When I attended the Gartner Security & Risk Management summit a couple of weeks ago, I attended a session about Encryption Planning Made Simple. It was a good look at some of the issues facing organizations today and the barriers to the adoption of data encryption solutions.
One of the key points of discussion for this session was the fact that many things are changing in the market today. What was historically a very stable market is now experiencing huge changes, driven by various regulations being evaluated by governments and by things like cloud storage solutions. So while data storage encryption isn’t mandatory for the majority of organizations, it’s suddenly becoming a very hot topic. A great statistic presented by Gartner in this session was:
“By 2016 only 25% of enterprises located within data breach notification jurisdictions will encrypt centrally stored personal or health data.”
Given the number of breaches in the last year alone at various healthcare and other organizations, this is a staggering number. But what’s driving this is the fact that many of the regulations out there aren’t mandatory… yet. The end message was that organizations really need to evaluate the various regulations and balance them against security controls and risk mitigation issues when considering how to best deploy encryption solutions.
Tying into the concept of regulations is the impact of cloud and how that affects an organization and the data they’re storing. Many cloud providers aren’t local to a particular country, and that could mean data is stored across borders and jurisdictions. What does that mean when legal protection is required? Additionally, what about countries that require specific security measures for the privacy of data? If it’s in the cloud in another country or jurisdiction, is that requirement still valid?
What it all came down to when discussing the risks and benefits is the fact that data encryption solutions offer risk mitigation. They’re like insurance in the event data is lost or stolen. They can help minimize the requirements for reporting data loss (if encrypted) and, when dealing with the cloud, offer better protection than the ‘built-in’ security cloud providers offer.
Right now, the cloud is one of the most complicated issues surrounding data encryption and security. The goal should be to encrypt data in the cloud but keep keys locally with the organization. It sounds simple but it’s a tricky subject matter. We’re working to address this solution for customers and hope to be able to show off something pretty cool in the near future.