Australian organisations will spend more than ever – an estimated A$4.9 billion – on enterprise information security and risk management products and services in 2021, an increase of 8% from 2020, according to the latest forecast from Gartner, Inc.
It is no surprise that cloud security is anticipated to be the fastest-growing segment, with growth of 33.8% forecast for this year, to A$15 million.
The annual Entrust Australia Encryption Trends Study answers this question and more by examining how and why enterprises deploy encryption. Conducted by the Ponemon Institute, the 2021 study features insights that help reveal the future of encryption use and the solutions organisations are leveraging to solve the difficulties of working across multiple cloud environments.
Threats, main drivers and priorities
The adoption of encryption in Australia continues to outpace global averages, and this is not surprising considering the top driver for encrypting data in Australia is to protect information against specific, identified threats (63% of respondents, vs. the global average of 50% and up from 50% in Australia last year).
The next highest driver was compliance with external privacy or data security regulations and requirements (52%, down from 57% last year).
Organisations in Australia encrypt several data types at rates much higher than the global averages, including intellectual property, employee/HR data and customer information.
Mobility, digital transformation projects, IoT projects, work from home policies – all these have created new destinations for data that need to be accounted for in the enterprise data protection strategy. The big Achilles heel for sensitive data is that if you protect it in five or six places but leave it exposed in one or two others, attackers are adept at finding the areas where data protection is weakest.
Unfortunately, one area of weakness is within the enterprise itself, as survey respondents rate employee mistakes as the greatest threat that might result in the exposure of sensitive data.
Delving deeper into the data, this is perhaps not that surprising. Increasingly, organisations have very diverse encryption technology needs in order to protect a wide range of data. Employees are thus forced to learn the security configurations of multiple tools, making errors unavoidable. This is a particular challenge with public cloud environments, as each offers its own settings and functionality, which are regularly updated.
So how can these errors be averted, or at least mitigated? The answer lies in the management of encryption, specifically encryption key management.
How painful is key management?
There are a lot of different applications where you can use encryption – indeed, large organisations might use as many as 15 different applications. The predominant use cases are the mature and easy-to-use ones – backup and archive database encryption, laptop, hard disk encryption. However, as data and intellectual property protection becomes more central to an organisation’s security strategy, the intricacies of different encryption technologies inevitably lead to errors in manual administration of these critical encryption keys. So it is predictable that nearly 60% of respondents rate encryption key management as very painful. The top reasons cited for this pain are lack of skilled personnel and inadequate key management tools.
As enterprises recognize and migrate to the increased flexibility and cost economy that cloud services provide, the need to keep tight control of the encryption keys becomes paramount.
Almost half of organisations transfer sensitive or confidential data to the cloud (whether or not it is encrypted or made unreadable via some other mechanism) and another 31 percent of respondents plan to in the next 12 to 24 months. It is not surprising then that the most difficult keys to manage are keys for external cloud or hosted services, including BYOK keys (82% of respondents), which is the highest rate worldwide.
The importance of HSMs (hardware security modules)
By far, the increase in usage of HSMs – certified hardware to protect and control these critical encryption keys – shows the way forward to effectively manage enterprise encryption strategies.
We asked respondents who are in organisations that currently deploy HSMs how important they are to their encryption or key management strategy. Seventy-three percent of respondents say they are important today and 83 percent of respondents say they will be important in the next 12 months.
The way forward
To assure the trust of the consumer, protect against threats, and to meet rigorous security mandates, there is no doubt that any organisation’s data protection policy must put their enterprise encryption strategy at the top of their priority list.
However, the effectiveness of any encryption strategy will depend not only on the deployment of these technologies, but also on the security given to the protection of these critical cryptographic keys, increasingly more important as the cloud economy – across hybrid and multi-cloud environments – becomes the norm.