It’s a dangerous world out there. We need to be ever vigilant.
In the digital world, individuals and organizations that are serious about guarding their data and privacy use encryption. This technology protects data on devices and in emails, files, phone calls, photos and videos by making it unreadable to anyone without access to the encryption key.
That last part—about access to the encryption key—is important to understand. Unless you do a really good job of protecting your keys, your encryption strategy is essentially worthless. And keep in mind that encryption keys for data protection work hand in hand with machine identities to authenticate machine-to-machine connections and communications as key components of an overall access control policy.
Encryption solutions have proliferated, data is everywhere, and employees add to the threat.
Key protection for encryption is a significant challenge for organizations. Many businesses have IT security directors, compliance officers and other technical professionals who are great at their jobs. But few operations have enough staff with the skills and experience to manage encryption and keys.
And data protection has gotten a lot harder. Ponemon Institute’s “2020 Global Encryption Trends Study,” says the average enterprise uses eight different encryption products today.
At the same time, there has been a sea change in the key drivers of encryption adoption.
Five years ago, regulatory compliance was the dominant driver of encryption. Organizations would have to prove to an auditor they had done due diligence in protecting sensitive data, and encryption was a big part of those strategies.
Regulatory compliance is still a highly rated reason for employing encryption, but it’s no longer the leading reason. Instead, it’s moved down to No. 4 on the list, according to Ponemon. Now the top reason organizations state for using encryption is to protect customer information.
Fifty-four percent of the Ponemon survey group said protecting customer personal information is among their main drivers for using encryption technology solutions. Protecting intellectual property and information against specific, identified threats came in next at 52% and 51%, respectively. But fewer than half (47%) said regulatory compliance was their main driver.
This indicates businesses are taking a much more data-centric approach to encryption rather than viewing it as a checkbox filler to show they’ve met regulatory compliance requirements.
Despite these changing forces, the way people actually deploy encryption is not keeping pace, at least not yet. Organizations are turning on encryption where it’s easiest and most mature from a technology perspective—in databases, for laptop hard drives, and for backups and archives. But other places where sensitive data flows to aren’t seeing the same level of encryption usage, including data center storage, file systems, and big data repositories. And the encryption strategy isn’t cohesive enough with a process to issue and manage trusted machine identities for secure connections.
I think we’re going to see a sea change on this front as well. Organizations are going to start following and encrypting the data rather than just turning on encryption when and where it’s easiest to do so. It’s clear that people are changing their approaches and acknowledging that they need to follow the data, and that encryption is an integral part of their overall access control strategy. An actual implementation just hasn’t gotten there quite yet.
Because data is out there on all these different systems, the concept of a secure perimeter has faded. We don’t have those clear borders anymore. So, the best thing you can do is to wrap the security around the data itself by using encryption, so data carries that protection with it wherever it goes.
But, again, for encryption to deliver on its promise, organizations require an effective way to protect and manage their encryption keys. This is the Achilles’ heel of encryption.
The Ponemon research highlights that many organizations are struggling to create and enforce a consistent policy for encryption. While 48% of respondents said their organizations have applied encryption consistently across the enterprise, this means that more than half have not.
Organizations are increasingly turning to HSMs to specifically address this issue. HSMs provide secure cryptographic processing—encryption and digital signing—as well as key generation and protection to enable organizations to enforce their encryption policy across different devices and, importantly, across multiple clouds. Using an HSM establishes a root of trust within a business, providing a central and auditable point of control for the encryption key and machine identity management policy.
If you have to do configuration across eight different encryption solutions using eight different user interfaces, training your staff and achieving consistency in encryption are both real challenges. Good encryption hygiene like regular key rotations and key backups become cumbersome and mistake-prone as the environment becomes increasingly complex. Many organizations have found that encryption and key management tools within a single cloud such as Microsoft Azure work quite well, but don’t work across their other clouds and their enterprise and hence are a partial solution.
An HSM can serve as a central point of encryption policy enforcement and secrets management. By using the HSM as a trust anchor and policy enforcer, a strong and consistent approach can be achieved—even if your organization is a multi-cloud operation.
HSMs also can help your organization comply with new regulations like the California Consumer Privacy Act (CCPA), which specifically references the importance of securing encryption keys.
Such new developments, data proliferation and distribution, and new trends and priorities help explain why HSM adoption is on the rise. As Ponemon reports, 64% of organizations now recognize that HSMs are important to encryption and key management. HSMs and a “follow the data” strategy for the protection of sensitive information are a powerful one-two punch in the quest for successful data protection.
Venafi and nCipher have joined forces to help address the machine identity challenges faced by today’s enterprise customers. By integrating machine identity management with HSMs, organizations can generate and store keys securely—without them having to ever leave the HSM. The integration powers the use of strong cryptographic keys, orchestrating HSM-based generation and storage. Learn more about the nCipher-Venafi integration on the Venafi marketplace.
This blog features solutions from the ever-growing Venafi Ecosystem, where industry leaders are building and collaborating to protect more machine identities across organizations like yours. Learn more about how the Venafi Technology Network is evolving above and beyond just technical integrations.