With industry experts advocating a more data-centric approach to cybersecurity in recent months, many are revisiting the merits of staple strategies such as encryption. Companies may be wise to take a deep dive into their current practices, according to the latest analysis from Enterprise Strategy Group (ESG), as a surprising lack of encryption expertise and key management fundamentals is putting a number of organizations at risk.
According to the ESG report, the recent uptick in support for data encryption has stemmed from an increasingly complex regulatory climate and a wealth of publicly disclosed breaches in the past year. Additionally, 54 percent of companies have implemented data encryption technologies in direct response to the rise of advanced persistent threats (APTs) capable of siphoning corporate intellectual property.
Although most enterprise IT professionals are well aware of the potential advantages of data encryption, there are notable gaps in how the technology is being applied.
"When it comes to information strategy, large organizations tend to focus on firefighting rather than long-term strategy. Unfortunately, this short-sighted approach has its limits," ESG senior principal analyst Jon Oltsik explained. "Ad hoc encryption leads to redundant processes, complex operations and high costs while placing sensitive data at risk of accidental compromise or malicious insider attack."
This fragmented approach to data protection can be primarily attributed to a lack of cohesion and standardization among functional IT groups and the absence of a "central command and control" capable of setting policy, provisioning data and managing keys. This "organizational misalignment" puts the company at a significantly higher risk of leaking or losing critical files as inconsistent access control and separation of duties leaves loopholes available for malevolent insiders to exploit.
According to the Ponemon Institute's 2011 Global Encryption Trends Study, a power struggle at the top of the organization could be contributing to the confusion. While the chief information officer was identified as the primary designer of encryption strategy within approximately 40 percent of companies, business managers outside of the IT department are seeking more control. With data security and compliance now being viewed as a company-wide, as opposed to merely a technical, responsibility, there is more fragmentation of data protection strategy than ever before. Although officers may have their hearts in the right place, their execution is doing more harm than good.
Deeper woes in healthcare security
Outside of the business community, the implications of inadequate encryption key management could be even more significant in the healthcare sector. In 2011, the industry's shortcomings were placed under a microscope following a wave of high-profile data breaches and coverage of the ongoing conversion to electronic health records. According to Computerworld's Gregory Machler, there is a very real possibility that these tensions could be amplified in the near future with the establishment of a national healthcare database in the United States.
As stakeholders from all over the healthcare system request and require instant access to sensitive records, identity management and access control will be imperative.
"Data protection of the medical information requires use of encryption and a key or keys," Machler noted. "In the financial services industry, many banks have their own root key so there is no national financial services root key. But a national database of individual medical data would require a root at the national level and potentially even globally. The root has the ability to access all information, thus giving the institution that owns the root great power."
The process would force organizations at all levels to debate and develop a number of incredibly influential policies. According to Machler, determining who has access to which portions of the data and then selecting the proper technology to enforce these decisions will be essential. While it's hard to even imagine how the national or global community would begin to come together and resolve such issues, companies are facing similar challenges on a smaller scale every day.
Collaboration is key
The key concept for data security managers to keep in mind, according to the ESG report, is unification.
"[Chief information security officers] have lots of choices with ad hoc encryption, but they will find a much shorter list of qualified vendors as they begin researching and evaluating options for an enterprise encryption and key management architecture," Oltsik explained.
By shoring up fundamentals from the beginning, companies stand a much better chance of not only protecting critical information, but doing so in a more efficient manner as well. According to Oltsik, qualified encryption and key management solutions should support heterogeneous operating systems, including Linux, UNIX and Windows, in addition to structured and unstructured data. This will ensure a more sustainable approach to managing internally produced data across the IT environment.
On an organizational level, centralized policy creation and management must win out over stubborn, fragmented strategies if companies hope to succeed. However, there should still be a separation of duties and tiered administration when it comes to ultimately enforcing policy.
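The root-key hierarchy Machler describes and the separation of duties called for above can be illustrated with a small key-management model. This is an added example, not code from the article, ESG or Trend Micro; the institution names, record id and record contents are constructed, and the HMAC-based cipher is a stand-in for a vetted AEAD such as AES-GCM.

```python
import hashlib
import hmac
import os

# Three-tier hierarchy: national root -> institution -> record. Child keys come from HMAC-SHA256
# (one-way), so a holder can only move downward: root reaches every record, an institution only its own.
def derive_key(parent: bytes, label: str) -> bytes:
    return hmac.new(parent, label.encode(), hashlib.sha256).digest()
def institution_key(root: bytes, institution: str) -> bytes:
    return derive_key(root, "institution:" + institution)
def record_key(inst_key: bytes, record_id: str) -> bytes:
    return derive_key(inst_key, "record:" + record_id)

# Toy authenticated encryption (HMAC keystream + HMAC tag) so the example runs on the
# standard library alone; a real deployment would use AES-GCM from a vetted library.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        return None  # wrong key or tampered ciphertext: refuse rather than emit garbage
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))

# Two-person control over the root: two XOR shares held by separate officers, so no
# single administrator can exercise the root's reach alone.
def split_root(root: bytes):
    share_a = os.urandom(len(root))
    return share_a, bytes(x ^ y for x, y in zip(root, share_a))
def join_root(share_a: bytes, share_b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(share_a, share_b))

def demo() -> dict:
    root = os.urandom(32)
    share_a, share_b = split_root(root)
    hosp_a, hosp_b = institution_key(root, "hospital-a"), institution_key(root, "hospital-b")
    blob = encrypt(record_key(hosp_a, "patient-0001"), b"constructed sample record")  # constructed data
    rebuilt = join_root(share_a, share_b)
    return {"root_rebuilt": rebuilt == root,
            "root_reads": decrypt(record_key(institution_key(rebuilt, "hospital-a"), "patient-0001"), blob),
            "owner_reads": decrypt(record_key(hosp_a, "patient-0001"), blob),
            "other_reads": decrypt(record_key(hosp_b, "patient-0001"), blob)}
```

Running `demo()` shows the reassembled root and the owning institution both recover the record, while a different institution's key fails the tag check and gets nothing, which is the access boundary a central key-management policy is meant to enforce.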
Data Security News from SimplySecurity.com by Trend Micro