There's a very interesting new Ponemon Institute report on app encryption, which concludes that app encryption usage is sharply increasing, as it has consistently for years. The report found 37 percent of the companies examined this year embrace enterprise encryption, up from 15 percent in 2005.
The report sees this as a good thing and the upward trend is certainly encouraging. But to find that in 2016, some 63 percent of large enterprises globally are not opting for widescale encryption is both frightening and disappointing.
What is especially interesting about this report is its breakdown of usage among various verticals. Before we jump into that, let me just say that no one should read too much into these stats, given that it's far from clear that the companies profiled in any particular vertical were statistically representative of that vertical. For all we know, they may have looked at the least secure financial companies in the world and the most secure manufacturers. That said, we have to start somewhere.
"Industries that have the highest overall extensive (encryption) usage rates: financial services (56 percent), healthcare & pharmaceutical (49 percent) and technology & software (48 percent)," the report found. "The lowest usage rates are in manufacturing (25 percent), consumer products (27 percent) and entertainment & media (27 percent)."
Those stats are interesting, but not especially surprising. I'd argue that the data most valuable to your company is critical and needs to be protected, but if that belief were universal, encryption would be at or near 100 percent. Perceptions of data value—specifically the value of that data to customers and competitors as well as to potential cyber thieves—color IT decisions far more than they should.
On the low-end, it's easy to see how entertainment/media companies would—incorrectly—think their data isn't at risk. But manufacturers and consumer products companies? Are the likes of Boeing and Procter & Gamble executives really unaware of the value of their private data on the black market?
On the high-end, financial services companies have always understood security issues—Paranoia, thy name is Wall Street—and healthcare companies also have historically gotten it. Technology/software companies understand it for a very different reason: they create software, so they intuitively understand how weak unencrypted communications are.
The report also looked at the different kinds of communications mechanisms and how often their communications are encrypted. "Databases, Internet communications (e.g. SSL/TLS) and laptop hard drives achieve a 1st, 2nd or 3rd place for 12 of 14 industry sectors," the report said. "In contrast, public cloud services, big data repositories, private cloud infrastructure and business applications have the lowest usage rate with exceptions in transportation, consumer products and manufacturing."
The greatest concern I saw with this involves the relatively weak position of the cloud, with both public and private cloud infrastructure faring poorly. Yet again, perception is likely the cause here. There's a wonderful security cliché, which is that you can't outsource responsibility. But when outsourcing data control to the cloud, there is a tendency to assume that the cloud has dedicated security professionals—which they typically do—and that those professionals will care for your data as if it were their own—which they would never ever do.
CIOs need to view data as their own and they should insist on the same protections—and the same verification checks-and-balances. Do CIOs abandon any oversight responsibilities of their LAN administrators and other IT personnel? No, they don't. So why do these same people, when making decisions about the identical data, feel oh-so-trusting when it's an outside company? Unless you insist on better security, security that you are willing to pay for, a for-profit third-party won't volunteer it.
There is a vast difference between a cloud company that does some security and a security company. CIOs know this, but laziness helps them conveniently forget it at budget time.
By the way, when Ponemon layered vertical data on top of these choices, the same trend of security-conscious verticals emerged. "Companies in financial services have the highest deployment of encryption for data at rest in the cloud (71 percent). Public sector organizations report the lowest rate at 26 percent. Forty-four percent of respondents say data is encrypted before it is sent to the cloud," the report said. "Twenty-one percent say data at rest in the cloud is encrypted in the cloud using the organization's own encryption tools. Finally, 35 percent say the cloud provider encrypts data at rest in the cloud."
Here's another nice slice of app encryption data that the report shared: pain points. Consider: "The most painful encryption keys to manage are: (1) SSH keys, (2) keys for external services and (3) keys for third-party systems. With respect to keys for external services, technology & software and transportation companies report the highest pain levels. For application-owned keys, technology & software organizations have the highest pain level. For payment-related keys, retail and financial service organizations have the highest pain levels."
My first take on this was the natural conclusion that more pain—i.e. effort and difficulty—is often associated with better security. Although that's not a universal truth, it's pretty close.
The payments note was also intriguing: in payments, retail and financial services report the most pain. They also have by far the most breaches, the most attempted fraud and the most complicated transactions. There is a question about how the report defined retail. Sometimes retail includes all restaurants and gas stations, and sometimes they are broken out. If it includes all of retail, that also represents a huge percentage of global transactions. It's hard to compare the fraud risk of a Hilton hotel with that of a Walmart or Target.
Here we have some nice global stats: "At 63 percent, German respondents report the highest deployment of encryption for data at rest in the cloud. In contrast, Mexican organizations report the lowest deployment of encryption in the cloud (at 29 percent)." I am slightly concerned that that comparison may not be apples to apples. Encryption in the cloud in general is a different measure from encryption of data at rest in the cloud.
This is perhaps my favorite part of the report, where it goes beyond encryption usage and explores how encryption is specifically handled. "With respect to strategies for controlling encryption keys, 41 percent of respondents say all keys to encryption applications are controlled on premise. Twenty-one percent say the cloud provider alone controls keys to encryption applications. The remaining 38 percent say the organization and the cloud provider share control of keys for encryption applications," the report said. "Respondents in financial service companies are most likely to control encryption keys on-premise within their organization rather than the cloud provider. In contrast, companies in the hospitality industry are more likely to allow keys to be controlled by the cloud provider."
Please allow me to be explicit: encryption security is entirely about the keys. If you lose control of the keys, you have lost control of the encryption. That means you may not be able to get timely access to your critical data, and bad guys may. In what may be one of the most well-known cases of a massive retail breach, TJX Companies was hit. It admitted to the SEC that one of the first things the attackers did was steal its encryption keys. Put another way: Game over.
Let's look at those report stats again. Some 41 percent said that "all keys to encryption applications are controlled on premise." That presumably means that 59 percent were controlled elsewhere. Then there's this: "Twenty-one percent say the cloud provider alone controls keys to encryption applications. The remaining 38 percent say the organization and the cloud provider share control of keys for encryption applications."
Shared control with a third-party can be a viable strategy, provided that both sides agree on a detailed list of rules and processes. It's one of my favorite security conundrums: The enterprise CISO who insists on having sole control of their encryption keys, but who also wants the third-party to get them access if they somehow lose those keys. Life doesn't work that way.
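To make the three key-control arrangements in the report concrete (on-premise control, provider-only control, and shared control), here is an added, constructed envelope-encryption example; it is not code from the Ponemon report or any cloud vendor. It assumes a per-object data key (DEK) wrapped by a key-encryption key (KEK), and it uses a dependency-free HMAC-SHA256 counter-mode cipher purely for illustration; a real deployment would use AES-GCM.

```python
import hashlib, hmac, os

# Constructed example (not from the Ponemon report or any vendor). A per-object
# data key (DEK) encrypts the data; a key-encryption key (KEK) wraps the DEK.
# Whoever holds the KEK can read the data; nobody else can. The cipher below is
# HMAC-SHA256 in counter mode with encrypt-then-MAC, chosen only to stay
# dependency-free; use AES-GCM in a real system.

def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = os.urandom(16)
    ct = _keystream_xor(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_(key: bytes, sealed: bytes) -> bytes:
    nonce, ct, tag = sealed[:16], sealed[16:-32], sealed[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered ciphertext")
    return _keystream_xor(_subkey(key, b"enc"), nonce, ct)

def encrypt_for_cloud(kek: bytes, plaintext: bytes) -> dict:
    """What the cloud stores: ciphertext plus the wrapped DEK; the KEK never leaves its owner."""
    dek = os.urandom(32)
    return {"data": seal(dek, plaintext), "wrapped_dek": seal(kek, dek)}

def decrypt_from_cloud(kek: bytes, stored: dict) -> bytes:
    dek = open_(kek, stored["wrapped_dek"])  # fails without the right KEK
    return open_(dek, stored["data"])

def split_kek(kek: bytes) -> tuple:
    """Shared control: XOR-split the KEK so reading needs both shares; one alone is useless."""
    share = os.urandom(len(kek))
    return share, bytes(a ^ b for a, b in zip(kek, share))

def join_kek(share_a: bytes, share_b: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(share_a, share_b))
```

With sole on-premise control, losing the KEK leaves the wrapped DEK (and so the data) unrecoverable, which is exactly why a provider cannot "get you access" to keys it never held; the split form is the shared-control case, where neither party can read the data without the other's share.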