Welcome To The New Era Of Encryption
S&R Pros Must Use Encryption As The Technological Keystone Of Privacy

by John Kindervag
September 10, 2015

FOR SECURITY & RISK PROFESSIONALS
FORRESTER.COM

Key Takeaways

Encryption Brings Significant Business Benefits
Encryption works. Use encryption to protect your customers’ data privacy, shield your firm from the reach of data breach laws, address data residency requirements, and achieve compliance where applicable.

Complex PKI Requirements Have Failed Encryption
Encryption has historically been synonymous with public key infrastructure (PKI). Unfortunately, the integration and management of various elements that comprise a PKI system is challenging, expensive, and unwieldy for many security teams.

Centralized Key Management And APIs, Not Standards, Will Lead The Way
As S&R pros favor standalone cryptographic solutions over deploying traditional PKI, centralized key management solutions are required to govern these disparate systems. Slow-to-materialize standards won’t help. APIs will instead enable the necessary deep interaction between cryptographic subsystems.

Why Read This Report
Talking about encryption is all the rage these days — from revelations about the National Security Agency’s (NSA’s) surveillance program to a new wave of movies and TV shows featuring hackers and cybercriminals. All of this attention means that it’s time to distinguish mythology from truth and value from risks in this critical discussion. In this report, we provide security and risk (S&R) pros with a discussion of the benefits, pros, and cons of encryption, the future direction of encryption technologies, and useful recommendations for firms embarking on more ubiquitous encryption.



© 2015 Forrester Research, Inc. Opinions reflect judgment at the time and are subject to change. Forrester®, Technographics®, Forrester Wave, RoleView, TechRadar, and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies. Unauthorized copying or distributing is a violation of copyright law. [email protected] or +1 866-367-7378

Forrester Research, Inc., 60 Acorn Park Drive, Cambridge, MA 02140 USA+1 617-613-6000 | Fax: +1 617-613-5000 | forrester.com

Table Of Contents

Encryption Misunderstandings Have Hindered Broad Deployment

Encryption Works

PKI Has Failed To Promote Encryption

To Succeed, S&R Pros Need Advanced, Centralized Key Management

Recommendations

Embrace The Encrypted Future

What It Means

Encryption Is The Technological Keystone Of Privacy

Supplemental Material

Notes & Resources

In developing this report, Forrester drew on a wealth of analyst experience, insight, and research through advisory and inquiry discussions with end users across industry sectors.

Related Research Documents

Did PRISM Cause An Exodus From US Clouds?

The Forrester Wave™: Endpoint Encryption, Q1 2015

The Future Of Data Security And Privacy: Growth And Competitive Differentiation

Lessons Learned From Global Customer Data Breaches And Privacy Incidents Of 2013-14


by John Kindervag with Stephanie Balaouras, Merritt Maxim, Heidi Shey, Alexander Spiliotes, and Kara Hartig

September 10, 2015


Encryption Misunderstandings Have Hindered Broad Deployment

Industry experts have described the recent breach of the US Office of Personnel Management (OPM) as “cybersecurity’s Pearl Harbor.”1 As such, it should be a wake-up call for better security practices, with a special emphasis on enhanced, ubiquitous data encryption.2 There are some indications that this is happening. During congressional testimony, lawmakers made statements indicating that they understood the value and importance of encrypting sensitive data that government agencies like OPM store.3 However, S&R pros should understand that there are those who continue to resist encryption because of long-held misunderstandings such as:

› Encrypting legacy systems is too difficult. In response to congressional questioning, OPM leaders responded with excuses about why encryption was not already in place. The excuses included the often-heard “it’s too difficult” and “our systems are too old.” This simply isn’t true. For older systems that technology management pros cannot update to support native encryption, S&R pros can offload the crypto onto a solution adjacent to the system, such as an encryption appliance from vendors like Gemalto/SafeNet or Vormetric.

› Encrypting sensitive data would not have prevented the breach. OPM leaders also responded with the pinnacle of denial when one official said that encryption would “not have helped in this case” because attackers had compromised valid user credentials.4 This statement highlights what is wrong with the public perception of encryption technologies. The compromise of the user credentials should not render a cryptographic system useless unless the security team has improperly deployed the key management systems controlling the encryption. According to noted cryptographer Adi Shamir, one of the pioneers of cryptography, encryption is rarely, if ever, broken. In his 2004 Turing Award address, he outlined the three laws of security. The third law — “Cryptography is typically bypassed, not penetrated” — is especially prescient in today’s world.5

Encryption Works

Encryption and its related technological cousins, data masking and tokenization, show great promise in “killing data.”6 Forrester uses the term “killing data” to describe the application of technologies such as encryption that prevent cybercriminals from monetizing stolen data. When you encrypt data, you render it unreadable without the encryption key, and if it’s unreadable, cybercriminals won’t bother to steal it because it has no value on the black market or to any interested third party. According to Edward Snowden: “Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that the NSA can frequently find ways around it.”7 So clearly, the future of encryption is finding ways so that adversaries cannot bypass the controls protecting the cryptographic systems. Forrester predicts that this will happen through enhancements in cryptographic key management, primarily fueled by leveraging advancements in API technology.


Encryption Protects Privacy, Streamlines Operations, And Achieves Compliance

The revelations about the NSA’s intelligence gathering program known as PRISM have disrupted the public’s trust regarding the safety of individual and corporate data stored in Internet-based service providers. This scandal has compelled many security teams to encrypt their firm’s data in public cloud services, both in motion and at rest. In fact, according to our surveys, 42% of non-US technology and business decision-makers whose firms have data that resides with an Internet-based third party will not only encrypt their data but also not allow vendors to hold or control cryptographic keys (see Figure 1).8 This demonstrates that businesses understand the value of adopting encryption technologies. Additionally, this is evidence that the future trend will be for businesses to control their own keys instead of allowing their vendors to manage the keys for them.9 We call this “bring your own encryption.”10 There are significant business benefits for security teams that adopt encryption technologies, and they include:

› Protecting the data privacy of your customers. Privacy is clearly a top-of-mind issue for governments, businesses, and consumers alike. Data breaches like OPM, Anthem, and Target have made headlines and generated concern for the millions of individuals whose personal data has been stolen. Had the firms that stored this personal data encrypted it, these customers would not have to worry because encrypted data, in the absence of its decryption keys, is not data at all but merely garbled and unintelligible binary strings. As Shamir noted, there is no evidence that modern, vetted cryptographic algorithms have been broken, unlike what is shown in TV shows. Fail to protect your customer’s privacy and it will erode their confidence and their customer loyalty.11

› Shielding the firm from the reach of data breach laws. Encryption shields most firms from data breach laws. Most laws are descended from California’s SB 1386, which states that only unencrypted personally identifiable information is subject to this breach notification law — meaning that when you encrypt personally identifiable information (PII), you are not required to notify customers if it is compromised.

› Addressing data residency requirements. The most recent data issue that using encryption can effectively tackle is data residency. Data residency is the regulatory requirement that firms store data belonging to the citizens of a specific country within that country.12 This is to protect citizens’ privacy in countries where privacy laws are weak or there is a history of government surveillance. However, because binary data is not a respecter of geographical boundaries (it’s quite easy to intentionally or unintentionally copy, replicate, or transfer it), this can be a significant technological challenge. Properly implemented encryption using good key management can help protect your customers’/citizens’ data no matter where it ultimately resides.

› Achieving regulatory compliance. Encryption makes compliance easier. The effort of implementing an encryption solution is offset by the business value it brings to compliance. Most compliance efforts revolve around the exfiltration of clear text data. Therefore, encrypting data simplifies compliance.
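As an added example (not from the report) of the key-separation point behind “bring your own encryption” and the claim above that encrypted data without its keys is merely garbled bytes, the Go program below models a service provider storing PII under envelope encryption: each record is encrypted with a fresh data key, and that data key is wrapped under a key-encryption key (KEK) that only the customer holds. The record layout, key sizes, and sample PII are constructed for illustration, and the KEK stands in for a key kept in the customer’s own KMS or HSM; wrapping with AES-GCM is one common choice (AES Key Wrap, RFC 3394, is the classic alternative).

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record is everything the service provider stores for one customer record:
// ciphertext plus a wrapped data key. Nothing in it is usable without the
// customer-held key-encryption key (KEK).
type Record struct {
	Nonce      []byte // AES-GCM nonce for the PII
	Ciphertext []byte // PII encrypted under a per-record data key (DEK)
	WrapNonce  []byte // AES-GCM nonce for the key wrap
	WrappedDEK []byte // DEK encrypted under the customer's KEK
}

// gcmFor returns an AES-256-GCM AEAD for a 32-byte key.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh random nonce.
func seal(key, plaintext []byte) (nonce, ciphertext []byte, err error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, gcm.Seal(nil, nonce, plaintext, nil), nil
}

// open decrypts and authenticates; a wrong key or a modified byte fails the
// authentication tag instead of returning garbage.
func open(key, nonce, ciphertext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ciphertext, nil)
}

// Protect is the customer-side write path: generate a fresh 256-bit DEK,
// encrypt the PII under it, then wrap the DEK under the KEK. Only the Record
// (never the KEK or the bare DEK) is handed to the provider.
func Protect(kek, pii []byte) (*Record, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	nonce, ct, err := seal(dek, pii)
	if err != nil {
		return nil, err
	}
	wrapNonce, wrapped, err := seal(kek, dek)
	if err != nil {
		return nil, err
	}
	return &Record{Nonce: nonce, Ciphertext: ct, WrapNonce: wrapNonce, WrappedDEK: wrapped}, nil
}

// Recover is the read path and needs the KEK. Whoever holds only the stored
// Record, whether through a breached database or through valid provider
// credentials, cannot unwrap the DEK, so the record stays unreadable.
func Recover(kek []byte, r *Record) ([]byte, error) {
	dek, err := open(kek, r.WrapNonce, r.WrappedDEK)
	if err != nil {
		return nil, errors.New("cannot unwrap data key: KEK missing or wrong")
	}
	return open(dek, r.Nonce, r.Ciphertext)
}

// LeaksPlaintext reports whether any stored field contains the PII verbatim,
// a sanity check that the provider-side copy really is opaque.
func LeaksPlaintext(r *Record, pii []byte) bool {
	for _, field := range [][]byte{r.Nonce, r.Ciphertext, r.WrapNonce, r.WrappedDEK} {
		if bytes.Contains(field, pii) {
			return true
		}
	}
	return false
}

func main() {
	kek := make([]byte, 32)                        // constructed KEK; in practice held in the customer's KMS or HSM
	pii := []byte("ssn=123-45-6789;name=Jane Doe") // constructed sample PII
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	rec, err := Protect(kek, pii)
	if err != nil {
		panic(err)
	}
	got, _ := Recover(kek, rec)
	_, noKEK := Recover(make([]byte, 32), rec)
	fmt.Printf("stored record leaks PII: %v\ncustomer recovers: %q\nwithout KEK: %v\n",
		LeaksPlaintext(rec, pii), got, noKEK)
}
```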


FIGURE 1 Firms’ Precautions To Protect Data From Cyberattack And Government Intelligence Gathering

Base: 756 non-US technology and business decision-makers whose firms have data resident with an Internet-based third party (percentages do not total 100 because of rounding)

Source: Forrester’s Business Technographics® Global Infrastructure Survey, 2014

“What steps, if any, have you taken to protect your data from governmental observation or intelligence gathering for information that resides with an Internet-based service provider?”

Response options shown in the chart:

› We have negotiated specific security SLAs with our provider(s). We entrust the vendor to effectively protect our sensitive data.

› The vendor fully encrypts all sensitive information in motion using SSL certificates from a certified trust authority. The vendor does not encrypt information at rest.

› We provide technology to the vendor to encrypt all sensitive information both at rest and in motion using highly secure encryption algorithms and technology. The vendor logically and physically protects encryption keys, and the vendor holds the keys.

› We provide technology to the vendor to encrypt all sensitive information both at rest and in motion using highly secure encryption algorithms and technology. We logically and physically protect encryption keys, and the vendor does not hold any keys.

› The vendor provides technology to encrypt all sensitive information at rest and in motion using highly secure encryption algorithms and technology. The vendor logically and physically protects encryption keys, and the vendor holds the keys.

› The vendor provides technology to encrypt all sensitive information both at rest and in motion using highly secure encryption algorithms and technology. We logically and physically protect encryption keys, and the vendor does not hold any keys.

› Other

› None of these


Encryption Works For Everyone — Even Criminals

It is evident that encryption provides benefits to the enterprise and the individual citizen that will continue to drive the adoption of cryptographic technologies to thwart the pain of data breaches. However, like many other technologies, cybercriminals can leverage encryption for their own malicious purposes. They can use it:

› To shield their activity from law enforcement officials. Understandably, governments and law enforcement worry that encryption technology will make their jobs more difficult. Jeh Johnson, US secretary of Homeland Security, said, “Our inability to access encrypted information poses public safety challenges. In fact, encryption is making it harder for your government to find criminal activity and potential terrorist activity.”13 Finding the balance between privacy, protection, and investigation will be an ongoing challenge for advocates of more ubiquitous encryption. S&R pros should expect continued public debate on this topic. Some government officials have called for encryption backdoors, but privacy groups and businesses around the globe have resisted.14

› To encrypt stolen data for exfiltration. Attackers know that most security teams do not inspect their encrypted traffic. Therefore, they have found it to be valuable to encrypt data or tunnel it out through encrypted transport over transport layer security (TLS) or secure file transfer protocol (SFTP) to make the theft of toxic data easier.

› For cryptographic ransomware. The newest cybercriminal trend is to create malware that encrypts storage media and then contacts the victims and makes them pay a ransom via Bitcoin to get the decryption key. This attack is known to bring quick profits. CryptoWall ransomware is estimated to have raked in more than $18 million through such ransom payments, based only on reported incidents; the actual figure may be higher.15

PKI Has Failed To Promote Encryption

So how should S&R pros implement modern encryption? In the past, encryption was synonymous with public key infrastructure (PKI). For many security teams that have a history of trying to implement cryptographic technologies, there are profound negative connotations to the PKI term. For a number of years, the PKI pipe was dormant, but then interest revived as mobile device usage skyrocketed and mobile security concerns increased.

There is, however, a misunderstanding about what PKI really is. When PKI is specified for mobile security purposes, what is typically meant is a recommendation that X.500 certificates should be deployed on the mobile device to enhance device authentication. Therefore, for many security teams, the term PKI equals the X.500 certificate. There is, of course, a relationship between PKI and digital certificates, but they are not the same thing. In fact, one can deploy digital certificates without building a PKI ecosystem at all.


PKI Requirements Are Complex

PKI is a complicated set of sophisticated technologies. It is helpful to look at it in a simplified manner to understand not only the business value that it can bring to security teams but also why it has been so difficult and frustrating to implement. While each piece of a PKI solution is fairly straightforward, the integration and management of the elements together as a system provide the greatest challenge for most organizations. The primary components of a PKI system are as follows (see Figure 2):

› A certificate authority (CA) issues digital certificates. The CA is a highly secure system that generates X.509 certificates for use in various cryptographic systems. While standing up a CA might not be difficult, managing it becomes a significant challenge over time. It is the ongoing care and feeding of the CA that most organizations underestimate. Additionally, any compromise of a CA can be devastating. The 2011 attack on the Dutch CA DigiNotar allowed malicious users to issue fraudulent certificates that forced the Dutch government to take over the company, which eventually went bankrupt.16

› Digital certificates are required for authentication and encryption. Officially called an X.509 certificate, or the “cert” as it is commonly known, a digital certificate contains important information that can be used to validate various types of transactions. A digital certificate is a text file generated by a CA that it issues to authenticate an identity or to seed or establish encryption. A common usage of a digital certificate is to establish secure socket layer/transport layer security (SSL/TLS) connections between websites and browsers. Often, S&R pros use the term SSL certificate synonymously with X.509 certificate. Most firms have allowed these certificates to proliferate unchecked. Additionally, many companies worry about certificate expiration issues. Since it can be disruptive for a certificate to expire at the wrong time, administrators have been known to create certificates with an expiration date 20 to 30 years in the future, thereby ensuring that the cert won’t expire on their watch.

› A registration authority (RA) registers identities. This is a system that registers identities and determines the types of things that the cryptographic system will enable. An RA receives requests for digital certificates and authenticates users who are part of the system. An RA will also be involved in revoking certificates that are no longer valid or necessary or are being used incorrectly. An RA is closely tied to the key management system.

› A key manager (KM) issues or revokes keys based on business requirements. Key management is the heart and soul of PKI. The KM is the interface between the RA, the CA, and the various cryptographic subsystems that will participate with the PKI system. In the ideal system, the KM would integrate with a firm’s directory, such as Active Directory or Lightweight Directory Access Protocol (LDAP), to understand the identities of the firm’s users. The KM would then issue or revoke keys based on the requirements of the business at any specific time.


› Cryptographic subsystems are the systems that you want to encrypt. A cryptographic subsystem is any device, such as a laptop, desktop, or mobile device, that your security team wants to encrypt or authenticate using a PKI solution. Each cryptographic subsystem will need to have access to all of the PKI components. In a traditional PKI model, there is a single CA shared by all crypto systems. In more modern systems, each crypto subsystem has its own CA, RA, and KM, and each system is managed independently of the others.
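An added example (not the report’s) of the inventory check that the certificate discussion above calls for: the Go program below builds a constructed self-signed certificate with a 30-year validity period and runs a small audit that flags over-long lifetimes, self-signed issuers, and certificates that are expired or about to expire. The 398-day threshold is the maximum validity browsers accept for publicly trusted TLS certificates and is used here as an assumed policy value; the host names are placeholders.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// MaxLifetime is an assumed policy limit: 398 days is the longest validity
// browsers accept for publicly trusted TLS certificates. A longer-lived cert is
// not invalid, but it is the "won't expire on my watch" pattern worth reviewing.
const MaxLifetime = 398 * 24 * time.Hour

// Finding codes produced by Audit.
const (
	LifetimeTooLong = "lifetime-too-long"
	SelfSigned      = "self-signed"
	Expired         = "expired"
	ExpiringSoon    = "expires-within-30d"
)

// Audit returns the findings for one parsed certificate as of now.
func Audit(c *x509.Certificate, now time.Time) []string {
	var findings []string
	if c.NotAfter.Sub(c.NotBefore) > MaxLifetime {
		findings = append(findings, LifetimeTooLong)
	}
	// Issuer identical to subject means nobody but the cert itself vouches for it.
	if bytes.Equal(c.RawIssuer, c.RawSubject) {
		findings = append(findings, SelfSigned)
	}
	switch {
	case now.After(c.NotAfter):
		findings = append(findings, Expired)
	case c.NotAfter.Sub(now) < 30*24*time.Hour:
		findings = append(findings, ExpiringSoon)
	}
	return findings
}

// Has reports whether a finding code is present.
func Has(findings []string, code string) bool {
	for _, f := range findings {
		if f == code {
			return true
		}
	}
	return false
}

// NewSelfSignedCert builds a constructed test certificate (not from any real
// deployment) so the audit can be exercised offline.
func NewSelfSignedCert(name string, notBefore time.Time, lifetime time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	now := time.Now()
	cases := []struct {
		name     string
		lifetime time.Duration
	}{
		{"legacy-app.example", 30 * 365 * 24 * time.Hour}, // the "30 years out" anti-pattern
		{"www.example", 90 * 24 * time.Hour},              // a short-lived, routinely rotated cert
	}
	for _, tc := range cases {
		cert, err := NewSelfSignedCert(tc.name, now.Add(-24*time.Hour), tc.lifetime)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-20s notAfter=%s findings=%v\n", tc.name, cert.NotAfter.Format("2006-01-02"), Audit(cert, now))
	}
}
```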

FIGURE 2 Public Key Infrastructure Simplified

(Diagram: a single CA, RA, and KM, with the KM integrated with LDAP, issue X.509 certificates to every cryptographic subsystem: email, database encryption, laptop, SAN, file, and mobile.)

S&R Pros Have Opted For Individual Encryption Solutions Instead Of PKI

In the early days of encryption, when PKI first emerged, it was thought that all of the individual cryptographic subsystems in an organization would be under the control of a single PKI system. This proved to be unwieldy and expensive. Over time, security teams chose to deploy standalone cryptographic solutions based on prioritized needs. In this way, a security team could choose to deploy email encryption first, followed by laptop encryption and then file server encryption. The team could do all of it in stages without deploying a traditional PKI (see Figure 3).

Standalone encryption solutions were wildly successful. By 2015, the firms of 54% of global client security decision-makers had deployed full disk encryption, 54% had deployed file-level encryption, 54% had deployed database encryption, and 58% had implemented email encryption (see Figure 4).



FIGURE 3 S&R Pros Have Opted For Standalone Encryption Solutions

(Diagram: each cryptographic subsystem, namely email, database encryption, laptop, SAN, file, and mobile, carries its own KM and CA and its own X.509 certificates, with no shared PKI.)


To Succeed, S&R Pros Need Advanced, Centralized Key Management

As various cryptographic subsystems became more widely deployed, managing these systems efficiently became increasingly difficult. Security teams began to look for centralized or enterprise key management (EKM) in an effort to consolidate management consoles and provide the ever-elusive single pane of glass. While our data shows that the firms of 53% of client security decision-makers have implemented or are expanding their EKM technologies, it appears that the majority of EKM deployments focus on managing web certificates (see Figure 5).

Currently, it is exceedingly difficult for one vendor to manage another vendor’s keys. For a number of years, there have been efforts to standardize key management protocols so that S&R pros could achieve much-needed interoperability. The most notable effort has come from OASIS through its proposed Key Management Interoperability Protocol (KMIP) standard.17 Although most cryptographic vendors at least tacitly support KMIP, they acknowledge that key management is exceedingly difficult and nearly impossible to standardize.

FIGURE 4 Encryption Adoption Is Strong

“What are your firm’s plans to adopt the following data security and information risk management technologies?”

Source: Forrester’s Global Business Technographics® Security Survey, 2015

Base: 1,093 global client security decision-makers in firms with 20 or more employees (percentages may not total 100 because of rounding)

Columns (left to right): Not interested | Interested, but no immediate plans (within the next 12 months) | Planning to implement in the next 12 months | Implementing/implemented | Expanding/upgrading implementation | Don’t know

File-level encryption: 11% | 12% | 17% | 38% | 16% | 6%

Full disk encryption: 9% | 11% | 20% | 39% | 15% | 5%

Database encryption and data obscurity (e.g., Oracle, Protegrity, Vormetric, RSA, Liaison): 10% | 11% | 20% | 39% | 15% | 6%

Email encryption (e.g., Cisco, ProofPoint, McAfee, TrustWave, Voltage, WatchGuard): 9% | 11% | 18% | 41% | 17% | 5%


Don’t Worry About Adopting Key Management Standards

Standards, however, may not be the future of interoperability. The KMIP standard was started during an era where standardization was the only way for disparate systems to communicate and interoperate. However, standards are problematic today. In a high-speed agile world, it takes too long for standards to be created. There are also significant compromises between various parties that are necessary to bring a standard to life. While some standards may be necessary in the future, traditional technical standards will wane because:

› Many standards will be outdated before industry bodies can even release them. Given the rate of change in technology today, standards lag. For example, prestandard Wi-Fi devices commonly come to market long before new Wi-Fi standards are finalized.

› Vendors want freedom to disrupt and innovate. Standards often inhibit innovation. If a company comes up with an idea that is profoundly innovative, it may not be able to bring that idea to the market easily because the innovations fall outside of the standards.

› Legacy vendors dominate standards bodies. The standards bodies are typically stacked with participants from older, established companies. However, new ideas are coming from smaller companies, such as Ionic Security, HP/Voltage Security, Protegrity, and Vormetric, which aren’t constrained by size or traditions. These disruptors will not wait for standardization but will bring new technologies to market increasingly quickly, thereby forcing traditional vendors to play catch-up.

FIGURE 5 Enterprise Key Management Adoption

“What are your firm’s plans to adopt the following data security and information risk management technologies?”

Source: Forrester’s Global Business Technographics® Security Survey, 2015

Base: 1,093 global client security decision-makers in firms with 20 or more employees

Columns (left to right): Not interested | Interested, but no immediate plans (within the next 12 months) | Planning to implement in the next 12 months | Implementing/implemented | Expanding/upgrading implementation | Don’t know

Enterprise key management (e.g., Thales, RSA, Symantec, Venafi): 11% | 11% | 19% | 37% | 16% | 6%


Focus On The Value Of APIs

The dominance of standalone cryptographic subsystems such as database encryption, storage area network (SAN) encryption, or laptop encryption means that no individual vendor will ever provide a unified cryptographic system based on PKI. We live in a growing API economy. The rise of product APIs as a way to interface between different software tools will be a tremendous advancement for the world of encryption. Forrester defines product APIs as “APIs designed to directly control a product (whether it is a physical product, digital product, or service) or facilitate its integration into an ecosystem of related products” (see Figure 6).18 In the future, we anticipate that encryption vendors will have product APIs that will allow deep interaction between cryptographic subsystems. There are many ways that this will happen, including:

› System-to-system communication. A laptop encryption program could talk to an email encryption program and tell it that a particular data string or document should be encrypted before it is emailed to a third party.

› Manager-to-system communication. Another likely outcome of API adoption will be advancements in EKM. An EKM solution will use its API to talk to the APIs of other cryptographic subsystems, thereby reducing the number of management consoles used within each organization.

› Crypto-system-to-third-party communication. APIs will also allow crypto systems’ bidirectional communication with other software such as data classification tools so that toxic data can be more easily tagged and those tags can be analyzed and updated as needed. This will bring us ever closer to data identity — attaching persistent metadata that describes the attributes of the data to the data string — which will greatly increase our ability to track data usage and prevent the exfiltration of toxic data into the hands of malicious actors.19


FIGURE 6 Forrester Has Identified Four Major Categories Of APIs

[Figure 6: a diagram of the four API categories (open web APIs, B2B APIs, internal APIs, and product APIs) and who uses each. Open web APIs serve self-selected users: tech-savvy consumers, website developers, digital disruptors, and value-add innovators. B2B APIs serve enterprise-selected users: enterprise customers, suppliers, and distribution partners. Internal APIs connect your enterprise’s digital experiences (e.g., mobile, Web) with its enterprise applications (custom, off-the-shelf, cloud, on-premises). Product APIs support product integration use, connecting your products (e.g., software, services, physical products) to a product ecosystem of enterprise customers and tech-savvy consumers. Tech-neophyte consumers are non-API users.]

PKI Will Be Inverted, And Key Management Will Be The Center Of Cryptography

An API’s ability to communicate between encryption tools will invert the old PKI model. Instead of having the certificate authority as the center of cryptographic truth, the management consoles and the APIs will become the centerpiece for this new era of encryption. Not only will encryption be easier to manage, but also inverting the PKI model will make encryption much more transparent to end users so that they will no longer push back against cryptographic controls. Inverting PKI is the idea that each standalone cryptographic subsystem will use its own CA, RA, and internal KM to function, but the internal KM will use a product API to talk to an enterprise KM. Key management then becomes the center of the cryptographic universe (see Figure 7). Better key management will make encryption easier and mistakes less frequent and will reduce the ability of attackers to bypass the encryption.
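The manager-to-system API and the inverted-PKI idea above can be made concrete in a few dozen lines. What follows is an added example, not the report’s code or any vendor’s product API; the EnterpriseKeyManager class, the subsystem name db-enc, the purpose strings, and the versioned blob layout are all hypothetical. It keeps one root secret inside the enterprise KM, derives a separate key per subsystem and key version, exposes provisioning, renewal (the previous version becomes decrypt-only so existing data stays readable), and revocation through one API, and writes one audit log for every subsystem, which is the console consolidation the text anticipates. Because it must run with only the standard library, it encrypts with an HMAC-SHA256 keystream plus tag rather than AES-GCM, and the API call is unauthenticated; a real deployment would bind each subsystem to its identity (for example, mutual TLS) before honoring a key request.

```python
"""Added illustration (not the report's or any vendor's code; names hypothetical): an
enterprise key manager (EKM) governing standalone crypto subsystems through a small
product API. Real deployments use AES-GCM; HMAC-SHA256 here keeps it stdlib-only."""
import hashlib
import hmac
import secrets


def _prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || 16-byte tag ("ks"/"mac" separate the uses)."""
    nonce = secrets.token_bytes(12)
    blocks = range(len(plaintext) // 32 + 1)
    stream = b"".join(_prf(key, b"ks" + nonce + i.to_bytes(4, "big")) for i in blocks)
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    return nonce + ct + _prf(key, b"mac" + nonce + ct)[:16]


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:12], blob[12:-16], blob[-16:]
    if not hmac.compare_digest(tag, _prf(key, b"mac" + nonce + ct)[:16]):
        raise ValueError("authentication failed")
    blocks = range(len(ct) // 32 + 1)
    stream = b"".join(_prf(key, b"ks" + nonce + i.to_bytes(4, "big")) for i in blocks)
    return bytes(c ^ k for c, k in zip(ct, stream))


class EnterpriseKeyManager:
    """Central KM: a root secret that never leaves it, one derived key per (subsystem,
    version), and a state table enforcing active -> retired (decrypt only) -> revoked."""
    ALLOWED = {"encrypt": {"active"}, "decrypt": {"active", "retired"}}

    def __init__(self) -> None:
        self._root = secrets.token_bytes(32)
        self._state: dict[tuple[str, int], str] = {}
        self._current: dict[str, int] = {}
        self.audit: list[str] = []            # one log across all subsystems

    def provision(self, subsystem: str) -> int:
        self._current[subsystem], self._state[(subsystem, 1)] = 1, "active"
        self.audit.append(f"provision {subsystem} v1")
        return 1

    def renew(self, subsystem: str) -> int:
        old = self._current[subsystem]
        self._state[(subsystem, old)] = "retired"        # old data stays readable
        self._state[(subsystem, old + 1)] = "active"
        self._current[subsystem] = old + 1
        self.audit.append(f"renew {subsystem} v{old}->v{old + 1}")
        return old + 1

    def revoke(self, subsystem: str, version: int) -> None:
        self._state[(subsystem, version)] = "revoked"
        self.audit.append(f"revoke {subsystem} v{version}")

    def current_version(self, subsystem: str) -> int:
        return self._current[subsystem]

    def get_key(self, subsystem: str, version: int, purpose: str) -> bytes:
        """The API call a subsystem's local KM makes; denied calls are logged too."""
        state = self._state.get((subsystem, version), "unknown")
        if state not in self.ALLOWED[purpose]:
            self.audit.append(f"DENY {purpose} {subsystem} v{version} ({state})")
            raise PermissionError(f"{subsystem} v{version} is {state}")
        self.audit.append(f"issue {purpose} {subsystem} v{version}")
        # HMAC-SHA256 as a one-block KDF: a distinct key per subsystem and version.
        return _prf(self._root, f"{subsystem}|v{version}".encode())


class CryptoSubsystem:
    """A standalone subsystem (database, laptop, SAN, ...): its local KM is only a
    client of the EKM API, and the key version travels with every blob."""

    def __init__(self, name: str, ekm: EnterpriseKeyManager) -> None:
        self.name, self.ekm = name, ekm

    def encrypt(self, plaintext: bytes) -> bytes:
        v = self.ekm.current_version(self.name)
        return v.to_bytes(2, "big") + seal(self.ekm.get_key(self.name, v, "encrypt"), plaintext)

    def decrypt(self, blob: bytes) -> bytes:
        v = int.from_bytes(blob[:2], "big")
        return unseal(self.ekm.get_key(self.name, v, "decrypt"), blob[2:])


def demo() -> dict:
    ekm = EnterpriseKeyManager()
    ekm.provision("db-enc")
    db = CryptoSubsystem("db-enc", ekm)
    old_blob = db.encrypt(b"cardholder row 1")      # written under v1
    ekm.renew("db-enc")                              # v1 retired, v2 active
    new_blob = db.encrypt(b"cardholder row 2")      # written under v2
    old_readable = db.decrypt(old_blob) == b"cardholder row 1"
    ekm.revoke("db-enc", 1)
    try:
        db.decrypt(old_blob)
        old_denied = False
    except PermissionError:
        old_denied = True
    return {"old_readable_after_renew": old_readable, "old_denied_after_revoke": old_denied,
            "new_readable": db.decrypt(new_blob) == b"cardholder row 2", "audit": ekm.audit}
```

Running demo() exercises the property worth checking when evaluating a key manager: after renewal, data written under the retired version still decrypts, while after revocation the same request is denied and the denial appears in the central audit log.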


FIGURE 7 Inverting Public Key Infrastructure

[Figure 7: six standalone cryptographic subsystems (email, database encryption, laptop, SAN, file, and mobile), each with its own CA, X.509 certificates, and local KM; every local KM connects outward to a single enterprise KM, backed by LDAP, that sits at the center.]


Recent Advancements Will Further Reduce Crypto Fears And Increase Adoption

Crypto fear is the unwillingness to use encryption because of the fear that bad things will happen as a result of the cryptography. These fears include losing data because it can’t be decrypted, suffering a performance impact from encryption, and having systems that will no longer function because the data has been encrypted. Security teams that have had negative experiences with cryptographic tools in the past should recognize that many innovations have entered the space in recent years that will make encryption much more transparent and easier to use. These advancements include:

› Format-preserving encryption (FPE). This mode of encryption ensures that the encrypted value of the data remains the same character length as the original data, so that technology management pros don’t have to change applications to accept an encrypted data string, and it preserves the processing of application functions.20 It’s become an important encryption capability for vendor solutions that encrypt data between an enterprise and its software-as-a-service applications.21 FPE data can be decrypted to reveal the plain text if the correct key material is presented.

› Tokenization. Tokenization is the process of substituting a randomly generated value (the token) for sensitive data, such as credit card numbers, bank account numbers, social security numbers, etc. After tokenization, the mapping of the token to its original data is stored in a hardened database. Unlike encryption, there is no mathematical relationship between the token and its original data. Tokenization is used extensively in enterprises that need to process credit card payments (e.g., merchants, third-party payment processors). A one-way function creates a token that represents a plain text value. Tokens cannot be decrypted. They are often used to obfuscate credit card numbers or social security numbers.

› Homomorphic encryption. This is a proposed type of encryption that will allow searches against encrypted data without decrypting the cipher text. IBM researcher Craig Gentry created the first fully homomorphic encryption scheme in 2009 and has since continued to improve on his initial method to reduce the computing time required.22 Currently, the system runs too slowly for practical uses; we are looking at another five years or so before homomorphic encryption comes to market.23

› Hardware-encrypted drives. Newer hard drives can encrypt data in the drive hardware, thereby speeding up the performance of cryptographic functions. This addresses a common objection that encryption slows systems down. While hardware-encrypted hard drives have been available for a number of years, especially in storage systems, they’ve yet to find their way into mainstream client computing platforms such as laptops and tablets. With companies like Samsung and Intel now offering hardware-encrypting solid state drives (SSDs), workforce computing will see much-improved cryptographic performance.

› Chip-enabled encryption. Chip vendors such as Intel and Oracle Sparc are releasing a new generation of computer chips that perform encryption at the central processing unit itself. Expect major enhancements in cryptographic performance when these chips hit the market.
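To make the difference between format-preserving encryption and tokenization tangible, here is an added example (not the report’s code, and not the FFX specification it cites): a ten-round Feistel cipher over digit strings, in the FFX shape but simplified and not FF1/FF3-1 as standardized, beside a tokenization vault. The key, tweak, vault lookup key, and the test card number 4111111111111111 are constructed for the example. The FPE output has the same length and character set as the input and reverses with the key; the token has the same format too, but only the vault table maps it back, which is why the text says tokens cannot be decrypted.

```python
"""Added example (not the report's code or any vendor's implementation): a
format-preserving cipher over digit strings next to a tokenization vault. The
Feistel cipher follows the FFX shape but is a simplified illustration, not the
standardized FF1/FF3-1 modes."""
import hashlib
import hmac
import secrets

ROUNDS = 10


def _round(key: bytes, tweak: bytes, i: int, half: str, m: int) -> int:
    """Round function: HMAC-SHA256(key, tweak || i || half) reduced mod 10**m."""
    mac = hmac.new(key, tweak + bytes([i]) + half.encode(), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % 10 ** m


def fpe_encrypt(key: bytes, tweak: bytes, digits: str) -> str:
    """Digits in, the same number of digits out; reversible with the key."""
    assert digits.isdigit() and len(digits) >= 2
    u = len(digits) // 2
    v = len(digits) - u
    a, b = digits[:u], digits[u:]
    for i in range(ROUNDS):
        m = u if i % 2 == 0 else v               # alternate half sizes for odd lengths
        c = (int(a) + _round(key, tweak, i, b, m)) % 10 ** m
        a, b = b, str(c).zfill(m)
    return a + b


def fpe_decrypt(key: bytes, tweak: bytes, digits: str) -> str:
    u = len(digits) // 2
    v = len(digits) - u
    a, b = digits[:u], digits[u:]
    for i in reversed(range(ROUNDS)):
        m = u if i % 2 == 0 else v
        c = (int(b) - _round(key, tweak, i, a, m)) % 10 ** m
        a, b = str(c).zfill(m), a
    return a + b


class TokenVault:
    """Random digit tokens with the value's length; the only way back is the vault
    table. Lookups key on an HMAC fingerprint of the value so the index is not a
    second plaintext copy (the lookup key is a constructed placeholder)."""

    def __init__(self, lookup_key: bytes) -> None:
        self._lookup_key = lookup_key
        self._token_to_value: dict[str, str] = {}
        self._fingerprint_to_token: dict[bytes, str] = {}

    def tokenize(self, value: str) -> str:
        fp = hmac.new(self._lookup_key, value.encode(), hashlib.sha256).digest()
        if fp in self._fingerprint_to_token:          # stable token per value
            return self._fingerprint_to_token[fp]
        while True:
            token = "".join(secrets.choice("0123456789") for _ in value)
            if token not in self._token_to_value:
                break
        self._token_to_value[token] = value
        self._fingerprint_to_token[fp] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._token_to_value[token]            # KeyError for an unknown token


def demo() -> dict:
    key, tweak = secrets.token_bytes(32), b"card-column"   # constructed for the example
    pan = "4111111111111111"                               # well-known test card number
    ct = fpe_encrypt(key, tweak, pan)
    vault = TokenVault(secrets.token_bytes(32))
    token = vault.tokenize(pan)
    return {"fpe_ciphertext": ct, "fpe_roundtrip": fpe_decrypt(key, tweak, ct) == pan,
            "fpe_other_key_fails": fpe_decrypt(secrets.token_bytes(32), tweak, ct) != pan,
            "token": token, "token_stable": vault.tokenize(pan) == token,
            "detokenized": vault.detokenize(token) == pan}
```

The vault’s token-to-value table is still the asset that must be hardened, exactly as the text notes; indexing by HMAC fingerprint only keeps the lookup side from doubling as a plaintext index.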


Recommendations

Embrace The Encrypted Future

Welcome to the new era of encryption. The benefits of encrypting data, from protecting customer privacy to reducing the cost and impact of a breach, far outweigh any potential operational negatives for most security teams. Encrypting sensitive data — from customers’ and employees’ PII to intellectual property and other types of regulated data — is a necessity for most digital businesses. However, encryption requires planning, and it requires some rethinking. S&R pros: We recommend that you:

› Find your sensitive data. You can’t protect the invisible. If you don’t know what you have, where it is, and why you have it, you can’t expect to apply the appropriate encryption policies and controls to protect it. Therefore, it is important that you discover, inventory, and then classify your most sensitive information as you plan your enterprise encryption strategy. Security teams at large enterprises always feel that this is a daunting task, but you don’t have to try to discover and classify data across the firm all at once. Start by region, business unit, critical system, etc., but start and continue methodically.24

› Bring your own EKM. Data protection is too important to leave to others. Control your own cryptographic keys so that you have control over how anyone, from your own employees to your third-party partners, uses your sensitive data. Also, by controlling your own encryption keys, you have much greater confidence that cybercriminals and malicious or unwitting employees or partner employees have not compromised or intercepted any data. It can also help your firm feel more comfortable storing data out of your region. Any foreign government would have to compel you to turn over your encryption keys to access your customers’ and employees’ PII.25

› Focus on key management capabilities. Keys unlock encrypted data. Remember that cryptographic algorithms don’t get broken; they get bypassed. Focus on the key management and use cryptographically vetted algorithms to give your encryption project the best chance of success. When evaluating key management solutions, look for ones that can centralize disparate encryption key life-cycle processes such as provisioning, storage, renewal, and revocation across crypto subsystems.
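As an added example for the first recommendation (not the report’s code), the following discovery pass scans constructed sample records for three data types and builds the per-location inventory the text describes. The sample records, paths, and values are made up for the example, and the patterns cover only card numbers, US social security numbers, and email addresses; a real inventory would extend them. The Luhn check matters because a 16-digit order number otherwise looks like a card number and fills the inventory with false positives.

```python
"""Added example (not the report's code): a small sensitive-data discovery pass that
classifies constructed records and builds a location-level inventory."""
import re

# Constructed (location, content) pairs standing in for files, tables, or exports.
SAMPLE_RECORDS = [
    ("crm/export.csv", "Jane Doe, jane.doe@example.com, card 4111 1111 1111 1111"),
    ("hr/payroll.txt", "Employee 42, SSN 123-45-6789, salary band C"),
    ("erp/orders.log", "order 1234567890123456 shipped"),   # 16 digits, not a card
    ("wiki/lunch.md", "Lunch at noon; nothing sensitive here"),
]

CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")

# Classification level per data type; this is what selects the encryption policy.
LEVELS = {"PAN": "restricted", "SSN": "restricted", "EMAIL": "confidential"}


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test; rejects most 13-19 digit numbers that are not cards."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:                      # double every second digit from the right
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0


def classify(text: str) -> dict[str, int]:
    """Count the sensitive data types present in one record."""
    found: dict[str, int] = {}
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found["PAN"] = found.get("PAN", 0) + 1
    if (n := len(SSN_RE.findall(text))):
        found["SSN"] = n
    if (n := len(EMAIL_RE.findall(text))):
        found["EMAIL"] = n
    return found


def inventory(records) -> dict[str, dict]:
    """Map each location that holds sensitive data to what it holds and its level."""
    result: dict[str, dict] = {}
    for location, text in records:
        found = classify(text)
        if found:
            restricted = any(LEVELS[t] == "restricted" for t in found)
            result[location] = {"types": found, "level": "restricted" if restricted else "confidential"}
    return result
```

Calling inventory(SAMPLE_RECORDS) flags the CRM export as restricted (card number plus email) and payroll as restricted (SSN), while the order log, whose 16-digit number fails the Luhn check, and the lunch note do not appear at all.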


What It Means

Encryption Is The Technological Keystone Of Privacy

Encryption is the technological keystone of privacy. However, it has always been controversial. There is palpable tension between governments, businesses, privacy advocates, and individuals today. Forrester predicts that:

› Government agencies will demand more control over the use of encryption. Cryptographic pioneer Philip Zimmermann, the inventor of Pretty Good Privacy (PGP), once printed a T-shirt with the RSA cryptographic algorithm on it to demonstrate the futility of governmental control over encryption technologies.26 Recently, Admiral Michael S. Rogers of the NSA created a firestorm among cryptographers and security watchers when he commented about wanting governmental access into cryptographic systems: “I don’t want a back door. I want a front door. And I want the front door to have multiple locks. Big locks.”27 However, according to Adi Shamir, the “S” in the RSA algorithm, “There is no difference between front [doors] and backdoors.”28

› Business leaders, privacy advocates, and customers will fight back. Apple’s CEO Tim Cook waded into the fray recently when he said: “There’s another attack on our civil liberties that we see heating up every day — it’s the battle over encryption. Some in Washington are hoping to undermine the ability of ordinary citizens to encrypt their data. We think this is incredibly dangerous. We’ve been offering encryption tools in our products for years, and we’re going to stay on that path. We think it’s a critical feature for our customers who want to keep their data secure.”29

› Security leaders will err on the side of privacy. There is a long-term need to encrypt more and more data to protect it from cybercriminals, malicious insiders, and even the intentional and unintentional abuses of customer privacy by business owners and employees. As businesses extend to the cloud, outfit retail locations with mobile point-of-sale (mPOS) solutions, and digitize their physical environments with Internet-of-Things (IoT) components like sensors, security teams cannot provide security without a healthy dose of encryption. The tension between various stakeholders in the crypto wars will continue as technologies and policies advance. S&R pros should expect conflict and compromise throughout the foreseeable future between these stakeholders. Regardless of how it all plays out, S&R pros will stay on the side of privacy and encrypt as much as they can.


Supplemental Material

Survey Methodology

Forrester conducted an online survey fielded in April through June 2015 of 3,543 business and technology decision-makers located in Australia, Brazil, Canada, China, France, Germany, India, New Zealand, the UK, and the US from companies with two or more employees.

Forrester’s Business Technographics provides demand-side insight into the priorities, investments, and customer journeys of business and technology decision-makers and the workforce across the globe. Forrester collects data insights from qualified respondents in 10 countries spanning the Americas, Europe, and Asia. Business Technographics uses only superior data sources and advanced data-cleaning techniques to ensure the highest data quality.

Engage With An Analyst

Gain greater confidence in your decisions by working with Forrester thought leaders to apply our research to your specific business and technology initiatives.

Analyst Inquiry

Ask a question related to our research; a Forrester analyst will help you put it into practice and take the next step. Schedule a 30-minute phone session with the analyst or opt for a response via email.

Learn more about inquiry, including tips for getting the most out of your discussion.

Analyst Advisory

Put research into practice with in-depth analysis of your specific business and technology challenges. Engagements include custom advisory calls, strategy days, workshops, speeches, and webinars.

Learn about interactive advisory sessions and how we can support your initiatives.


Endnotes

1 Source: Jonah Goldberg, “Why are we ignoring a cyber Pearl Harbor?” Los Angeles Times, June 16, 2015 (http://www.latimes.com/opinion/op-ed/la-oe-0616-goldberg-china-cyber-hack-20150616-column.html).

2 Encryption covers a multitude of sins. You can make mistakes in other areas of your security program, but encrypted data is an important type of data loss prevention. Encrypted data, in the absence of its keying material, is not data at all but just an unintelligible jumble of zeros and ones that are not typically subject to data breach laws. See the “Quick Take: 12 Lessons For Security & Risk Pros From The US OPM Breach” Forrester report.

3 Source: Aaron Boyd, “OPM breach a failure on encryption, detection,” Federal Times, June 22, 2015 (http://www.federaltimes.com/story/government/omr/opm-cyber-report/2015/06/19/opm-breach-encryption/28985237/).

4 Source: Sean Gallagher, “Encryption ‘would not have helped’ at OPM, says DHS official,” Ars Technica, June 17, 2015 (http://arstechnica.com/security/2015/06/encryption-would-not-have-helped-at-opm-says-dhs-official/).

5 Source: M.E. Kabay, “RSA founders give perspective on cryptography,” Network World, May 4, 2004 (http://www.networkworld.com/article/2332568/security/rsa-founders-give-perspective-on-cryptography.html).

6 As cybercriminals have become more skillful and sophisticated, they have eroded the effectiveness of our traditional perimeter-based security controls. The constantly mutating threat landscape requires new defensive measures, one of which is the pervasive use of data encryption technologies. In the future, you will encrypt data — both in motion and at rest — by default. This data-centric approach to security is a much more effective way to keep up with determined cybercriminals. By encrypting, and thereby devaluing, your sensitive data, you can make cybercriminals bypass your networks and look for less robustly protected targets. Encryption will become a strategic cornerstone for S&R executives responsible for their organization’s data security and privacy efforts. For more information, see the “Kill Your Data To Protect It From Cybercriminals” Forrester report.

7 Source: “Edward Snowden: NSA whistleblower answers reader questions,” The Guardian, October 3, 2014 (http://www.theguardian.com/world/2013/jun/17/edward-snowden-nsa-files-whistleblower).

8 Since Edward Snowden revealed the US NSA’s PRISM spying program, there has been widespread speculation that the announcement would ruin the fates of US cloud, hosting, and outsourcing businesses as international customers walked away from any firm within the agency’s reach. In this first survey of these customers about the effects of PRISM, the data suggests such concerns were overblown. And in fact, our earlier contention that enterprises would stick with their US partners but take a stronger position in managing their own security appears to have been proven out. For more information, see the “PRISM’s Impact On The US Cloud Industry” Forrester report.

9 For example, we have seen movement toward “bring your own encryption” with file sharing service providers like Box offering customer-managed encryption keys to give enterprises greater control over their own data. See the “Quick Take: Use ‘Customer-Managed Keys’ To Regain Control Of Your Data” Forrester report.

10 The term “bring your own encryption” was coined by former Forrester analyst James Staten in 2013 in his blog post. Source: James Staten, “The Cost of PRISM Will Be Larger Than ITIF Projects,” James Staten’s Blog, August 14, 2013 (http://blogs.forrester.com/james_staten/13-08-14-the_cost_of_prism_will_be_larger_than_itif_projects).

11 Data is the lifeblood of today’s digital businesses, and protecting it from theft, misuse, and abuse is the No. 1 responsibility of every S&R leader. Hacked customer data can erase millions in profits within weeks, stolen intellectual property can erase competitive advantage in less than a year, and unnecessary privacy abuses can bring unwanted scrutiny and fines from regulators while inflicting reputational damage that can last months and even years. Achieving a certain level of data security and protecting customer privacy is no easy feat. Almost every enterprise, from an online retailer to a hospital or a government agency, rarely works in isolation and can rarely confine data within the four walls of the organization. The walls don’t exist. They must work in a complex ecosystem of powerful customers who are increasingly concerned about their privacy, digitally native employees, and potentially hundreds of demanding partners and suppliers — all perpetually connected by new systems of engagement and cloud services. For more information, see the “The Future Of Data Security And Privacy: Growth And Competitive Differentiation” Forrester report.


12 As a consequence of increasing global commerce, S&R professionals face the complexity of navigating data privacy regulations from around the world. Forrester clients frequently ask about European Union (EU) privacy regulations. While data protection requirements in the US are commonly industry-centric, those in the EU focus more broadly on the individual’s right to privacy regardless of industry. This leads to a number of differences in how firms handle employees’ and customers’ data in the EU as opposed to the US, especially when transferring data between countries with varying regulatory standards. For more information, see the “Q&A: EU Privacy Regulations” Forrester report.

13 Source: “Remarks by Secretary of Homeland Security Jeh Johnson at the RSA Conference 2015,” Department of Homeland Security, April 21, 2015 (https://www.dhs.gov/news/2015/04/21/remarks-secretary-homeland-security-jeh-johnson-rsa-conference-2015).

14 Source: Rob Price, “Here’s Why Britain’s Proposed Encryption Ban Is Totally Unworkable,” January 13, 2015 (http://www.businessinsider.com/britains-proposed-encryption-ban-is-totally-unworkable-2015-1).

15 Source: Sean Gallagher, “FBI says crypto ransomware has raked in >$18 million for cybercriminals,” Ars Technica, June 25, 2015 (http://arstechnica.com/security/2015/06/fbi-says-crypto-ransomware-has-raked-in-18-million-for-cybercriminals).

16 For detailed information on the DigiNotar attack, check out the following. Source: Dennis Fisher, “Final Report on DigiNotar Hack Shows Total Compromise of CA Servers,” Threat Post, October 31, 2012 (https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170).

17 Source: “OASIS Key Management Interoperability Protocol (KMIP) TC,” OASIS (https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip).

18 There’s a dark horse in the race to customer innovation through APIs. Through APIs, banks, healthcare firms, telcos, retailers, logistics firms, and many others are joining the likes of Facebook, Twitter, and Google in creating an API economy. Although industry discussion centers heavily on open web APIs, others like B2B APIs and internal APIs are just as important. But there’s little industry discussion about a fourth and quite valuable category: product APIs. To learn more, see the “Brief: Product APIs Create Distinct Customer Value And Opportunity” Forrester report.

19 In today’s evolving data economy, data identity is the missing link that S&R leaders must define in order to create actionable data security and control policy. We designed this report to help S&R leaders develop effective policies using our Data Security And Control Framework as a guideline. See the “Know Your Data To Create Actionable Policy” Forrester report.

20 Source: Mihir Bellare, Phillip Rogaway, and Terrance Spies, “The FFX Mode of Operation for Format-Preserving Encryption,” February 20, 2010 (http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/ffx/ffx-spec.pdf).

21 Source: Mihir Bellare, Phillip Rogaway, and Terrance Spies, “The FFX Mode of Operation for Format-Preserving Encryption,” February 20, 2010 (http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/ffx/ffx-spec.pdf).

22 Source: Andy Greenberg, “Hacker Lexicon: What Is Homomorphic Encryption,” Wired, November 3, 2014 (http://www.wired.com/2014/11/hacker-lexicon-homomorphic-encryption/).

23 Source: Erica Naone, “10 Breakthrough Technologies 2011,” MIT Technology Review, May/June 2011 (http://www2.technologyreview.com/article/423683/homomorphic-encryption/).


24 Defining data via data discovery and classification is an often overlooked, yet critical, component of data security and control. S&R pros can’t expect to adequately protect data if they don’t have knowledge about what data exists, where it resides, its value to the organization, and who can use it. Data classification also helps to create data identity (data ID), the missing link for creating actionable data security and control policies. But S&R pros who attempt to lead efforts to classify data are thwarted by their own efforts with overly complex classification schemes and haphazard approaches. As a result, many see data discovery and classification as a Sisyphean task. For more information, see the “Rethinking Data Discovery And Data Classification” Forrester report.

25 For more information on cloud encryption solutions that support enterprise control of key management, see the “Market Overview: Cloud Data Protection Solutions” Forrester report.

26 Source: Jean-François Blanchette, Burdens of Proof: Cryptographic Culture and Evidence Law in the Age of Electronic Documents, The MIT Press, 2012.

27 Source: Ellen Nakashima and Barton Gellman, “As encryption spreads, U.S. grapples with clash between privacy, security,” The Washington Post, April 10, 2015 (http://www.washingtonpost.com/world/national-security/as-encryption-spreads-us-worries-about-access-to-data-for-investigations/2015/04/10/7c1c7518-d401-11e4-a62f-ee745911a4ff_story.html).

28 Source: Sean Michael Kerner, “Cryptographer Panel Slams Government Key Escrow Idea,” eSecurity Planet, April 21, 2015 (http://www.esecurityplanet.com/network-security/cryptographer-panel-slams-government-key-escrow-idea.html).

29 Source: Matthew Panzarino, “Apple’s Tim Cook Delivers Blistering Speech On Encryption, Privacy,” Tech Crunch, June 2, 2015 (http://techcrunch.com/2015/06/02/apples-tim-cook-delivers-blistering-speech-on-encryption-privacy/#.jiej3i:QkRn).


We work with business and technology leaders to develop customer-obsessed strategies that drive growth.

Products And Services

› Core research and tools › Data and analytics › Peer collaboration › Analyst engagement › Consulting › Events

Forrester Research (Nasdaq: FORR) is one of the most influential research and advisory firms in the world. We work with business and technology leaders to develop customer-obsessed strategies that drive growth. Through proprietary research, data, custom consulting, exclusive executive peer groups, and events, the Forrester experience is about a singular and powerful purpose: to challenge the thinking of our clients to help them lead change in their organizations. For more information, visit forrester.com.

Client Support

For information on hard-copy or electronic reprints, please contact client support at +1 866-367-7378, +1 617-613-5730, or [email protected]. We offer quantity discounts and special pricing for academic and nonprofit institutions.

Forrester’s research and insights are tailored to your role and critical business initiatives.

Roles We Serve

Marketing & Strategy Professionals: CMO; B2B Marketing; B2C Marketing; Customer Experience; Customer Insights; eBusiness & Channel Strategy

Technology Management Professionals: CIO; Application Development & Delivery; Enterprise Architecture; Infrastructure & Operations; › Security & Risk; Sourcing & Vendor Management

Technology Industry Professionals: Analyst Relations

112564