Why Enterprises Are Struggling So Much with Encryption

Wednesday, February 19, 2014

Patrick Oliver Graf

E595c1d49bf4a26f8e14ce59812af80e

Encryption. For most organizations, the need for it is very apparent, but for some reason, its implementation often falls well short of goals and expectations. The obvious question here is: why? A recent Ponemon Institute study took a closer look at what exactly is giving enterprises such a headache when it comes to efficiently using encryption. The results were interesting, to say the least.

According to InformationAge, the research, which included more than 4,800 business and IT managers worldwide, unsurprisingly revealed encryption use is on the rise, as companies try to stay ahead of growing privacy and compliance regulations, consumer concerns and increasingly sophisticated cyber attacks. In fact, 35 percent of organizations now have enterprise-wide encryption, compared to 29 percent last year. What was surprising, however, was the apparent objective shift, “For the first time, the primary driver for deploying encryption in most organizations was to lesson the impact of data breaches, whereas in previous years the primary concern was protecting the organization’s brand or reputation.”

An alarming fact found in the study is only 20 percent of organizations polled think they are obligated to disclose data breaches, and of those, nearly 50 percent believe that because the data is encrypted, that circumvents the need to publically acknowledge an infiltration occurred. While the ethics of those policies are certainly subject to debate, a bigger problem perhaps is that all organizations surveyed are challenged with simply finding their sensitive data, as more than 60 percent agree that discovering exactly where it resides is the greatest challenge to deploying an encryption policy. More than half also agreed managing keys and certificates is a major issue, but over 70 percent concede they don’t allocate enough dedicated staff or tools to adequately maintain this task.

Could outsourcing these tasks be the quick fix? Potentially, but so, too could a centrally managed solution. For example, a centrally managed remote access solution could include public key infrastructure (PKI) enrollment functionality to connect a PKI to a remote access VPN and automate the process of managing keys and certificates. With the addition of that functionality, a central management system can act as a registration authority and manage the creation and administration of electronic certificates in conjunction with certificate authorities. Central management also enables organizations to improve network access control. An initial screening process when employees first join a company allows IT administrators to ensure that an employee is not only trustworthy, but given access to only the necessary parts of the network based on their role. By ensuring proper authentication and access control, including verifying each user’s role and attributes, enterprises can safeguard their network from cyber criminals attempting to establish encrypted communication and prevent employees from exposing data.

However, today’s savvy cyber criminals are constantly looking for the path of least resistance into corporate networks and, unfortunately, they often find that weakness in basic human error. A resounding 27% of those surveyed indicated the number one threat to the exposure of sensitive data is employee mistakes. Furthermore, “When employee mistakes are combined with accidental system or process malfunctions, concerns over inadvertent exposure outweigh concerns over actual malicious attacks by more than two-to-one.”

As we’ve stressed multiple times in the past, and as this research clearly underscores, the importance of employee education cannot be emphasized enough. Of course, easy to use, one click solutions reduce the likelihood of employee error relating to VPN configurations, but parameter locks can take it a step further. Employees who are constantly on the go are usually not IT specialists, and when their VPN connection is disrupted for whatever reason, attempting to reconfigure it on their own and doing so incorrectly is a major security problem. However, parameter locks allow VPN, firewall and internet connection configurations to be centrally managed by network administrators, who can lock them and distribute them accordingly to the appropriate users.  

In conclusion, despite ensuing struggles for organizations attempting to utilize encryption, there are some very attainable solutions. For example, new and more advanced types of encryption, such as elliptic curve cryptography can be used harmoniously to make sensitive data safer, and more difficult to hack, than ever before. Properly implemented encryption is an essential part of any secure remote access strategy, and centrally managed solutions help previously strained organizations make encrypted access to corporate networks a reality.

This post originally appeared on VPN Haus

Possibly Related Articles:
12858
Encryption
Post Rating I Like this!
Default-avatar
Eric Kronthal You make an excellent point that there is a rapidly growing awareness about the importance of protecting data, but a lack of underststanding re: the execution of such a program. The increased number of high profile data breaches has certainly added to general awareness of this problem. Last year the SANS Institute ranked cyber espionage as a top 3 top cyber menace worldwide http://www.koolspan.com/blog/weekly-word-cyber-espionage/
1394193801
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.