Data encryption is the key to minimizing the risk of embarrassing and costly security breaches.
A seemingly endless list of high-profile data breaches has organizations worried about the threats posed by hackers. The ongoing adoption of cloud applications and storage brings concerns about the security of data on third-party systems. And more and more employees are transmitting and storing sensitive information on mobile devices — devices that could be lost, stolen or compromised.
Each of these security risks raises the specter of a data breach, one of the most costly and potentially devastating threats organizations face. The loss or exposure of sensitive information exacts an enormous price, including the costs of investigating and recovering from the breach, notifying affected individuals, lost productivity, legal fees, regulatory fines and brand damage.
While there is no foolproof way to prevent a data breach, one technique comes very close: encryption. Encryption effectively “scrambles” data, which cannot be read without access to the correct encryption key. As a result, encryption can dramatically reduce, if not eliminate, the security risks associated with the loss or theft of data.
According to the 2016 Encryption Applications Trends Study conducted by the Ponemon Institute, the use of encryption is on the rise. Companies that report using encryption extensively jumped 7 percent to a total of 41 percent, the largest increase in the 11-year history of this report.
“There has been a steady increase in the use of encryption technology, with the highest increase ever in this year’s results,” said Dr. Larry Ponemon, chairman and founder of The Ponemon Institute. “Along with that increase we’ve seen the rise of new challenges in the areas of encryption key management, data discovery and cloud-based data storage. The findings of this study demonstrate the importance of both encryption and key management across a wide range of industries and core enterprise applications.”
Organizations in certain regulated industries have very real incentives to encrypt data. The Health Insurance Portability and Accountability Act (HIPAA) requires covered entities to provide notice to affected individuals, the Department of Health and Human Services and in some cases the media if there is a breach of unprotected data — that is, data that is not encrypted.
The healthcare sector isn’t the only industry that promotes encryption. Under California’s Security Breach information Act and similar regulations enacted by other states, companies must disclose even suspected security breaches to the media and all individuals potentially affected. Encrypted data is exempt, however.
The Payment Card Industry Data Security Standard (PCI DSS) mandates the encryption of stored data, including data on backup tapes, as well as point-to-point encryption of data from the point of interaction until the data reaches the payment gateway, processor or acquirer. The latest versions of PCI DSS require that merchants migrate from older, insecure cryptographic technologies, a transition that must be completed by June 30, 2018.
It’s hardly surprising, then, that organizations in the financial services, healthcare and pharmaceutical, and technology and software sectors are using encryption the most, according to the Ponemon study. This indicates the influence of regulations and privacy concerns on the need to protect against data breaches.
Many organizations still operate under the assumption that encryption saps productivity, makes finding and retrieving information more difficult, and increases the complexity of storage and backup processes. Indeed, older encryption solutions required companies to make painful tradeoffs to achieve data security: performance degradation, operating system and application dependency, or changes in workflow. However, encryption systems can be configured in ways that minimize performance problems, and newer technologies are more flexible and require fewer resources.
Locking It Down
Encryption key management is another major pain point. Cumbersome manual processes are often used to generate, distribute, secure, expire and rotate the encryption keys used to scramble and unscramble data. This results in increased costs for IT, difficulty meeting audit and compliance requirements, and inaccessible data if keys are lost.
Organizations should take a policy-based approach to encryption key management, governing access to keys, sharing of keys, expiration of keys, shredding of keys, and all other aspects of key lifecycle management. Encryption key management solutions help to enforce policies while making it easier to create and control the master keys used for various types of applications and data. In addition to traditional hardware security modules — physical devices that safeguard and manage encryption keys —cloud-based offerings as well as hybrid cloud and on-premises products are becoming widely available.
Some encryption appliances perform their own key management. For example, email encryption solutions will retrieve the appropriate key so that the recipient can unlock and read an encrypted email. Similar products can be used for other types of applications as well.
Enterprise-wide encryption solutions automatically encrypt data when it’s created, ensuring the security of data when it is emailed or shared across platforms and devices. While encryption is transparent to the user, decryption requires user action, helping to prevent accidental data leakage. Decryption activities are logged and administrators are alerted if someone attempts to decrypt a large number of files.
Recent data breach incidents and growing security threats have led more organizations to encrypt data within the data center, on endpoint devices and at all points in between. Modern encryption and key management solutions can effectively eliminate the risk of a data breach without disrupting workflows or impacting productivity.