Is There A Weak Link In Your Encryption Strategy?

by Luke Brown, VP EMEA, WinMagic    Sep 17, 2018


Rather like the never-ending pool of news stories about Brexit, many of us have tuned out of reports about data breaches – whether criminally motivated or human error – simply because they’re so common. We’ve become accustomed to stories about customers’ sensitive data being lost. It’s become part of the fabric of our lives. It’s no longer news. IT security teams are doing their best to protect themselves from cyber criminals, constantly playing a cat-and-mouse game of catch-up.

A key part of their armoury is encryption. Almost as old as the Internet itself, it’s a fundamental point of defence in preventing data leaks. It’s a time-tested tool that can severely hinder attackers in their goal to steal confidential user and customer data, trade secrets, and more. However, the rise of new technologies such as mobility, cloud and virtualisation, combined with an increasingly complex regulatory environment, means companies are finding the need for encryption more than ever before. To make matters worse, boardrooms are not adapting to these developments. As it is, encryption is being seen by IT operations as a tick-box exercise, with point solutions encrypting only segments of network infrastructure.

There is little to no push from leadership to ensure there is a universal encryption policy over the entire network. Without this overarching encryption solution with centralised key management, businesses create weak links in their armour.

Weak link #1 – Data Sprawl

What you don’t know can hurt you. With the dissolving network perimeter, your data can be anywhere. Mobile devices and inexpensive, easy-to-use, cloud file-sharing services make it easy to work anywhere and anytime. Such access has become essential to operating in an always-connected world.

However, continuous encryption can be complicated to implement in modern environments where infrastructure and data span both cloud and on-premises servers. Native encryption technologies are useful at one level, but they can still leave your devices vulnerable, and IT admin teams are left with lots of encryption keys to juggle, which is a real headache. Where companies lack strict security and encryption management for technologies such as virtual machines and hyper-converged infrastructure, uncontrolled data sprawl can be common, leading to silos of hidden data and a fragmentation of governance.

Weak link #2 – Compliance Requirements

We know that data leaks occur throughout the IT equipment spectrum – on networks when information is transferred or when devices are left unattended, lost or stolen and eventually fall into the wrong hands. There are lots of ways to lose information and every one of them is potentially damaging to an enterprise. With ever more stringent regulations, it’s easy for an organisation to fall foul of the requirements (often without knowing), leaving themselves exposed and non-compliant, and at risk of heavy fines.

Added to that, more and more regulations stipulate the need to not only protect data with encryption, but also protect the keys used to encrypt the data. In fact, GDPR, MiFID II, PCI DSS and other breach notification laws state that businesses must document and implement procedures to protect keys used to secure data against disclosure. At the end of the day, the value of encryption is only as good as the trust in your keys.

Strengthening that chink in the armour

It’s easy to see how things can quickly get very complex, and why it’s important that organisations enforce encryption automatically through their security policy to help avoid disaster. With boardroom-enforced encryption platforms, businesses can rest easy knowing that data is protected across the network and that encryption can’t be turned off by employees looking to optimise device performance, which is a real problem for both point encryption solutions and anti-virus products.

Encryption not only turns information or data into an unbreakable, unreadable code should someone unauthorised try to access it, but it is also often the only technology referenced in these evolving and escalating regulations as a reasonable and appropriate security measure.

Furthermore, centralising encryption management and ensuring keys are controlled from one point helps a company further enforce these regulatory and governance requirements. Ultimately encryption is the last line of defence when a breach occurs, regardless of whatever action caused it, invader or accident.

In conclusion

If there is one absolute truth in business, it’s that data is now everywhere. Big or small, companies wrestle with keeping data secure with an ever-expanding mobile and agile workforce. Effective control and management of the IT infrastructure spanning on-premises and cloud service providers, for security and specifically encryption, is the only way to minimise the risks of data loss and meet growing legislative requirements.