Lack of Key Management Jeopardizes Data Encryption Strength

July 19, 2021 | Anastasios Arampatzis

Organizations are increasingly moving data to multiple cloud environments, but they fail to protect it effectively. This is the headline of two global surveys released recently: the Thales 2021 Data Threat Report (DTR) and the Entrust 2021 Global Encryption Trends study.

Both reports highlight that although the share of data that is encrypted is growing, an alarming amount of customer and personal data is still stored or transferred without being encrypted. What is more, businesses seem to struggle to enforce best practices for managing machine identities—especially encryption keys—which reduces the effectiveness of the encryption algorithms they deploy.

Key findings

The key findings from both reports draw a worrying picture about the overall security posture of data in the cloud.

  • 31% of respondents said that 41-50% of their workloads and data reside in external clouds, and 24% reported more than half (Thales 2021 DTR)
  • Only 24% of respondents indicated that they have complete knowledge of where their data is stored (Thales 2021 DTR)
  • 65% of respondents say discovering where sensitive data resides in the organization is the number one challenge (Entrust 2021 Global Encryption Trends).

If you don’t know where your data is, how can you protect it? As a result:

  • Only 17% indicated that they have protected more than 50% of their sensitive data in cloud with encryption (Thales 2021 DTR)
  • 60% of respondents say their organizations transfer sensitive or confidential data to the cloud whether or not it is encrypted (Entrust 2021 Global Encryption Trends).

Robust data protection, whether on-premises or in the cloud, is the result of strong encryption algorithms and effective key management. Despite that, many organizations fall short of the mark.

  • 57% said that they are using key management products (Thales 2021 DTR)
  • 56% of respondents rate key management as very painful, which suggests respondents view managing keys as a very challenging activity (Entrust 2021 Global Encryption Trends).
  • Overall, only 50% of respondents say their organizations have an overall encryption plan that is applied consistently across the entire enterprise (Entrust 2021 Global Encryption Trends).

Weak key management strategies

Encryption and tokenization are effective and well-established mechanisms for data protection. These controls are required by various security and privacy regulations and standards such as HIPAA, PCI DSS, GDPR and CCPA. However, their effectiveness rests on a combination of encryption strength and key management strategies.

The Thales 2021 DTR report indicates that many organizations have deployed a great variety of encryption key management techniques, ranging from Hardware Security Modules (HSMs) to homegrown systems and spreadsheets or flat files. More than a third (40%) of respondents said that their organization currently deploys five to seven key management products, while 14% said that they employ 8-10 key management solutions.

However, this level of variety in key management platforms and techniques introduces a greater risk of error, and more effort is required to manage the combination successfully. Weak or poor key management practices result in a lack of visibility and a greater chance of either a key compromise or an outage caused by an expired certificate. Using encryption without managing the associated keys indicates a lack of maturity in the data protection implementation and leaves the organization exposed to unaddressed risks.

It is important for organizations to understand that simply implementing protections like encryption, without managing all the aspects needed to strengthen their security, will leave them open to abuse. For encryption to be effective against various threats, it needs to be applied with clear and concise knowledge of the users, processes and applications involved. As the findings of the two reports demonstrate, we have a long way to go before we reach this point.

Cloud neutral data encryption and key management

Another issue that came up in the Thales 2021 DTR report is the need to segregate duties, especially those regarding identity provisioning and encryption key management. Although many cloud providers are offering native encryption and key management solutions, the cloud security shared responsibility model leaves room for organizations to select the cloud-agnostic solution of their preference.

Native encryption solutions hide many dangers, such as vendor lock-in, lack of interoperability and the fear of allowing a federal agency to access consumer and personal data without their consent. On the other hand, Bring-your-own-encryption (BYOE) is an approach that can offer the controls and protections needed to mitigate these risks, allowing the organizations to take control of their data security and maintain regulatory compliance.

Venafi Zero Touch PKI is a fully SaaS-based alternative to creating and running your own internal PKI. It can be configured and managed in any way you need, in conjunction with multiple CAs and with the options you need for security and traceability. In addition, Venafi Zero Touch PKI includes a dedicated customer HSM, key generation and storage at a DoD-spec vault facility, and storage of private keys in best-of-breed Hardware Security Modules (HSMs).

To learn how we can help you, contact our experts.

About the author

Anastasios Arampatzis

Anastasios Arampatzis is a retired Hellenic Air Force officer with over 20 years of experience in evaluating cybersecurity and managing IT projects. He works as an informatics instructor at AKMI Educational Institute, while his interests include exploring the human side of cybersecurity.
