Global Encryption and Key Management Trends Study

Transcription

1 Global Encryption and Key Management Trends Study SPONSORED BY THALES E-SECURITY INDEPENDENTLY CONDUCTED BY PONEMON INSTITUTE LLC PUBLICATION DATE: APRIL

2 Background Data Rise of the Internet 2

3 Rise of the Mobile Phone 3

4 Evolution of Enterprise Apps to Mobile Devices 4

5 Evolution of Enterprise Apps to Mobile Devices 5

6 Evolution of Enterprise Apps to Mobile Devices 6

7 Evolution of Payment Apps to Mobile Phones 7

8 Trends of going Mobile 8

9 2015 Global Encryption & Key Management Trends Study Following are key takeaways from this study: More companies embrace an encryption strategy that is applied consistently across the enterprise. Business units continue to gain influence in choosing and deploying encryption technologies. Healthcare and retail companies increased encryption usage more than other industries. The biggest challenge in planning and executing a data encryption strategy is discovering where sensitive data resides in the organization. Support for cloud and on-premise deployment is one of the most important features of an encryption solution. Management of keys and certificates is painful because of no clear ownership and systems are isolated and fragmented. 9

10 10

11 11

12 12

13 13

14 14

15 List of Key Findings The biggest challenge in planning and executing a data encryption strategy is discovering where sensitive data resides in the organization. Support for cloud and on-premise deployment is the most important feature of an encryption solution. Encryption and tokenization are considered alternative approaches to safeguarding sensitive data, according to 40 percent of respondents. Managing keys or certificates is painful. Hardware security modules (HSMs) are deployed by 33 percent of the organizations and growing in importance. For the first time in 10 years, budget allocated to encryption decreased. 15

16 Part 2 Key Findings 16

17 Trends in encryption strategy 40% 38% 35% 33% 32% 33% 35% 36% 30% 28% 28% 26% 29% 25% 25% 26% 26% 20% 15% 15% 18% 20% 19% 15% 15% 10% 5% 0% FY05 FY06 FY07 FY08 FY09 FY10 FY11 FY12 FY13 FY14 Company has an encryption strategy applied consistently across the entire enterprise Company does not have an encryption strategy. 17

18 Differences in enterprise encryption strategies by country 70% 60% 59% 50% 43% 40% 35% 33% 39% 35% 30% 26% 27% 29% 25% 20% 10% 0% US UK DE FR AU JP BZ RF IN MX Company has an encryption strategy applied consistently across the entire enterprise Average 18

19 Influence of IT operations, LOB and security by country JP 51% 21% 8% DE 45% 29% 10% MX 42% 2% 24% AU 42% 12% 20% IN 41% 5% 33% RF 34% 26% 15% BZ 32% 28% 13% FR 32% 33% 15% UK 32% 33% 15% US 20% 33% 20% 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% IT operations Lines of business Security 19

20 Trend on the extensive use of encryption technologies 40% 35% 34% 30% 27% 30% 25% 22% 23% 23% 25% 20% 20% 19% 16% 15% 10% 5% 0% FY05 FY06 FY07 FY08 FY09 FY10 FY11 FY12 FY13 FY14 Extensive deployment of encryption Percent of the IT budget earmarked for encryption 20

21 The extensive use of encryption by industry Financial services 38% 43% 48% Services 37% 39% 44% Transportation 33% 35% 39% Technology & software 31% 33% 39% Health & pharma 29% 31% 40% Hospitality 21% 26% 29% Consumer products 24% 25% 25% Public sector 23% 24% 25% Retail 21% 21% 26% Manufacturing 17% 19% 20% 0% 10% 20% 30% 40% 50% 60% FY12 FY13 FY14 21

22 The most salient threats to sensitive or confidential data Employee mistakes 53% System or process malfunction 29% Hackers 28% Temporary or contract workers 21% Government eavesdropping 19% Malicious insiders 19% Third party service providers 18% Lawful data request (e.g. by police) 11% More than one choice permitted 0% 10% 20% 30% 40% 50% 60% 22

23 The main drivers for using encryption technology solutions To comply with external privacy or data security regulations and requirements 64% To protect information against specific, identified threats 42% To reduce the scope of compliance audits 41% To generally improve our security posture 25% To comply with internal policies 19% To avoid public disclosure after a data breach occurs 9% 0% 10% 20% 30% 40% 50% 60% 70% 23

24 Would a data breach of customers personal data require notification? 45% 40% 41% 35% 34% 30% 25% 22% 20% 18% 15% 10% 5% 0% FY14 FY13 Notification required, breached data was not encrypted Notification required, breached data was encrypted 24

25 Biggest challenges in planning and executing a data encryption strategy Discovering where sensitive data resides in the organization 56% Initially deploying the encryption technology 48% Classifying which data to encrypt 34% Ongoing management of encryption and keys 33% Training users to use encryption appropriately 15% Determining which encryption technologies are most effective 13% 0% 10% 20% 30% 40% 50% 60% 25

26 Most important features of encryption technology solutions Support for cloud and on-premise deployment* Tamper resistance by dedicated hardware Support for multiple applications or environments Separation of duties and role-based controls* More than one choice permitted *Historic data is not available System performance and latency Integration with other security tools* Management of keys Enforcement of policy System scalability Formal product security certification Support for emerging algorithms Support for regional segregation* 25% 30% 33% 37% 28% 25% 32% 28% 29% 30% 29% 41% 38% 43% 44% 40% 37% 56% 51% 53% 51% 52% 47% 51% 47% 43% 49% 62% 0% 10% 20% 30% 40% 50% 60% 70% FY12 FY13 FY14 26

27 Data types routinely encrypted. Employee/HR data 61% Payment related data 56% Financial records 51% Intellectual property 49% Customer information 35% Non-financial business information 29% Health-related information 21% 0% 10% 20% 30% 40% 50% 60% 70% 27

28 Rating on the overall impact, risk and cost associated with managing keys or certificates. 8% 33% 15% 1 to 2 3 to 4 5 to 6 7 to 8 9 to 10 22% 23% 28

29 Percentage pain threshold by country 70% 65% 60% 60% 58% 56% 56% 53% 53% 52% 51% 51% 50% 40% 30% 20% 10% 0% MX UK US FR JP AU BZ IN DE RF Percentage ratings 7 to 10 on a 10-point scale 29

30 What makes the management of keys and certificates so painful? No clear ownership 58% Systems are isolated and fragmented Lack of skilled personnel Key management tools are inadequate 47% 44% 50% Too much change and uncertainty 36% Insufficient resources (time/money) No clear understanding of requirements Technology and standards are immature Manual processes are prone to errors and unreliable More than one choice permitted 22% 17% 14% 11% 0% 10% 20% 30% 40% 50% 60% 70% 30

31 What key management systems does your organization presently use? Manual process (e.g., spreadsheet, paperbased) 51% External certificate authority 43% Removable media (e.g., thumb drive, CDROM) 31% Central key management system/server 30% Internal certificate authority 29% Hardware security modules 28% Smart cards 20% Software-based key stores and wallets 18% 0% 10% 20% 30% 40% 50% 60% 31

32 50% Deployment HSMs as part of key management activities 45% 45% 42% 40% 38% 39% 35% 35% 34% 35% 34% 33% 30% 25% 20% 30% 27% 26% 23% 26% 26% 25% 24% 23% 25% 25% 24% 22% 20% 19% 19% 15% 10% 5% 0% DE JP US IN* UK FR RF* AU BZ MX* FY14 FY13 FY12 32

33 Trend in the percent of IT security spending relative to the total IT budget 12,0% 10,0% 9,1% 8,6% 8,8% 9,1% 9,9% 9,2% 8,0% 7,5% 7,2% 7,5% 7,9% 6,0% 4,0% 2,0% 0,0% FY05 FY06 FY07 FY08 FY09 FY10 FY11 FY12 FY13 FY14 Percentage of IT security spending relative to the total IT budget Average 33

34 Trend in the percent of IT security budget dedicated to encryption 20,0% 18,0% 17,6% 18,2% 16,0% 14,0% 13,8% 13,1% 15,7% 14,6% 15,1% 15,7% 12,0% 10,0% 9,7% 10,3% 8,0% 6,0% 4,0% 2,0% 0,0% FY05 FY06 FY07 FY08 FY09 FY10 FY11 FY12 FY13 FY14 Percentage of IT security spending dedicated to encryption Average 34

35 Questions? 35