Everyone makes mistakes; we're all human. But slip-ups can spell big trouble in the IT security arena. Indeed, human error was at least partly to blame for the exposure of CareFirst BlueCross BlueShield members' medical information and Pennsylvania teachers' data. More significantly, the blunder of a single employee played a role in the 2017 Equifax breach, an incident which is thought to have compromised at least 146 million Americans' sensitive details.
Security professionals are well aware of these and other dangers involving human error. In Thales' 2018 Global Encryption Trends Study, almost half of respondents (47 percent) rated employee mistakes as the most significant threat to sensitive data. That share outweighed those for other risks, including system or process malfunctions (31 percent), hackers (30 percent) and temporary or contract workers (22 percent).
For its report, Thales commissioned Ponemon Institute to survey 5,252 individuals across industry sectors in Australia, Brazil, France and nine other countries. The purpose of the publication, which Venafi co-sponsored, was to determine how encryption has evolved over the past 13 years and how it has affected organizations' security posture.
Considering the widespread concern over employee mistakes, it's not surprising that IT professionals are increasingly turning to encryption to protect their organizations' sensitive data. This trend is reflected in the increasing proportion of IT spending dedicated to encryption and other security measures.
In 2017, security budget allocations reached a record high of 10.6 percent of total IT spending. Encryption expenditures dipped slightly from 14.4 percent of IT security spending to 12.3 percent, but that lower amount could reflect organizations' deeper familiarity with, and therefore more efficient use of, encryption technologies compared with years past.
Of course, the number of encryption solutions available on the market has dramatically increased in recent times. John Grimm, senior director of security strategy at Thales eSecurity, is well aware of this development. As quoted in a release issued by Thales:
“Companies navigating today’s threat landscape are understandably seeking out fast, scalable encryption tools that encompass enterprise and cloud use cases, and enforce policy consistently across both models. Fortunately, enterprises have more data protection choices today than when the race to the cloud began. These options include bring your own key (BYOK) and bring your own encryption (BYOE) solutions, which allow enterprises to apply the same encryption and key management solution across multiple platforms.”
The variety described by Grimm makes organizations' choice of encryption technologies a significant decision. Their investments reveal what types of features organizations look for when choosing a technology and what types of information they slate for encryption. With that in mind, here are some key findings from Thales and Venafi's report:
- No single encryption technology dominated organizations' security strategies, as enterprises have diverse needs for encryption assets. Even so, 49 percent of respondents said they had already partially deployed IoT encryption on devices and platforms.
- Respondents deemed some encryption features more important than others. Survey participants said system performance and latency, enforcement of policy, and support for cloud and on-premises deployment were essential.
- Security personnel reported that HR and payment data were most likely to be encrypted and that health-related data was the least likely type of information to be encrypted.
Thales' report also provides insight into how organizations are applying encryption to parts of their IT ecosystem where such security measures are still taking shape. This is especially true for cloud environments. Overall, 61 percent of respondents said they currently transfer sensitive or confidential data to the cloud whether or not it is encrypted. Just over one-fifth (21 percent) of survey participants admitted they intend to follow that same path within the next year or so.
When it comes to choosing cloud encryption technology, more than six in 10 individuals look for support of the Key Management Interoperability Protocol (KMIP) (66 percent), granular access controls (60 percent), and SIEM integration and visualization along with analysis of logs (62 percent). Once they choose this technology, 47 percent of respondents perform encryption on-premises prior to sending data to the cloud, using keys generated and maintained by the company. That proportion is greater than the share of participants who use encryption keys generated by the cloud provider (38 percent) or who use a "Bring Your Own Key" approach (21 percent).
Dr. Larry Ponemon, chairman and founder of The Ponemon Institute, says the survey found that organizations generally like to maintain that level of control when it comes to encrypting data hosted in the cloud. As quoted in the Thales release:
“While enterprises are rightfully encrypting cloud-based data, 42% of organizations indicate they will only use keys for cloud-based data-at-rest encryption that they control themselves. Similarly, organizations that use HSMs in conjunction with public cloud-based applications prefer to own and operate those HSMs on-premises. These findings tell us control over the cloud is highly important to companies increasingly under pressure from data security threats and compliance requirements.”
Of course, if organizations are going to generate and manage their own encryption keys, they need to make sure they do so securely. They should ideally invest in an automated solution that continuously monitors their keys and certificates.