What should define an enterprise encryption strategy?

Businesses across industries, big and small, will be reflecting on some of the changes and challenges heading their way, in a world marked by widespread cloud deployments, use of multiple public cloud providers and new regulations, such as the EU General Data Protection Regulation (GDPR).

This shifting environment has seen the largest year-on-year growth in encryption in the cloud, with organisations now using up to four or more public cloud providers.

Ahead of the more stringent data protection laws, this growth is not unexpected as organisations and the boards running them fear the financial and reputational damage caused by failure to comply.


Indeed, this year security researchers warned users of tech giant Amazon’s cloud data storage service that their private content may have been made public. In a matter of days, hackers had also successfully infiltrated Tesla’s cloud environment, stealing computer resources to mine for cryptocurrency.

Competent enterprise encryption strategies are crucial for any organisation, especially those adopting the cloud into their operations.

Encryption priority

According to research released today by Thales eSecurity, the cyber security firm, 43% of respondents reported that their organisation has an encryption strategy applied consistently across their enterprise.

This strategy is leveraged to protect sensitive data against cyber criminals, help organisations address complex compliance requirements and guard against human error.

Encryption, which is achieved with software or hardware tools such as hardware security modules (HSMs), is often coupled with best practice-based key management.


Encryption is also playing an increasingly large role in protecting the large number of organisations now deploying to the cloud.

“Companies navigating today’s threat landscape are understandably seeking out fast, scalable encryption tools that encompass enterprise and cloud use cases, and enforce policy consistently across both models,” said John Grimm, senior director of security strategy at Thales eSecurity.

“Fortunately, enterprises have more data protection choices today than when the race to the cloud began. These options include bring your own key (BYOK) and bring your own encryption (BYOE) solutions, which allow enterprises to apply the same encryption and key management solution across multiple platforms.”

The findings

• 84% of respondents either use the cloud for sensitive/non-sensitive applications and data today, or will do so in the next 12-24 months.

• 61% of respondents are using more than one public cloud provider, and 71% plan to in the next two years.

• 39% encrypt in public cloud services (such as Amazon Web Services, Microsoft Azure and Google Cloud), a number that has risen 11% since last year’s report.


• Overall HSM use grew to 41% – the highest level ever. The most common use cases for HSMs are SSL/TLS and application-level encryption, with 20% of respondents reporting that they use HSMs with blockchain applications.

• 49% of enterprises are either partially or extensively deploying encryption of IoT data on IoT devices and platforms.

“These findings tell us control over the cloud is highly important to companies increasingly under pressure from data security threats and compliance requirements,” said Dr. Larry Ponemon, chairman and founder of The Ponemon Institute.

Challenges ahead

This year’s statistics are encouraging, but the report does show areas of challenge. Data discovery is rated the top data encryption planning/execution challenge by 67% of respondents, a number that is 8% higher than in 2017.

Respondents from the UK, Germany, the US and France have the most challenges, which likely points to activities associated with preparation for and compliance with data privacy regulations such as GDPR, which comes into effect in May this year.


Given that the majority of organisations polled are using more than one public cloud provider, the report also raises questions about how organisations are enforcing consistent encryption and key management policies across multiple cloud vendors.

Securing data in a multi-cloud environment can be especially problematic for organisations seeking compliance, particularly if they are attempting to instantiate a single organisational policy using different native tools from multiple cloud providers.

Not surprisingly, policy enforcement is second only to performance as the most valued feature of encryption solutions in this year’s study.



Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...