Encryption is finally being used primarily to protect personal data rather than just for compliance
As organizations accelerate digital initiatives such as cloud and the IoT, and data volumes and types continue to rise, IT professionals cite protection of customer personal information as their number one priority, according to nCipher Security and the Ponemon Institute.
Threats, drivers and priorities
For the first time, protecting consumer personal information is the top driver for deploying encryption (54% of respondents), outranking compliance, which ranked fourth (47%).
Traditionally, compliance with regulations was the top driver for deploying encryption, but it has dropped in priority since 2017, indicating that encryption is transitioning from a requirement to a proactive choice to safeguard critical information.
Employee mistakes continue to be the biggest threat to sensitive data (54%) and significantly outweigh concerns over attacks by hackers (29%) or malicious insiders (20%). In contrast, the least significant threats cited include government eavesdropping (11%) and lawful data requests (12%).
Data discovery the number one challenge
With the proliferation of data from digital initiatives, cloud use, mobility, IoT devices and the advent of 5G networks, data discovery continues to be the biggest challenge in planning and executing a data encryption strategy, with 67% of respondents citing this as their top concern. And that is likely to increase, with a pandemic-driven surge in employees working remotely, using data at home, and creating extra copies on personal devices and cloud storage.
Blockchain, quantum and adoption of new encryption technologies
The study indicates that 48% of organizations have adopted encryption strategies across their enterprises, up from 45% in 2019. With encryption deployment steadily growing, how are organizations looking ahead? In the near term, 60% of organizations plan to use blockchain, with cryptocurrency/wallets, asset transactions, identity, supply chain and smart contracts cited as the top use cases.
Other much-hyped technologies are not on IT organizations’ near-term radar. Most IT professionals see the mainstream adoption of multi-party computation at least five years away, with mainstream adoption of homomorphic encryption more than six years away, and quantum-resistant algorithms over eight years out.
Trust, integrity, control
The use of hardware security modules (HSMs) continues to grow, with 48% of respondents deploying HSMs to provide a hardened, tamper-resistant environment with higher levels of trust, integrity and control for both data and applications.
Organizations in Germany, the United States and the Middle East are more likely to deploy HSMs, with Australia, Germany and the United States most likely to assign importance to HSMs as part of their organization’s encryption or key management activities.
HSM usage is no longer limited to traditional use cases such as public key infrastructure (PKI), databases, application and network encryption (TLS/SSL).
The demand for trusted encryption for new digital initiatives has driven significant HSM growth for big data encryption (up 17%), code signing (up 12%), IoT root of trust (up 10%) and document signing (up 7%). Additionally, 35% of respondents report using HSMs to secure access to public cloud applications.
The race to the cloud
Eighty-three percent of respondents report transferring sensitive data to the cloud, or planning to do so within the next 12 to 24 months, with organizations in the United States, Brazil, Germany, India and South Korea doing so most frequently.
In the next 12 months, respondents predict a significant increase in the ownership and operation of HSMs to generate and manage Bring Your Own Key (BYOK), and integration with a Cloud Access Security Broker (CASB) to manage keys and cryptographic operations. The survey found that the most important cloud encryption features are:
- support for Key Management Interoperability Protocol (KMIP) (67%)
- security information and event management (SIEM) integration (62%)
- granular access controls (60%)
- key usage audit logs (55%), and
- privileged user access controls (50%).
“Consumers expect brands to keep their data safe from breaches and have their best interests at heart. The survey found that IT leaders are taking this seriously, with protection of consumer data cited as the top driver of encryption growth for the first time,” says Dr Larry Ponemon, chairman and founder of Ponemon Institute.
“Encryption use is at an all-time high with 48% of respondents this year saying their organization has an overall encryption plan applied consistently across the entire enterprise, and a further 39% having a limited plan or strategy applied to certain application and data types.”
“As the world goes digital, the impact of the global pandemic highlights how security and identity have become critical for organizations and individuals both at work and at home,” says John Grimm, vice president of strategy at nCipher Security.
“Organizations are under relentless pressure to deliver high security and seamless access – protecting their customer data, business critical information and applications while ensuring business continuity.”
Other key trends
- The highest prevalence of organizations with an enterprise encryption strategy is in Germany (66%) followed by the United States (66%), Sweden (62%), Hong Kong (60%), Netherlands (56%) and the United Kingdom (54%).
- Payment-related data (54% of respondents) and financial records (54% of respondents) are most likely to be encrypted.
- The least likely data type to be encrypted is health-related information (25% of respondents), a surprising result given the sensitivity of this information and recent high-profile healthcare data breaches.
- The industries seeing the most significant increase in extensive encryption usage are manufacturing (49%), hospitality (44%) and consumer products (43%).