2016 top trends in encryption and data protection
TRANSCRIPT
Dr. Larry Ponemon and John Grimm
March 23, 2016
Top Trends in Encryption and Data Protection 2016

Today’s Speakers
Dr. Larry Ponemon, Chairman & Founder, Ponemon Institute
John Grimm, Senior Director, Thales e-Security
About this research
This presentation contains the findings of a survey completed by 5,009 IT and IT security practitioners in the following 11 countries: United States, United Kingdom, Germany, France, Australia, Japan, Brazil, Russian Federation, India, Mexico and Arabia. The research examines how the use of encryption has evolved over the past 11 years.
Sponsored by
Agenda
• Broad encryption trends 2016
• Encryption and key management challenges
• Addressing those challenges
• Encryption in the cloud
• Summary and conclusions
Encryption Strategy
• Reversal over period of study!
• Reflects growing importance of encryption
• Also reflects struggle to apply strategy and policy consistently
[Chart, FY05 to FY15: companies with an encryption strategy applied consistently across the entire enterprise rose from 15% to 37%; companies with no encryption strategy fell from 38% to 15%.]
Encryption strategy by country
Percentage of companies with an encryption strategy applied consistently across the entire enterprise (the chart also marks the average across all countries):
DE (Germany)             61%
US (United States)       45%
JP (Japan)               40%
UK (United Kingdom)      38%
FR (France)              36%
RF (Russian Federation)  36%
IN (India)               33%
BZ (Brazil)              28%
AB (Arabian Cluster)     27%
AU (Australia)           26%
MX (Mexico)              26%
Business owners gain influence over encryption strategy
• Drivers include
  – Compliance
  – BYOD
  – Consumerization of IT
[Chart, FY05 to FY15: which function has the most influence over encryption strategy. IT Operations fell from 53% to 32%; Lines of business rose from 10% to 27%; Security rose from 12% to 16%.]
Encryption usage by vertical market
• Increase across all 10 represented markets
• Compliance and privacy concerns are strong drivers
• Additional markets include Services, Transportation, Hospitality, Consumer Products, and Manufacturing
Encryption usage by market, FY12 to FY15:
                         FY12   FY13   FY14   FY15
Public sector            23%    24%    25%    33%
Retail                   21%    21%    26%    35%
Technology & software    31%    33%    39%    48%
Health & pharma          29%    31%    40%    49%
Financial services       38%    43%    48%    56%
Drivers for using encryption
• Compliance is a consistent year-to-year top finding
• Organizations increasingly identifying and protecting specific data types
To comply with external privacy or data security regulations and requirements   61%
To protect enterprise intellectual property                                      50%
To protect information against specific, identified threats                     49%
To protect customer personal information                                         47%
To limit liability from breaches or inadvertent disclosure                       35%
To reduce the scope of compliance audits                                         34%
To comply with internal policies                                                 15%
To avoid public disclosure after a data breach occurs                             8%
Encryption challenges
• Discovery increasingly difficult as data proliferates
• Attacks will seek out the easiest target
• Bottom of this list speaks as loudly as the top
Discovering where sensitive data resides in the organization    57%
Initially deploying the encryption technology                   49%
Classifying which data to encrypt                               35%
Ongoing management of encryption and keys                       31%
Training users to use encryption appropriately                  15%
Determining which encryption technologies are most effective    13%
Top two threats to data exposure
1. Employee mistakes
2. System or process malfunction
[Chart: percentage of respondents citing employee mistakes as the top threat, by country (AU, JP, UK, IN, AB, US, BZ, MX, RF, DE, FR), on a 0 to 100 scale.]
What types of data are organizations encrypting?
• Encryption needs to be addressed by companies of all types
• Expect health-related information to rise
Employee/HR data                     62%
Payment related data                 55%
Intellectual property                49%
Financial records                    48%
Customer information                 36%
Non-financial business information   30%
Health-related information           20%
With increased encryption use comes the pain of key management
• Key management pain rated 7 (out of 10) or higher by over half of respondents!
• Similar pain ratings across mature and less mature countries
Sources of key management pain:
No clear ownership                                    57%
Lack of skilled personnel                             49%
Systems are isolated and fragmented                   47%
Key management tools are inadequate                   46%
Too much change and uncertainty                       37%
Insufficient resources (time/money)                   23%
No clear understanding of requirements                16%
Technology and standards are immature                 13%
Manual processes are prone to errors and unreliable   11%
Key management systems in use
• Manual = painful = prone to mistakes
• Evidence that policies are becoming more formalized
• HSMs on the rise
Manual process (e.g., spreadsheet, paper-based)                                             57%
Formal key management policy (KMP)                                                          44%
Central key management system/server                                                        32%
Formal definition of roles and responsibilities of the KMI including separation of duties   32%
Formal key management infrastructure (KMI)                                                  31%
Formal key management practices statement (KMPS)                                            31%
Removable media (e.g., thumb drive, CDROM)                                                  31%
Hardware security modules                                                                   28%
Smart cards                                                                                 20%
Software-based key stores and wallets                                                       17%
HSM basics
Deployment of HSMs as part of key management activities
• Findings correlate with stronger security posture and encryption strategy maturity
Does your organization deploy HSMs? Percentage answering yes, by country (the chart also marks the average):
DE  54%
US  45%
UK  37%
JP  34%
RF  32%
IN  31%
AB  30%
FR  25%
BZ  25%
AU  20%
MX  20%
HSM use cases
Percentage of respondents using HSMs for each use case, current state and 12 months from now:
                                                   Current   12 months
SSL/TLS                                              45%       50%
Database encryption                                  40%       43%
Application level encryption                         36%       39%
PKI or credential management                         31%       33%
Payment transaction processing                       30%       34%
Public cloud encryption                              30%       33%
Payment credential issuing (e.g., mobile, EMV)       26%       30%
Private cloud encryption                             24%       26%
Document signing (e.g. electronic invoicing)         13%       14%
Internet of Things (IoT) device authentication       11%       13%
Code signing                                          7%        8%
Big data encryption                                   6%        7%
Crypto currency                                       6%        6%
The chart groups the top use cases as mature, the middle group as having been growing steadily, and the bottom group as early stage.
Importance of HSMs by industry
[Chart: percentage rating HSMs as important, today and in the next 12 months, by industry: Manufacturing, Retail, Financial Services, Consumer products, Energy & utilities, Healthcare & Pharmaceutical, Public Sector, Technology & Software, Hospitality & leisure, Communications, All others, Services.]
What about the cloud?
• Over half of respondents are sending sensitive data to the cloud today, and this will rise to 84% over the next two years
• Benefits of the cloud outweighing the risks
[Chart: cloud use for sensitive data by country (BZ, DE, US, UK, FR, AU, JP, IN, MX, AB, RF); values on a 0 to 70 scale.]
Cloud trends
• Maturation of cloud security offerings
• Less fear in the industry about cloud providers
  – Most threats and breaches/incidents originate with subscriber-managed components
• Encryption conversation matures – “why” then “how”
  – Nation-state demands for data access – subscriber control
  – Digital shred of deleted data or isolation failure – provider control
  – Data in use – encryption doesn’t play
  – Finding data unencrypted somewhere else defeats encryption!
• Users will be looking for choice for key control
• Auditors will start to look closer
Control of keys in the cloud
Only use keys controlled by my organization                                          41%
Only use keys controlled by the cloud provider                                       21%
Use a combination of keys controlled by my organization and by the cloud provider    38%
Results underscore importance of enterprise control of keys

Summary and Conclusions
• Encryption use is growing, along with the challenges associated with key management
• Issues addressed here affect companies of all types
• Regulations and privacy concerns are driving growth of encryption and other data protection technologies
• Encryption, properly implemented with strong key management, is a very important part of a layered defense
Thales e-Security
www.thales-esecurity.com
▌Proven, focused expertise in data protection
▌Solutions built to deliver trust
  High assurance security optimized for operational efficiency
  Leader in Hardware Security Modules (HSMs) with form factors and performance to suit every deployment scenario
  Hundreds of use cases across traditional, virtualized, and cloud-based environments
  Security certifications to satisfy regional and industry obligations
▌Just finalized acquisition of Vormetric
  Leading provider of data protection applications
▌Global support and services to help customers succeed
Resources
▌Global Encryption Trends study
▌Key Management for Dummies reference guide
▌Websites
▌www.thales-esecurity.com
▌www.vormetric.com
▌www.ponemon.org
▌Next Thales e-Security webcast: April 20
▌“Innovation and security in the digital payments world” featuring Jose Diaz and Ian Hermon
Ponemon Institute LLC
The Institute is dedicated to advancing responsible information management practices that positively affect privacy, data protection and information security in business and government.
The Institute conducts independent research, educates leaders from the private and public sectors and verifies the privacy and data protection practices of organizations.
Ponemon Institute is a full member of CASRO (Council of American Survey Research Organizations). Dr. Ponemon serves as chairman of CASRO’s Government & Public Affairs Committee of the Board.
The Institute has assembled more than 65 leading multinational corporations, called the RIM Council, which focuses on the development and execution of ethical principles for the collection and use of personal data about people and households.
The majority of active participants are privacy or information security leaders.
Questions?
Ponemon Institute
Toll Free: 800.887.3118
Michigan HQ: 2308 US 31 N., Traverse City, MI 49686 USA
Thales e-Security
+1 954 888 6200
Americas: [email protected]
EMEA: [email protected]
APAC: [email protected]