data related to those resident in the EU, no matter where the data is handled or kept. As with most regulations, GDPR is not particularly prescriptive regarding the technologies that organisations should implement, with the exception of encryption and pseudonymisation. Data records that have been adequately encryption exempt an organisation from having to disclose that it has been subject to a data breach.
In light of factors such as these, it is clear that taking a data-centric approach to securing an organisation’s assets is the best option, using multilayered encryption for sensitive data both at rest and in motion. Encryption should be the cornerstone of any security programme.
How does it work?
All too often, organisations have deployed encryption to meet specific needs as problems arise, which can lead to gaps in security that leave some sensitive data unprotected. To solve this, an enterprise-wide strategy should be established, led by security executives with input from IT and business units. This strategy will likely involve the implementation of a data security platform that provides for persistent encryption for all data in use in the enterprise, covering data at rest in storage, backup, on devices that include mobile equipment and in services based in the cloud. It will also provide for efficient encryption for data in transit.
Such a platform will solve some of the biggest bugbears of encryption deployments. One of these is key management which, according to the Ponemon Institute is very painful for 57% of organisations. A consolidated platform will ensure that encryption keys are centrally managed, refreshed regularly and kept separate from the data that are protecting to ensure that keys cannot fall into the wrong hands. Many vendors offering data security platforms offer key management services, which can be installed on-premise, in a private cloud or in the public cloud as a private instance.
Other beneficial services that can be offered by a centralised platform include data discovery and classification. Not all data needs to be encrypted, which would add to overheads and potentially negatively impact users. Therefore, organisations need to discover all data used and determine its sensitivity so that appropriate controls can be applied and enforced. Other services to look for include analytics and reporting, activity monitoring and real time alerting.
For encryption to be effective, all devices and data should be considered, including virtual machines, portable storage, mobile devices and data held in the cloud. In the case of the cloud, organisations cannot outsource responsibility for data protection to services providers. Rather, it remains their responsibility and they will be held responsible for fallout from data breaches. Cloud providers should never have access to keys to avoid possible breaches caused by their staff or the perils of subpoenas from law enforcement. Managing keys separately from the cloud services also avoids co-mingling of data in multitenant environment and makes it easier to use multicloud services, simplifying the complexity of moving data among clouds and ensuring that keys are centralised and persistent encryption is used across all cloud instances.
According to Forrester Consulting, 96% of organisations believe that changing from a strategy of multiple point products to a single platform is beneficial, providing higher levels of visibility, and controlling costs and integration concerns.
“In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption.”
EU General data protection regulation
“Get security and ops on board with data protection, starting at the top. If you have a compliance officer, bring him or her in as well.”
A data security platform will provide incremental value to other technologies in use, including DLP controls, behavioural analytics and SIEM systems. Many data security platform vendors provide encryption dashboards for major SIEMs, enabling logging and reporting of the effectiveness of encryption controls to ensure that they are working as intended.
A data security platform with encryption at its core will help defend an organisation against the harm caused by data breaches and will be essential for more effectively meeting compliance and audit requirements, even as an organisation’s infrastructure expands to embrace new technologies.
Early encryption systems gained a reputation for being hard to implement and manage, but that is largely a thing of the past. To ensure that they are adequately budgeted for, use cases should be put forward that show the importance of encryption for data protection, defending against data breaches and achieving compliance with ever more stringent regulations. However, it is important that any encryption rollout be accompanied by comprehensive user awareness efforts and training to persuade users that encryption need not be feared and reinforcing its role in protecting sensitive information.
The Bottom Line
Encryption is hot now because of its potential to greatly reduce the fallout from data breaches and to achieve compliance with ever more stringent data protection regulations. No organisation can afford to leave sensitive information in the clear for easy pickings.