Is your enterprise encryption strategy a compromise?

11 April, 2017
Michael Jordan
IBM

Protecting your business, part 1

There are many different statistics available on the risks and impact of data breaches.  The most alarming one in my opinion is this: out of the nearly 6 billion data records breached since 2013, Breach Level Index reports that only 4 percent were encrypted.  This is staggering given that most organizations recognize the risks and understand the importance of data security and encryption.  It begs the question — Why do we see such a significant disconnect between known risks and the level of data protection?

Security today

Strong walls and perimeter defenses are no longer adequate to prevent cyber-attacks in today’s enterprises.  There are countless points of entry into an organization’s IT environment, all of which lead to what should be private data.  Not only could a team be completely consumed by trying to secure all of the potential entry points, but they could do all that and still not achieve their objective.  Threats from insiders, whether they be from rogue insiders or attackers posing as insiders, complicate the situation further.

Though many organizations recognize that encryption is vital, they struggle in their data encryption journey.  The main reason is that implementing encryption is extremely complex.  Many wrestle with questions such as: What data needs to be encrypted?  Where should encryption occur? Who is responsible for encryption?  Leaders in organizations which have already started down the path are beginning to grasp the complexity and challenges involved in reaching their destination.

Roadblocks to deploying an enterprise encryption strategy can include insufficient skills, resource constraints, overhead costs, technology limitations, and an all-too-common problem — not knowing where the sensitive data is located.  Since none of these are easily overcome, companies often veer off the original path out of necessity and end up with best-effort encryption versus the best-in-class encryption originally planned.

Industry and government regulations mandate that certain sensitive data be encrypted.  Thus, many organizations have adopted the practice of selective encryption.  They look for credit card data, social security numbers and other sensitive data and encrypt a subset of data. Adopting selective encryption makes sense in theory but falls short of protecting all of the digital assets of value to an organization.

In summary, traditional approaches alone aren’t sufficient.  If they were, we wouldn’t be hearing another report about how our personal data was breached. Organizations must operate on the premise that potential attackers are already inside and must view regulations regarding data security as a minimum threshold, not a best practice.  It is time for a paradigm shift in protecting the data at the core of the enterprise.

A new approach

Data needs to be treated as the new perimeter.  To achieve any chief information security officer’s (CISO) ideal of enterprise data protection, organizations should adopt a strategy of encrypting all data wherever it resides.

It is easy to envision how pervasive encryption can minimize the risk and impact of a data breach.  However, it can also help with encryption deployment and compliance.  By encrypting data at a broad scale, organizations can move forward on encryption quickly since the process of identifying and classifying data is decoupled from the act of implementing encryption.  Additionally, it simplifies compliance reporting, because the organization can show that all data is encrypted.  And lastly, pervasive encryption helps protect all of an organization’s digital assets – not just those mandated by compliance.

Protect your business

Do not compromise on your enterprise encryption strategy.  Later in this blog series, we’ll explore how new technologies that support pervasive encryption can help you with that.  Until then, watch this webcast to learn how to begin encrypting everything without changing anything.

The post Is your enterprise encryption strategy a compromise? appeared first on IBM Systems Blog: In the Making.