Organizations are increasingly moving data to multiple cloud environments, but they fail to protect it effectively. This is the headline of two global surveys released recently: the Thales 2021 Data Threat Report (DTR) and the Entrust 2021 Global Encryption Trends.
Both reports highlight that although the share of data that is encrypted is growing, an alarming amount of customer and personal data is still stored or transferred without being encrypted. What is more, businesses seem to struggle to enforce best practices for managing machine identities, especially encryption keys, which reduces the effectiveness of the encryption algorithms themselves.
The key findings from both reports draw a worrying picture about the overall security posture of data in the cloud.
If you don’t know where your data is, how can you protect it? As a result
Robust data protection, whether on-premises or in the cloud, is the result of strong encryption algorithms and effective key management. Despite that, many organizations fall short of the mark.
Encryption and tokenization are effective and well-established mechanisms for data protection. These controls are required by various security and privacy regulations and standards such as HIPAA, PCI DSS, GDPR and CCPA. However, their effectiveness rests on a combination of encryption strength and key management strategies.
The Thales 2021 DTR report indicates that many organizations have deployed a great variety of encryption key management techniques, ranging from Hardware Security Modules (HSMs) to homegrown systems and spreadsheets or flat files. More than a third (40%) of respondents said that their organization currently deploys five to seven key management products, while 14% said that they employ 8-10 key management solutions.
However, this level of variety in key management platforms and techniques introduces a greater risk of error and requires more effort to manage the combination successfully. Weak or poor key management practices result in a lack of visibility and greater chances of either a key compromise or an outage caused by an expired certificate. Using encryption without managing the associated keys indicates a lack of maturity in data protection implementation and leaves the organization vulnerable to unaddressed risks.
It is important for organizations to understand that simply implementing protections like encryption, without managing all the aspects needed to strengthen their security, will leave them open to abuse. For encryption to be effective against various threats, it needs to be applied with a clear and concise knowledge of users, processes and applications. As the findings of both reports demonstrate, there is a long way to go before we reach this point.
Another issue that came up in the Thales 2021 DTR report is the need to segregate duties, especially those regarding identity provisioning and encryption key management. Although many cloud providers are offering native encryption and key management solutions, the cloud security shared responsibility model leaves room for organizations to select the cloud-agnostic solution of their preference.
Native encryption solutions carry many risks, such as vendor lock-in, lack of interoperability and the fear of allowing a federal agency to access consumer and personal data without the owners' consent. On the other hand, Bring-your-own-encryption (BYOE) is an approach that can offer the controls and protections needed to mitigate these risks, allowing organizations to take control of their data security and maintain regulatory compliance.
Venafi Zero Touch PKI is a fully SaaS-based alternative to creating and running your own internal PKI. It can be configured and managed in any way you need, in conjunction with multiple CAs and with the options you need for security and traceability. In addition, Venafi Zero Touch PKI includes a dedicated customer HSM, key generation and storage at a DoD-spec vault facility, and storage of private keys in best-of-breed Hardware Security Modules (HSMs).
To learn how we can help you, contact our experts.