Not surprisingly, companies are continuing to increase their use of encryption and other data protection techniques in response to data breaches and cyber attacks. But some of the other top deployment reasons, and the techniques being used, may surprise you. In this slide deck Larry Ponemon from the Ponemon Institute and John Grimm of Thales e-Security take a look at some of the top findings in this year’s Global Encryption Trends Study, including:
• Variation in encryption and key management trends across multiple vertical industries
• Attitudes regarding protection of sensitive data in the cloud
• Types of data that are most commonly encrypted
• Common use cases for encryption, and where Hardware Security Modules are most commonly deployed for key protection and management
Or why not watch the webinar:
https://www.thales-esecurity.com/knowledge-base/webcasts/top-trends-encryption-and-data-protection
and download the report:
https://www.thales-esecurity.com/knowledge-base/analyst-reports/global-encryption-trends-study
2016 Top Trends in Encryption and Data Protection
1. Dr. Larry Ponemon and John Grimm
March 23, 2016
Top Trends in Encryption and Data Protection 2016
2. Today’s Speakers
Dr. Larry Ponemon
Chairman & Founder, Ponemon Institute
John Grimm
Senior Director, Thales e-Security
3. About this research
This presentation contains the findings of a survey completed by 5,009 IT and IT security practitioners in the following 11 countries: United States, United Kingdom, Germany, France, Australia, Japan, Brazil, Russian Federation, India, Mexico and Arabia. The research examines how the use of encryption has evolved over the past 11 years.
Sponsored by
4. Agenda
• Broad encryption trends 2016
• Encryption and key management challenges
• Addressing those challenges
• Encryption in the cloud
• Summary and conclusions
5. Encryption Strategy
• Reversal over period of study!
• Reflects growing importance of encryption
• Also reflects struggle to apply strategy and policy consistently
[Chart: trend from FY05 to FY15, two series: "Company has an encryption strategy applied consistently across the entire enterprise" and "Company does not have an encryption strategy". Data labels shown: 15%, 37%, 38%, 15%.]
6. Encryption strategy by country
Company has an encryption strategy applied consistently across the entire enterprise, by country (the chart also plots the average):
DE = Germany: 61%
US = United States: 45%
JP = Japan: 40%
UK = United Kingdom: 38%
FR = France: 36%
RF = Russian Federation: 36%
IN = India: 33%
BZ = Brazil: 28%
AB = Arabian Cluster: 27%
AU = Australia: 26%
MX = Mexico: 26%
7. Business owners gain influence over encryption strategy
• Drivers include
– Compliance
– BYOD
– Consumerization of IT
[Chart: trend from FY05 to FY15, three series: IT Operations, Lines of business, Security. Data labels shown: 53%, 32%, 10%, 27%, 12%, 16%.]
8. Encryption usage by vertical market
• Increase across all 10 represented markets
• Compliance and privacy concerns are strong drivers
• Additional markets include Services, Transportation, Hospitality, Consumer Products, and Manufacturing
Encryption usage by vertical market, FY12 to FY15:
Public sector: FY12 23%, FY13 24%, FY14 25%, FY15 33%
Retail: FY12 21%, FY13 21%, FY14 26%, FY15 35%
Technology & software: FY12 31%, FY13 33%, FY14 39%, FY15 48%
Health & pharma: FY12 29%, FY13 31%, FY14 40%, FY15 49%
Financial services: FY12 38%, FY13 43%, FY14 48%, FY15 56%
9. Drivers for using encryption
• Compliance is a consistent year-to-year top finding
• Organizations increasingly identifying and protecting specific data types
Drivers for using encryption (percentage of respondents):
To avoid public disclosure after a data breach occurs: 8%
To comply with internal policies: 15%
To reduce the scope of compliance audits: 34%
To limit liability from breaches or inadvertent disclosure: 35%
To protect customer personal information: 47%
To protect information against specific, identified threats: 49%
To protect enterprise intellectual property: 50%
To comply with external privacy or data security regulations and requirements: 61%
10. Encryption challenges
• Discovery increasingly difficult as data proliferates
• Attacks will seek out the easiest target
• Bottom of this list speaks as loudly as the top
Encryption challenges (percentage of respondents):
Determining which encryption technologies are most effective: 13%
Training users to use encryption appropriately: 15%
Ongoing management of encryption and keys: 31%
Classifying which data to encrypt: 35%
Initially deploying the encryption technology: 49%
Discovering where sensitive data resides in the organization: 57%
11. Top two threats to data exposure
1. Employee mistakes
2. System or process malfunction
[Chart: "Employee Mistakes" by country (AU, JP, UK, IN, AB, US, BZ, MX, RF, DE, FR), scale 0 to 100.]
12. What types of data are organizations encrypting?
• Encryption needs to be addressed by companies of all types
• Expect health-related information to rise
Types of data encrypted (percentage of respondents):
Health-related information: 20%
Non-financial business information: 30%
Customer information: 36%
Financial records: 48%
Intellectual property: 49%
Payment related data: 55%
Employee/HR data: 62%
13. With increased encryption use comes the pain of key management
• Key management pain rated 7 (out of 10) or higher by over half of respondents!
• Similar pain ratings across mature and less mature countries
Sources of key management pain (percentage of respondents):
Manual processes are prone to errors and unreliable: 11%
Technology and standards are immature: 13%
No clear understanding of requirements: 16%
Insufficient resources (time/money): 23%
Too much change and uncertainty: 37%
Key management tools are inadequate: 46%
Systems are isolated and fragmented: 47%
Lack of skilled personnel: 49%
No clear ownership: 57%
14. Key management systems in use
• Manual = painful = prone to mistakes
• Evidence that policies are becoming more formalized
• HSMs on the rise
Key management systems in use (percentage of respondents):
Software-based key stores and wallets: 17%
Smart cards: 20%
Hardware security modules: 28%
Removable media (e.g., thumb drive, CDROM): 31%
Formal key management practices statement (KMPS): 31%
Formal key management infrastructure (KMI): 31%
Formal definition of roles and responsibilities of the KMI including separation of duties: 32%
Central key management system/server: 32%
Formal key management policy (KMP): 44%
Manual process (e.g., spreadsheet, paper-based): 57%
16. Deployment of HSMs as part of key management activities
• Findings correlate with stronger security posture and encryption strategy maturity
Does your organization deploy HSMs? By country (the chart also plots the average):
DE: 54%
US: 45%
UK: 37%
JP: 34%
RF: 32%
IN: 31%
AB: 30%
FR: 25%
BZ: 25%
AU: 20%
MX: 20%
17. HSM use cases
[Chart: HSM use cases, two series ("12 months from now" and "Current state"), scale 0% to 60%. Use cases, in chart order:]
Crypto currency
Big data encryption
Code signing
Internet of Things (IoT) device authentication
Document signing (e.g. electronic invoicing)
Private cloud encryption
Payment credential issuing (e.g., mobile, EMV)
Public cloud encryption
Payment transaction processing
PKI or credential management
Application level encryption
Database encryption
SSL/TLS
Chart annotations: Mature; Have been growing steadily; Early stage
18. Importance of HSMs by industry
[Chart: importance of HSMs by industry, in percent (scale 0 to 80), two series: "Importance today" and "Importance in the next 12 months".]
19. What about the cloud?
• Over half of respondents are sending sensitive data to the cloud today, and this will rise to 84% over the next two years
• Benefits of the cloud outweighing the risks
[Chart: by country (BZ, DE, US, UK, FR, AU, JP, IN, MX, AB, RF), scale 0 to 70.]
20. Cloud trends
• Maturation of cloud security offerings
• Less fear in the industry about cloud providers
– Most threats and breaches/incidents originate with subscriber-managed components
• Encryption conversation matures – “why” then “how”
– Nation-state demands for data access – subscriber control
– Digital shred of deleted data or isolation failure – provider control
– Data in use – encryption doesn’t play
– Finding data unencrypted somewhere else defeats encryption!
• Users will be looking for choice for key control
• Auditors will start to look closer
21. Control of keys in the cloud
[Chart: control of keys in the cloud. Data labels shown: 41%, 21%, 38%. Legend:]
Only use keys controlled by my organization
Only use keys controlled by the cloud provider
Use a combination of keys controlled by my organization and by the cloud provider
Results underscore importance of enterprise control of keys
22. Summary and Conclusions
• Encryption use is growing, along with the challenges associated with key management
• Issues addressed here affect companies of all types
• Regulations and privacy concerns are driving growth of encryption and other data protection technologies
• Encryption, properly implemented with strong key management, is a very important part of a layered defense
23. Thales e-Security
www.thales-esecurity.com
▌Proven, focused expertise in data protection
▌Solutions built to deliver trust
High assurance security optimized for operational efficiency
Leader in Hardware Security Modules (HSMs) with form factors and performance to suit every deployment scenario
Hundreds of use cases across traditional, virtualized, and cloud-based environments
Security certifications to satisfy regional and industry obligations
▌Just finalized acquisition of Vormetric
Leading provider of data protection applications
▌Global support and services to help customers succeed
24. Resources
▌Global Encryption Trends study
▌Key Management for Dummies reference guide
▌Websites
▌www.thales-esecurity.com
▌www.vormetric.com
▌www.ponemon.org
▌Next Thales e-Security webcast: April 20
▌“Innovation and security in the digital payments world” featuring Jose Diaz and Ian Hermon
25. Ponemon Institute LLC
The Institute is dedicated to advancing responsible information management practices that positively affect privacy, data protection and information security in business and government.
The Institute conducts independent research, educates leaders from the private and public sectors and verifies the privacy and data protection practices of organizations.
Ponemon Institute is a full member of CASRO (Council of American Survey Research Organizations). Dr. Ponemon serves as CASRO’s chairman of Government & Public Affairs Committee of the Board.
The Institute has assembled more than 65 leading multinational corporations called the RIM Council, which focuses on the development and execution of ethical principles for the collection and use of personal data about people and households.
The majority of active participants are privacy or information security leaders.
26. Questions?
Ponemon Institute
Toll Free: 800.887.3118
Michigan HQ: 2308 US 31 N.
Traverse City, MI 49686 USA
research@ponemon.org
Thales e-Security
+1 954 888 6200
Americas: sales@thalesesec.com
EMEA: emea.sales@thales-esecurity.com
APAC: asia.sales@thales-esecurity.com
www.thales-esecurity.com