Survey: Encryption challenges remain
A poll has found organisations encrypting more data, but backup and key management still remain as challenges.
More than a third of organisations still do not know if they will encrypt their backup tapes and half do not know where they would store their tape backup encryption keys.
Those are the two most glaring findings of the new 2008 Encryption and Key Management Benchmark Survey conducted published today by Thales.
Among just over 300 European and US organisations that responded to the survey, conducted by research firm Trust Catalyst, web server and SSL encryption top the list of target areas with 94 per cent being encrypted, closely followed by desktop file and email encryption, and full disk encryption.
“It is encouraging to see that more organisations are proactively securing sensitive data but the survey suggests there is still room for improvement,” said Bryta Schulz, vice president product marketing at Thales Information Systems Security.
But tape backup encryption only featured eleventh in the list, below USB and mobile device encryption, potentially leaving a major hole in enterprise data protection strategies according to the survey.
Schulz said the survey suggested most organisations still appear to be securing sensitive data in an unplanned and unstructured way leaving both the organisation and data at risk.
“In particular, it is surprising to see that the use of tape backup security is so low in the list of priorities given the risks associated with lost tape and data recovery and we believe this shows organisations are struggling with key management issues for data storage applications.”
When asked where encryption keys would be stored, more than 40 per cent of respondents said they “don't know” for seven out of 13 encryption applications. And, where they did know, the most popular answer was in software on disk, when best practice for securing encryption keys is in a hardware security module.
And highlighting concerns about backing up and revoking or terminating keys to prevent unauthorised data access, 69 per cent of respondents said they would chose to use automated and centralised key management systems as opposed to manual processes.
“It is concerning to see that the high level of encryption planned does not correspond with an understanding of the risks associated with the storage and retrieval of encryption,” added Schulz.