Research: Encryption
Token Effort: Why Ubiquitous Encryption Still Eludes Enterprises
Data. It's your most important asset, yet also the easiest to lose. Encryption vendors have been saying for years that the key to keeping information safe is using their products end to end, and many regulations and compliance frameworks have codified encryption as a requirement for data in motion and at rest. Yet, in survey after survey, we find that adoption of end-to-end encryption is still slower than security experts say it should be. This isn't a new phenomenon—back in 2007, Network Computing examined the state of encryption in the enterprise. At the time, we acknowledged that CIOs don't roll out of their beds and think, "Hey, let's sink a few hundred grand into a cohesive enterprisewide encryption infrastructure." Instead, the process is gradual, often starting with backup tapes and spreading from there.
A piecemeal approach was the norm then, and it seems we're still moving in fits and starts despite the momentum generated by compliance frameworks like PCI. While 86% of the 499 business technology professionals responding to our InformationWeek Analytics State of Encryption survey employ some encryption, 31% characterize the extent of use as just enough to meet regulatory or compliance requirements. Only 14% say encryption is pervasive. Reasons for limited encryption use range from cost and technical challenges to organizational resistance.
"Our IT staff is working to increase the use of encryption, but frankly, users are more interested in quick and easy access to their data and don't really think about the security," says one respondent. "The idea of getting data on a flash drive or laptop encrypted never enters the minds of most of the staff, from the director on down." This respondent exemplifies the plague of organizational resistance to encryption due to a lack of leadership. Security awareness and the benefits of encryption must be embraced from the top down.
Although encryption may sound like a difficult technology to understand, most business users don't need to be concerned with how it works under the covers; IT should invest in a training initiative to sell encryption's benefits and explain how employees can use it in their daily lives to keep their data safe. Then, monitor.
When we asked what would increase respondent organizations' use of encryption, responses ranged from broad built-in operating system support for creating encrypted files/folders—something Microsoft is working toward, as we'll discuss—to better ease of use and lower cost, to less of a performance hit, to better key management (apparently, some things never change). We'll discuss performance problems later.
Oddly, a few—who shall remain anonymous—wished for more regulation, even a breach requiring notification of customers, to use as leverage for gaining funding and management buy-in.
"I'd like to think that it would only take the force of will to do the right thing," says a network director at an educational institution. "In reality, it would probably require a breach or exposure to shine the light on the problem."
Our favorite response: "I wish I knew so I could exploit it."
In this report, we'll explore the current state of encryption within the enterprise: What assets are, and are not, being encrypted to reduce the risk of exposure? Where is sensitive data going unencrypted, and what's holding IT back from adopting encryption end to end? We'll also explore advances in enabling technologies, notably tokenization, and the move toward inexpensive or free encryption capabilities, such as Microsoft's DirectAccess or the open source TrueCrypt full disk and file system encryption product.
Table of Contents
Author's Bio
Executive Summary
Research Synopsis
Broad, But Not So Deep
Impact Assessment: Tokenization
It's Not Just the Money
Motives and Attitudes
Time for Tokenization?
Keys to the Kingdom
Free Options
Will Microsoft Take Over the Encryption Space?
Is End to End the Ideal?
Fox in the Henhouse?
Conclusion
Jericho Forum: Mission
Appendix
would love to read, but article not found
Comment by kzarsky191, May-24, 2010 9:36:56 AM
is there a way to get a copy of this?



