Encryption – your first line of defense


Editor’s note: This post was written by Charles Kolodgy, IDC Research VP, Security Products.

Business value resides in data – digital information which is easy to create, copy, modify, and disseminate. However, data is difficult to control. The expanding technology environment (mobile devices, cloud services, increasing connectivity, and social networking) is facilitating the use and proliferation of data everywhere.

Illicit access to valuable data puts the enterprise at risk – just look at the recent breaches at businesses like Target and Neiman Marcus. There are many sophisticated, dedicated, and malicious attackers who want your data.

For these reasons the protection and preservation of data should be the primary focus of IT security.

It is well understood that the best method to protect digital data is encryption. With encryption you make sure information is only readable by the people who can decrypt it. You don’t just protect the data from criminals who want to steal the information – but also from inadvertent release as the result of user error or loss.

Additionally, encryption can be used to control access to information that is shared. Only those who have proper access will be able to receive the encryption key. Although people know encryption is required, many do not deploy it as they should because they may be fearful of the technology, worry about performance, consider it too difficult to use, or believe it unmanageable.

The reality with encryption technology today is that most of these impediments have been addressed.

For computers there are many types of encryption – self-encrypting drives, full-disk encryption, file/folder encryption, removable media, email, and cloud storage. These solutions are designed to be reliable and easy to use, and to not significantly degrade performance.

Security mechanisms whose use is controlled by the user do not provide companies with reliable security, and encryption capabilities are much more likely to be deployed when encryption is completely transparent to the user.

The encryption system should be based on corporate policy and automatically make the decisions about what to protect.

Organizations have many choices on what data encryption they deploy, but the greatest value to the enterprise is centralized policy and key management.

Central administration of encryption capabilities, policy setting and enforcement, and encryption key control is critical for data protection.

By having administrative control, you remove the user from the equation, allow for remediation of problems quickly, enhance overall security, and can handle compliance reporting.

The key word for encryption administration is “central.” Managing all the enterprise’s encryption from a single console improves the ability to have consistent enforcement of policy, enables more granular data control through the dissemination of encryption keys, and improves overall efficiency for administrators.

IDC surveys have shown that enterprises are more inclined to deploy encryption if all devices and components could be managed, including key management, under one console.

However, for this to work the policy and key management system must:

  • Be easy for the administrator
  • Be policy driven
  • Be capable of managing third-party and enterprise-developed applications
  • Support computers, mobile devices, email, and collaborative applications, including in the cloud
  • Be expandable, allowing new encryption applications to be added
  • Have strong reporting capabilities

In summary, organizations need to establish and deploy a comprehensive corporate encryption strategy.

The specific mechanisms of encryption deployed should be selected based on need, but functionality is improved when many of the components have a single code base.

What is mandatory is centralized policy and key management. With central policy and key management that can manage multiple encryption engines from multiple vendors, the enterprise can meet existing and future data protection capabilities.

– by Charles Kolodgy, IDC Research VP, Security Products
