Organizations are increasingly moving data to multiple cloud environments, but they fail to protect it effectively. This is the headline of two global surveys released recently: the Thales 2021 Data Threat Report (DTR) and the Entrust 2021 Global Encryption Trends study.
Both reports highlight that although the percentage of data that is encrypted is growing, an alarming amount of customer and personal data is still stored or transferred unencrypted. What is more, businesses seem to struggle to enforce best practices for managing machine identities—especially encryption keys—which reduces the effectiveness of even strong encryption algorithms.
The key findings from both reports draw a worrying picture about the overall security posture of data in the cloud.
- 31% of respondents said that 41-50% of their workloads and data reside in external clouds, and 24% reported more than half (Thales 2021 DTR)
- Only 24% of respondents indicated that they have complete knowledge of where their data is stored (Thales 2021 DTR)
- 65% of respondents say discovering where sensitive data resides in the organization is the number one challenge (Entrust 2021 Global Encryption Trends).
If you don’t know where your data is, how can you protect it? As a result:
- Only 17% indicated that they have protected more than 50% of their sensitive data in cloud with encryption (Thales 2021 DTR)
- 60% of respondents say their organizations transfer sensitive or confidential data to the cloud whether or not it is encrypted (Entrust 2021 Global Encryption Trends).
Robust data protection, whether on-premises or in the cloud, is the result of strong encryption algorithms and effective key management. Despite that, many organizations fall short of the mark.
- 57% said that they are using key management products (Thales 2021 DTR)
- 56% of respondents rate key management as very painful, indicating that they view managing keys as a very challenging activity (Entrust 2021 Global Encryption Trends).
- Only 50% of respondents say their organizations have an overall encryption plan that is applied consistently across the entire enterprise (Entrust 2021 Global Encryption Trends).
Weak key management strategies
Encryption and tokenization are effective and well-established mechanisms for data protection. These controls are required by various security and privacy regulations and standards such as HIPAA, PCI DSS, GDPR and CCPA. However, their effectiveness rests on a combination of encryption strength and key management strategy.
The Thales 2021 DTR report indicates that many organizations have deployed a wide variety of encryption key management techniques, ranging from Hardware Security Modules (HSMs) to homegrown systems and spreadsheets or flat files. More than a third (40%) of respondents said that their organization currently deploys five to seven key management products, while 14% said that they employ 8-10 key management solutions.
However, this level of variety in key management platforms and techniques introduces a greater risk of error, and more effort is required to manage the combination successfully. Weak or poor key management practices result in a lack of visibility and a greater chance of either a key compromise or an outage caused by an expired certificate. Using encryption without managing the associated keys indicates a lack of maturity in data protection implementation and leaves the organization exposed to unaddressed risks.
It is important for organizations to understand that simply implementing protections like encryption, without managing all the aspects needed to make them effective, will leave them open to abuse. For encryption to hold up against various threats, it needs to be applied with clear and concise knowledge of the users, processes and applications involved. As the findings of the two reports demonstrate, we have a long way to go before we reach this point.
Cloud neutral data encryption and key management
Another issue that came up in the Thales 2021 DTR report is the need to segregate duties, especially those regarding identity provisioning and encryption key management. Although many cloud providers are offering native encryption and key management solutions, the cloud security shared responsibility model leaves room for organizations to select the cloud-agnostic solution of their preference.
Native encryption solutions hide many dangers, such as vendor lock-in, lack of interoperability and the fear of allowing a federal agency to access consumer and personal data without the owners' consent. On the other hand, Bring Your Own Encryption (BYOE) is an approach that can offer the controls and protections needed to mitigate these risks, allowing organizations to take control of their data security and maintain regulatory compliance.
Venafi Zero Touch PKI is a fully SaaS-based alternative to creating and running your own internal PKI. It can be configured and managed in any way you need, in conjunction with multiple CAs and with the options you need for security and traceability. In addition, Venafi Zero Touch PKI includes a dedicated customer HSM, key generation and storage at a DoD-spec vault facility, and storage of private keys in best-of-breed Hardware Security Modules (HSMs).
To learn how we can help you, contact our experts.