According to research from B2B International on behalf of Kaspersky Lab, this shows a sharp rise in the use of encryption technology from a similar survey last year, “where it barely crept into the top ten.”
This increasing use of encryption has most likely been spurred by the rise in major data breaches over the last few years, coupled with strengthening data protection laws and regulations. “In effect,” says Kaspersky, “encryption is the final defensive barrier: even after a criminal has successfully forced his way into the company’s IT infrastructure – this last hurdle makes it extremely difficult to get access to important information.”
But the report also makes clear that there is still a long way to go. “Only one-third of specialists (36%) use full disk encryption (also known as encryption of information arrays) and less than half of those specialists (44%) actually protect critical information. Data encryption on external devices, e.g. USB drives, is used by 32%.”
Sadly, the report makes no mention of two of today’s hottest issues: protection of user passwords by encryption-related hashing technology; and whether and how to encrypt data in the cloud. The first is particularly difficult, with hacktivists and hackers still dumping passwords that have been stored in plaintext, or protected only with weak hash algorithms.
The cloud and encryption is a separate conundrum. The European Commission, for example, is urging business and governments to make greater use of cloud computing. But data protection officials are urging caution – effectively suggesting that encryption would be an important part of using the cloud while remaining compliant. The difficulty is how can you store data in the cloud, encrypt it, and ensure that the encrypted data remains usable?
One problem is the keys. Porticor highlighted the issue in a blog posting yesterday on cloud encryption and PCI. “For example,” it wrote, “an enterprise can easily encrypt a virtual cloud disk, but who’s managing the encryption keys? If the encryption keys are managed by the cloud provider or the security vendor, the enterprise will not achieve compliance (and more importantly – true security).”
Two approaches are typified by SealPath and CipherCloud, both of which will encrypt data in the cloud. The former’s approach is to encrypt the data and manage the keys on its own servers. This makes key management painless to the user, but according to Porticor, is non-compliant with PCI. CipherCloud’s approach is to both encrypt and manage keys locally with the user. This would be compliant and more secure for cloud storage, but throws greater responsibility on the customer – who must both protect those keys and yet still make them available to authorized users.
What the Kaspersky Lab survey shows, both in what it says and what it leaves unsaid, is that interest in encryption is growing; but still has a long way to go.