Aberdeen Encryption Key Management


Encryption and Key Management
August 2007

Encryption & Key Management Page 2

Executive Summary
To support the broader deployment of encryption for the protection of sensitive data and to deal with the management of encryption keys over their lifecycle, Best-in-Class organizations are beginning to look towards centralized key management and automated key distribution solutions to deliver higher scalability, lower operational costs, reduce risk, establish consistent security policies, and sustain regulatory compliance.
“You have to plan. We spend a lot of time planning. If you don’t, you’re likely to get yourself in a hole you can’t get out of. The number of keys under management never goes down … and we may need to go back and recover encrypted data at any time.”
~ Trusted Computing Development Manager, $5.7B US-based Industrial Equipment Manufacturer (managing encryption keys since 1996, with >3M keys currently under management)

Best-in-Class Performance
Based on feedback from more than 150 organizations, Aberdeen used the following performance criteria to distinguish Best-in-Class companies from Industry Average and Laggard organizations in the protection of sensitive data using encryption and key management:
• Increase in the total percentage of sensitive data identified, compared to a year ago;
• Decrease in the number of incidents of exposed or potentially exposed data due to inconsistent encryption and key management policies, compared to a year ago; and
• Decrease in the number of incidents of inaccessible data due to mismanagement of encryption keys, compared to a year ago.



Competitive Maturity Assessment
Survey results show that the firms enjoying Best-in-Class performance shared several common characteristics. Compared to one year ago:
• 81% increased the number of application types / use cases using encryption
• 71% increased the number of encryption keys under management
• 50% increased the number of locations (including multiple sites, branches, outsourcing partners, partner extranets) implementing encryption
• 46% increased the consistency of encryption and key management policies across multiple applications / use cases



Required Actions
In addition to the specific recommendations in Chapter 3 of this report, to achieve Best-in-Class performance organizations should build the strategic capability to support the flow of information across organizational and network boundaries, by using encryption solutions to secure the data coupled with an infrastructure to manage, protect and control access to the encryption keys that provide the foundation for this higher level of protection.
© 2007 Aberdeen Group. www.aberdeen.com Telephone: 617 723 7890 Fax: 617 723 7897


Table of Contents
Executive Summary (page 2)
  Best-in-Class Performance (2)
  Competitive Maturity Assessment (2)
  Required Actions (2)
Chapter One: Benchmarking the Best-in-Class (4)
  Expanding Use of Encryption (4)
  Maturity Class Framework (5)
  Best-in-Class PACE Model (6)
Chapter Two: Benchmarking Requirements for Success (10)
  Competitive Assessment (10)
  Organizational Capabilities and Technology Enablers (13)
Chapter Three: Required Actions (15)
  Laggard Steps to Success (15)
  Industry Average Steps to Success (15)
  Best-in-Class Steps to Success (15)
Appendix A: Research Methodology (17)
Appendix B: Related Aberdeen Research (20)

Figures
Figure 1: Leading Drivers for Use of Encryption (all respondents) (4)
Figure 2: Strategic Approach to Securing Sensitive Data (7)
Figure 3: Strategic Approach to Encryption (8)
Figure 4: Key Management – Level of Automation (13)

Tables
Table 1: Companies with Top Performance Earn “Best-in-Class” Status (5)
Table 2: Best-in-Class PACE Framework (6)
Table 3: Competitive Framework (11)
Table 4: PACE Framework Key (18)
Table 5: Competitive Framework Key (18)
Table 6: Relationship Between PACE and Competitive Framework (19)


Chapter One: Benchmarking the Best-in-Class
Expanding Use of Encryption
Encryption is the process of transforming information into a form that cannot be read without the possession of special knowledge, referred to as a key. The purpose of encryption is to ensure that the information remains private from anyone not authorized to read it, even from those who may have access to the encrypted data. Although the use of encryption to protect sensitive data – whether the data is at rest, in transit, or in use – is anything but new, its application is growing ever more widespread. High-profile data breaches, identity theft, industry and government regulations, insider attacks, softening consumer confidence, and the increasing mobility of sensitive information are among the many motivations for the expanding use of encryption.

Figure 1: Leading Drivers for Use of Encryption (all respondents)
[Bar chart, percentage of respondents. Categories: Protect sensitive data; Protect against the threat of external attacks; Protect against the threat of internal attacks; Support the mobility requirements of employees. Values plotted: 66%, 19%, 13%, 11%.]
Source: Aberdeen Group, August 2007

Fast Facts
Compared to one year ago:
√ 81% of the Best-in-Class increased the total number of application types / use cases for encryption
√ 71% of the Best-in-Class increased the total number of encryption keys under management
√ 50% of the Best-in-Class increased the number of locations (including multiple sites, branches, outsourcing partners, and partner extranets) using encryption

The increasing adoption of encryption-enabled solutions, however, also translates to a proliferation of encryption keys, and creates a new security management problem: all keys have a lifecycle, which includes generation, distribution, storage, use, archiving, backup and retrieval, replacement, revocation, and eventual expiration and termination. To support the broader deployment of encryption and to deal with the management of encryption keys over their lifecycle, Best-in-Class organizations are beginning to look towards centralized key management and automated key distribution solutions to deliver higher scalability, lower operational costs, reduce risk, establish consistent security policies, and sustain regulatory compliance.
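The lifecycle above, as an added illustration that is not Aberdeen's code or any vendor's API: a small key-manager model whose state machine admits only the transitions the lifecycle implies, keeps archived keys usable for recovering old data (the concern in the quote about needing to go back and decrypt at any time), refuses new encryption under expired or retired keys, and writes every refusal to an audit trail. All class, function and key names are assumptions made for the example.

```python
# Key lifecycle state machine: an added illustration of the stages the report names
# (generation, distribution, use, archiving, retrieval, replacement, revocation,
# expiration, termination). Not Aberdeen's code; every name here is an assumption.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
import secrets

class State(Enum):
    GENERATED = "generated"    # stored, not yet distributed to any endpoint
    ACTIVE = "active"          # distributed; may encrypt and decrypt
    ARCHIVED = "archived"      # replaced or expired; decrypt-only so old data stays recoverable
    REVOKED = "revoked"        # withdrawn from all use; material kept until termination
    TERMINATED = "terminated"  # material destroyed; ciphertext under it is unrecoverable

TRANSITIONS = {  # anything not listed here is refused and written to the audit trail
    State.GENERATED: {State.ACTIVE, State.TERMINATED},
    State.ACTIVE: {State.ARCHIVED, State.REVOKED},
    State.ARCHIVED: {State.REVOKED, State.TERMINATED},
    State.REVOKED: {State.TERMINATED},
    State.TERMINATED: set(),
}

class LifecycleError(Exception): pass

@dataclass
class ManagedKey:
    key_id: str
    material: bytes           # emptied when terminated (destroyed)
    expires: datetime
    state: State = State.GENERATED

class KeyManager:
    def __init__(self, clock):
        self.clock = clock    # injected clock keeps expiry behaviour testable
        self.keys = {}
        self.audit = []       # (timestamp, key_id, event)
    def _log(self, key_id, event):
        self.audit.append((self.clock(), key_id, event))
    def _move(self, key_id, new_state):
        key = self.keys[key_id]
        if new_state not in TRANSITIONS[key.state]:
            self._log(key_id, f"refused {key.state.value}->{new_state.value}")
            raise LifecycleError(f"{key_id}: {key.state.value}->{new_state.value}")
        self._log(key_id, f"{key.state.value}->{new_state.value}")
        key.state = new_state
    def generate(self, key_id, lifetime_days):
        expires = self.clock() + timedelta(days=lifetime_days)
        self.keys[key_id] = ManagedKey(key_id, secrets.token_bytes(32), expires)
        self._log(key_id, "generated")
    def activate(self, key_id):                        # distribution
        self._move(key_id, State.ACTIVE)
    def rotate(self, old_id, new_id, lifetime_days):   # replacement: successor in, old key archived
        self.generate(new_id, lifetime_days)
        self.activate(new_id)
        self._move(old_id, State.ARCHIVED)
    def revoke(self, key_id):
        self._move(key_id, State.REVOKED)
    def terminate(self, key_id):
        self._move(key_id, State.TERMINATED)
        self.keys[key_id].material = b""               # destroy the material
    def key_for_encrypt(self, key_id):                 # use: only current, unexpired, active keys
        key = self.keys[key_id]
        if key.state is not State.ACTIVE or key.expires <= self.clock():
            self._log(key_id, "encrypt refused")
            raise LifecycleError(f"{key_id} not usable for new ciphertext")
        return key.material
    def key_for_decrypt(self, key_id):                 # retrieval: active or archived keys only
        key = self.keys[key_id]
        if key.state not in (State.ACTIVE, State.ARCHIVED):
            self._log(key_id, "decrypt refused")
            raise LifecycleError(f"{key_id} not usable for recovery")
        return key.material

def _refused(fn, *args):
    try:
        fn(*args)
        return False
    except LifecycleError:
        return True

def demo():
    # Walk two constructed keys, k1 and k2, through the lifecycle under a controllable clock.
    now = [datetime(2007, 8, 1, tzinfo=timezone.utc)]
    km = KeyManager(lambda: now[0])
    km.generate("k1", 365)
    r = {"encrypt_before_distribution_refused": _refused(km.key_for_encrypt, "k1")}
    km.activate("k1")
    r["encrypt_active_ok"] = len(km.key_for_encrypt("k1")) == 32
    km.rotate("k1", "k2", 365)
    r["encrypt_archived_refused"] = _refused(km.key_for_encrypt, "k1")
    r["decrypt_archived_ok"] = len(km.key_for_decrypt("k1")) == 32
    now[0] += timedelta(days=400)                      # k2 passes its expiry date
    r["encrypt_expired_refused"] = _refused(km.key_for_encrypt, "k2")
    km.terminate("k1")
    r["decrypt_terminated_refused"] = _refused(km.key_for_decrypt, "k1")
    r["states"] = {k: v.state.value for k, v in km.keys.items()}
    r["refusals_audited"] = sum(1 for _, _, e in km.audit if "refused" in e)
    return r
```

Terminating k1 while ciphertext encrypted under it still exists is exactly the “inaccessible data due to mismanagement of encryption keys” incident the report measures, which is why the model keeps archived keys readable and makes termination an explicit, audited step.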

Objectives for this Report
This research report was designed to give new insights into how organizations are leveraging encryption and key management solutions to:
• Support the use of encryption across an increasing volume of applications, servers, end-users, and networked devices;
• Manage encryption keys across their complete lifecycle, from generation to eventual termination;
• Manage risk in a consistent way across multiple use cases and geographically dispersed locations; and
• Achieve and sustain compliance with internal security policies and external regulations.

For additional details on Aberdeen’s research methodology, see Appendix A.

Maturity Class Framework
Aberdeen used the following performance criteria to distinguish “Best-in-Class” organizations from “Industry Average” and “Laggard” organizations in their use of encryption and key management to protect sensitive data:
• Increase in the total percentage of sensitive data identified, compared to a year ago;
• Decrease in the number of incidents of exposed or potentially exposed data due to inconsistent encryption and key management policies, compared to a year ago; and
• Decrease in the number of incidents of inaccessible data due to mismanagement of encryption keys, compared to a year ago.



Companies with top performance based on these criteria earn “Best-in-Class” status, as described in Table 1. (For additional details, see Table 5 in Appendix A.)

Table 1: Companies with Top Performance Earn Best-in-Class Status

Definition of Maturity Class / Mean Class Performance

Best-in-Class: Top 20% of aggregate performance scorers
• 64% increased the total percentage of sensitive data identified, compared to a year ago
• 82% decreased the number of incidents of exposed or potentially exposed data due to inconsistent encryption and key management policies, compared to a year ago
• 72% decreased the number of incidents of inaccessible data due to mismanagement of encryption keys, compared to a year ago

Industry Average: Middle 50% of aggregate performance scorers
• 47% increased the total percentage of sensitive data identified, compared to a year ago
• 6% increased the number of incidents of exposed or potentially exposed data due to inconsistent encryption and key management policies, compared to a year ago
• 4% increased the number of incidents of inaccessible data due to mismanagement of encryption keys, compared to a year ago

Laggard: Bottom 30% of aggregate performance scorers
• 14% increased the total percentage of sensitive data identified, compared to a year ago
• 33% increased the number of incidents of exposed or potentially exposed data due to inconsistent encryption and key management policies, compared to a year ago
• 31% increased the number of incidents of inaccessible data due to mismanagement of encryption keys, compared to a year ago

Note: the percentages reflected in Table 1 represent the net of all responses of “increased”, “remained the same”, and “decreased” compared to one year ago.
Source: Aberdeen Group, 2007

Best-in-Class PACE Model
Achieving superior performance in protecting sensitive data using encryption and key management requires a combination of strategic actions, organizational capabilities, and enabling technologies, as summarized in Table 2. (For a description of Aberdeen’s PACE Framework, see Table 4.)

Table 2: Best-in-Class PACE Framework

Pressures
• Protect sensitive data

Actions
• Support the use of third-party encryption solutions across an increasing range of existing infrastructure, applications, servers, end-users, and networked devices
• Protect and control access to the network and to the data itself
• Secure the data, and protect and control access to the encryption keys that secure the data

Capabilities
• Flexible distribution and integration of keys to a wide variety of encryption-enabled endpoints
• Management of encryption keys across their complete lifecycle, from generation to eventual termination
• Enforcement of consistent security policies to manage business risk
• Audit, analysis and reporting capabilities to address compliance requirements

Enablers
• File Encryption
• Full-Disk Encryption
• Mobile Device Encryption
• USB Device Encryption
• Database Encryption
• Storage / Backup Encryption
• Application Encryption
• Key Management
• Hardware Security Modules (HSM)
• Trusted Platform Modules (TPM)
• Public-Key Infrastructure (PKI)
• Smart Cards; Card Issuance Systems
Source: Aberdeen Group, August 2007

In response to the pressure to protect sensitive data, 40% of the Best-in-Class indicate that they are supporting the use of third-party encryption solutions across an increasing range of existing infrastructure, applications, servers, end-users, and networked devices. Best-in-Class companies have begun to shift their strategic approach to securing sensitive data:
• from the traditional, perimeter-based approach of protecting the network and controlling access to the data itself (39%),
• to an information-centric, de-perimeterized approach of securing the data combined with protecting and controlling access to the encryption keys that secure the data (25%).

Compared to the Industry Average, the Best-in-Class companies in the survey were 1.9X more likely to have adopted an information-centric, de-perimeterized approach than a traditional, perimeter-based approach to securing sensitive data. See Figure 2.

Figure 2: Strategic Approach to Securing Sensitive Data
[Bar chart, Best-in-Class vs Industry Average. Protect and control access to the network and access to the data itself: 39% vs 45%. Secure the data, and protect and control access to the encryption keys that secure the data: 25% vs 15%.]
Source: Aberdeen Group, August 2007


To date, the most common adoption of encryption across all companies surveyed has been the tactical deployment of point solutions where specific needs exist. However, the research indicates that a new, more strategic approach to encryption and key management has emerged. Best-in-Class companies have started to shift:
• from tactical deployment of point solutions for encryption, where specific needs exist (46%),
• to a top down, enterprise-wide view of encryption for protecting sensitive data (36%).

Compared to the Industry Average, the Best-in-Class companies in the survey were 1.6X more likely to take a strategic, pan-enterprise approach to encryption and key management than a tactical, point-wise approach to deployment of encryption solutions. See Figure 3.

Figure 3: Strategic Approach to Encryption
[Bar chart, Best-in-Class vs Industry Average. Top down, enterprise view of encryption for protecting sensitive data: 36% vs 26%. Point solutions for encryption have been deployed where specific needs exist: 46% vs 52%. Limited deployments of encryption: 18% vs 22%.]
Source: Aberdeen Group, August 2007

In the next chapter, we will see what the leading companies are doing to achieve superior performance in encryption and key management.

Aberdeen Insights – Strategy
Not quite 25 years ago now, the innate tension between two contrary aspects of electronic information was first noted: on the one hand, information can be immeasurably valuable; on the other hand, “information wants to be free”. This tension between value and the ease and convenience with which information can be perfectly replicated is at the heart of the different strategic approaches to protecting sensitive data that we see highlighted in this report.

The traditional, perimeter-based approach to protecting sensitive data manages information in a central location, and controls access to the information itself – analogous to putting the eggs in one basket, then guarding that basket. But as more open, flexible network access and distributed computing models dissolve the traditional network perimeter, the centralized “fortress” model for data protection can be increasingly impractical and ineffective. In its place, an information-centric approach to protecting sensitive data is clearly emerging. By securing the data, rather than only the network and IT infrastructure, information that inherently “wants to be free” can flow freely across organizational and network boundaries – to stretch the previous egg/basket analogy, although they are no longer in one basket the eggs still have a protective shell. This information-centric approach requires – among other things – that along with encryption to secure the data, an infrastructure must be put in place to manage, protect, and control access to the encryption keys. The research shows clear evidence of growth in encryption-related infrastructure solutions that is consistent with the evolution from tactical point deployments of encryption to such a strategic enterprise-wide approach.


Chapter Two: Benchmarking Requirements for Success
The selection and deployment of encryption and key management solutions, and their successful integration with existing business process, plays a crucial role in the ability to leverage these enabling technologies to support higher scale, reduce costs, manage security risk, and achieve compliance with internal policy and external regulations.

Case Study: Maritz, Inc., Fenton, Missouri
Maritz, Inc., a $1.3B provider of integrated performance improvement, incentive travel, and market research services headquartered near St. Louis, is home to 10 business units and 17 call centers. They use encryption throughout the organization for file transfers, wireless connections and to protect payment card data. Maritz has recently put policy and process in place to centralize the management and distribution of encryption keys and to enforce responsible key usage. “Currently, most of our process is manual,” says enterprise architect Bill Hamilton. “We want physical signatures.” Hamilton says there’s been some pushback within the organization against the strict language associated with key usage, but feels that Maritz is getting what it wants in terms of manageability and accountability. “Our key management process is relatively new,” says Hamilton, “and it’s helping us manage our Service Level Agreements. We want everything managed from one central location, so we know exactly what got sent and when.”

Identification and classification of information assets is the first step in any encryption and key management initiative, and as the saying goes the first step can be the hardest. “The hardest part [of protecting sensitive data] is finding all the places it’s being used,” notes Hamilton. A higher degree of automation of the key management process remains possible for the future, but in the early stages Maritz will continue to rely on its proven manual processes. “Because our auditors require paper trails, we’re likely to stick with our manual process for now – it’s working.”

Fast Facts
Based on survey responses for current use vs. planned use in the next 12 months, organizations will:
√ Significantly expand the use of encryption to gain control over ‘data in use’ by mobile end-users, with greatest attention on smart phones and PDAs, USB devices such as iPods and thumb drives, and flash memory cards (>100% year-over-year growth)
√ More uniformly deploy encryption for protection of data in back-end applications, including database encryption, application encryption, server-to-server encryption, and encryption of Web Services transactions (>50% year-over-year growth)

Competitive Assessment
The aggregated performance of surveyed companies determined whether they ranked as Best-in-Class, Industry Average or Laggard. Each class also shared common characteristics in the following categories:
(1) Process (scope of process standardization; efficiency and effectiveness of these processes);
(2) Organization (how the company is organized to manage and optimize these processes);
(3) Knowledge (visibility into vital information and intelligence required to manage these processes);
(4) Technology (selection of appropriate enabling tools, and intelligent deployment of those tools); and
(5) Performance (measurement of the benefits of technology deployment, and use of the results to improve processes further).

These characteristics (identified in Table 3 below) serve as a guideline for best practices and correlate directly with Best-in-Class performance across the respective metrics.

Table 3: Competitive Framework (Best-in-Class / Average / Laggards)

Process
• Distribution and integration of encryption keys to a wide variety of encryption-enabled endpoints: 46% / 30% / 16%
• Management of encryption keys across their complete lifecycle, from generation to eventual termination: 36% / 26% / 8%
• Enforcement of consistent security policies related to encryption and key management: 46% / 27% / 14%
• Controls to ensure that monitoring and compliance methods satisfy the requirements of INTERNAL policies: 71% / 47% / 31%
• Controls to ensure that monitoring and compliance methods satisfy the requirements of EXTERNAL regulations: 64% / 44% / 20%

Organization
• Responsible executive or team with primary ownership for the creation and revision of encryption and key management policies and practices: 50% / 40% / 18%
• Formal awareness and end-user training programs around encryption and key management: 32% / 14% / 14%

Knowledge
• Consistent asset classification scheme: 40% / 40% / 10%
• All data assets are identified and classified: 36% / 27% / 12%

Technology
Selected encryption technologies currently in use:
• File encryption (desktop / laptop): 57% / 51% / 29%
• File encryption (server): 57% / 32% / 27%
• Full-Disk encryption: 22% / 22% / 14%
• Database encryption: 39% / 26% / 16%
• Client certificates: 46% / 37% / 12%
• Public-Key Infrastructure (PKI): 46% / 38% / 25%
• Key Management (as a standalone product): 29% / 25% / 18%

Performance
• Support encryption at more endpoint types: 81% / 52% / 35%
• Manage larger number of encryption keys: 71% / 55% / 27%
• Greater consistency of encryption and key management policies across multiple applications / use cases: 46% / 18% / 8%
• Support encryption at more locations (including multiple sites, branches, outsourcing partners, partner extranets): 50% / 38% / 12%
• Greater consistency of encryption and key management policies across multiple locations: 29% / 18% / 8%
Source: Aberdeen Group, August 2007

Note: the percentages reflected under “Performance” are in comparison to one year ago.

As shown in Figure 4, the research shows that Best-in-Class companies are investing in automated key management and key distribution capabilities to cope with, and reap the benefits of, significantly broader use of encryption. Compared to all companies surveyed, the Best-in-Class supported 1.9X more keys with an estimated 34% lower total annual cost on a per-key basis.


Figure 4: Key Management – Level of Automation
[Line chart of Average Performance Rating (1=Low, 5=High) for Best in Class, Industry Average and Laggards at three points in time: one year ago, currently, and projected one year from now. Values plotted: 1.4, 1.6, 1.8, 2.0, 2.3, 2.3, 2.9, 3.0, 3.4.]
Source: Aberdeen Group, August 2007

Organizational Capabilities and Technology Enablers
A well-designed implementation strategy for encryption and key management includes the following essential steps:
• Identify and classify all information assets – Best-in-Class organizations are 4X more likely than Laggards to have a consistent asset classification scheme, and 3X more likely than Laggards to have classified and identified all data assets.
• Establish policies for all classifications, applications, use cases, and locations involving sensitive data – Best-in-Class organizations enforce consistent policies for encryption and key management at a rate 3.3X higher than that of Laggards.
• Implement enabling technologies to remediate known risks and to protect against future risks to sensitive data – as detailed in Table 3, Best-in-Class organizations have deployed encryption technologies and encryption-related infrastructure more broadly than their counterparts in Industry Average or Laggard organizations to achieve these objectives. See additional discussion on enabling technologies in the Aberdeen Insights section on Technology, below.
• Establish controls to ensure that monitoring and compliance methods satisfy the requirements of both internal policies and external regulations – Best-in-Class organizations have established consistent controls at a rate 1.5X higher than that of the Industry Average, for both internal and external requirements.
• Educate relevant stakeholders with formal awareness and end-user training programs around encryption and key management – Best-in-Class organizations do this with 2.3X higher incidence than all other companies, although at only 40% even the Best-in-Class can improve in this regard.

Aberdeen Insights – Technology
To date, companies surveyed deploying encryption to protect ‘data at rest’ on end-user devices have focused most heavily on file encryption (45%) and full-disk encryption (20%) on desktops and laptops. Nearly twice as many respondents indicate they will deploy full-disk encryption versus file encryption for desktops / laptops in the year to come. In the next 12 months, organizations surveyed also indicate that they are seeking to gain more control over the data that is flowing to end-user devices, with significantly increasing attention on smart phones and PDAs, as well as USB devices such as iPods (to combat potential “Pod-slurping”) and USB thumb drives (to prevent loss of data through “thumb-sucking”). Projected year-over-year growth in these areas (planned use versus current use) is >100%. The data wants to be free, and yet it must be protected.

For protection of data in back-end applications, the data indicates more uniform deployment in areas such as database encryption, application encryption, server-to-server encryption, and encryption of Web Services transactions – each with >50% year-over-year growth in planned deployment. Indicated growth of several encryption-related infrastructure solutions is consistent with the expected evolution from tactical, point deployments to a more strategic, enterprise-wide approach to protecting sensitive data. Hardware Security Modules (HSMs), standalone Key Management solutions, Public-Key Infrastructure (PKI), and Smart Card Issuance systems all had year-over-year growth outlooks of about 50%. In addition, although starting from a relatively small base, the projected growth outlook for Trusted Platform Modules (TPMs) was very strong at >120%.

As more technology solutions provide native, out-of-the-box support for encryption, organizations have the promise of broader deployment and better protection of sensitive data in the long term – as well as the short term potential for market confusion and redundant management costs. Compared to the Industry Average, Best-in-Class organizations are about 10% more likely to support the use of third-party encryption solutions, but they are 2X more likely to support the use of encryption as it is supported natively in their portfolio of deployed solutions. This open attitude towards early adoption of native encryption by the Best-in-Class is more feasible due to the fact that these are the companies who have also adopted the more strategic, enterprise-wide approach to encryption and key management.

Chapter Three: Required Actions
Whether an organization is trying to move its performance in encryption and key management from “Laggard” to “Industry Average,” or “Industry Average” to “Best-in-Class,” the following actions will help drive the necessary performance improvements.
Fast Facts
• Best-in-Class companies are investing in automated key management and key distribution capabilities to cope with, and reap the benefits of, significantly broader use of encryption.
• Compared to all companies surveyed, the Best-in-Class supported 1.9X more keys with an estimated 34% lower total annual cost on a per-key basis.

Laggard Steps to Success
• Identify and classify all information assets – only 10% of Laggard organizations have a consistent asset classification scheme, and only 12% indicate that they have identified and classified all data assets. The hardest part of protecting data is first finding where it is.
• Establish consistent policies – very few (8%) Laggard organizations indicated an increase in consistency of policies across multiple applications, use cases and locations compared to a year ago. Planning and knowing what to do is a critical prelude to implementation of enabling technologies.
• Assign clear organizational ownership – only 18% of Laggard organizations have a responsible executive or team with primary ownership for the creation and revision of encryption and key management policies and practices. Clear responsibility and accountability (“one throat to choke”) is a critical success factor for any IT security project.

Industry Average Steps to Success
• Identify and classify all information assets – Industry Average organizations are on par with the Best-in-Class at having a consistent asset classification scheme (40%), but only 27% indicate that they have identified and classified all data assets.
• Increase consistency of policies – more than 50% of Industry Average organizations indicated an increase in number of endpoint types using encryption and number of encryption keys under management … but only 18% indicated an increase in consistency of policies across multiple applications, use cases and locations compared to a year ago.
• Improve controls to sustain compliance – less than half of Industry Average organizations had implemented controls to ensure that their monitoring and compliance methods satisfy the requirements of both internal policies and external regulations.





Best-in-Class Steps to Success
• Identify and classify all information assets – Best-in-Class organizations led the way at having identified and classified their data assets, but at only 40% they should continue to carry out their work in this vitally important step.
• Continue steps towards a strategic, top-down view of encryption and key management – only 36% of Best-in-Class organizations currently report management of encryption keys across their complete lifecycle, from generation to eventual termination.
• Invest in end-user training and awareness – only 32% of Best-in-Class organizations indicate that they currently have formal awareness and end-user training programs around encryption and key management. The technological aspect of data protection is necessary, but not sufficient – the human factor plays a critical role as well.

Aberdeen Insights – Summary
In an information-centric, de-perimeterized approach to protecting sensitive data, all organizations need to:
• identify and classify their information assets;
• establish consistent policies;
• implement an appropriate portfolio of enabling technologies for encryption and key management; and
• establish controls to ensure compliance with both internal policies and external regulations.



Technical controls alone are not enough – companies must also educate all relevant stakeholders through formal awareness and end-user training programs around encryption and key management. Clear ownership and accountability for the creation and revision of encryption and key management policies and practices by a senior executive or team is also a critical factor for successful implementation. Best-in-Class organizations have not only deployed encryption more widely for the protection of sensitive data, but also have begun to implement centralized key management and automated key distribution solutions to deliver higher scalability, lower operational costs, reduce risk, establish consistent security policies, and sustain regulatory compliance.


Appendix A: Research Methodology
In August 2007, Aberdeen Group examined the current and planned use of encryption to protect sensitive data, and best practices for managing the encryption keys that secure the data over their life cycle. The experiences and intentions of more than 150 enterprises from a diverse set of organizations are represented in this study. Respondents completed an online survey that included questions designed to determine the following:
• The degree to which organizations are using encryption across an increasing variety of applications, servers, end-users, and networked devices;
• The approaches taken to manage encryption keys across their complete lifecycle, from generation to eventual termination;
• The degree to which encryption is being used to help organizations manage risk in a consistent way across multiple use cases and geographically dispersed locations; and
• The impact of encryption and key management on achievement of compliance with internal security policies and external regulations.



Aberdeen supplemented this online survey effort with telephone interviews with select survey respondents, gathering additional information on encryption and key management strategies, experiences, and results. The study aimed to identify emerging best practices for encryption and key management, and to provide a framework by which readers can assess their own capabilities in these areas. Responding enterprises included the following:
• Job title/function: The research sample included respondents with the following job titles: President/CEO/COO/CIO/CSO/Chief Compliance Officer (28%); Vice President/Director (20%); Manager (22%); Staff/Consultant (25%). The largest segment by functional responsibility was IT, representing 56% of the sample.
• Industry: The research sample included respondents from a wide variety of industries, including Finance/Banking (20%), Government/Aerospace/Defense (17%), Telecommunications (14%), Healthcare (7%), and Insurance (7%).
• Geography: The majority of respondents (54%) were from North America. Remaining respondents were from Europe/Middle East/Africa (25%), the Asia-Pacific region (16%), and South/Central America (5%).
• Company size: Large enterprises (annual revenues above US$1 billion) represented 22% of the respondents; 26% were from midsize enterprises (annual revenues between $50 million and $1 billion); and 52% of respondents were from smaller enterprises (annual revenues of $50 million or less).

Solution providers recognized as sponsors of this research were solicited after the fact and had no substantive influence on the direction of the final Encryption & Key Management benchmark report. Their sponsorship has made it possible for Aberdeen Group to make these findings available to readers at no charge.

Table 4: PACE Framework Key Overview
Aberdeen applies a methodology to benchmark research that evaluates the business pressures, actions, capabilities, and enablers (PACE) that indicate corporate behavior in specific business processes. These terms are defined as follows:
Pressures — external forces that impact an organization's market position, competitiveness, or business operations (e.g., economic, political and regulatory, technology, changing customer preferences, competitive)
Actions — the strategic approaches that an organization takes in response to industry pressures (e.g., align the corporate business model to leverage industry opportunities, such as product/service strategy, target markets, financial strategy, go-to-market, and sales strategy)
Capabilities — the business process competencies required to execute corporate strategy (e.g., skilled people, brand, market positioning, viable products/services, ecosystem partners, financing)
Enablers — the key functionality of technology solutions required to support the organization's enabling business practices (e.g., development platform, applications, network connectivity, user interface, training and support, partner interfaces, data cleansing, and management)
Source: Aberdeen Group, August 2007

Table 5: Competitive Framework Key Overview
The Aberdeen Competitive Framework defines enterprises as falling into one of the following three levels of practices and performance:
Best-in-Class (20%) — Practices that are the best currently being employed and significantly superior to the Industry Average, and result in the top industry performance.
Industry Average (50%) — Practices that represent the average or norm, and result in average industry performance.
Laggards (30%) — Practices that are significantly behind the average of the industry, and result in below average performance.
In the following categories:
Process — What is the scope of process standardization? What is the efficiency and effectiveness of this process?
Organization — How is your company currently organized to manage and optimize this particular process?
Knowledge — What visibility do you have into key data and intelligence required to manage this process?
Technology — What level of automation have you used to support this process? How is this automation integrated and aligned?
Performance — What do you measure? How frequently? What's your actual performance?
Source: Aberdeen Group, August 2007


Table 6: Relationship Between PACE and Competitive Framework
PACE and Competitive Framework: How They Interact
Aberdeen research indicates that companies that identify the most impactful pressures and take the most transformational and effective actions are most likely to achieve superior performance. The level of competitive performance that a company achieves is strongly determined by the PACE choices they make and how well they execute.
Source: Aberdeen Group, August 2007


Appendix B: Related Aberdeen Research
Related Aberdeen research that forms a companion or reference to this report includes:
• The Ins and Outs of Email Vulnerabilities (July 2007)
• Protecting Cardholder Data: Best-in-Class Performance at Addressing the PCI Data Security Standard (June 2007)
• Thwarting Data Loss (May 2007)

Information on these and any other Aberdeen publications can be found at www.aberdeen.com.

Author: Derek E. Brink, Vice President & Research Director, IT Security ([email protected])
Aberdeen is a leading provider of fact-based research and market intelligence that delivers demonstrable results. Having benchmarked more than 30,000 companies in the past two years, Aberdeen is uniquely positioned to educate users to action: driving market awareness, creating demand, enabling sales, and delivering meaningful return-on-investment analysis. As the trusted advisor to the global technology markets, corporations turn to Aberdeen for insights that drive decisions. As a Harte-Hanks Company, Aberdeen plays a key role of putting content in context for the global direct and targeted marketing company. Aberdeen's analytical and independent view of the "customer optimization" process of Harte-Hanks (Information – Opportunity – Insight – Engagement – Interaction) extends the client value and accentuates the strategic role Harte-Hanks brings to the market. For additional information, visit Aberdeen http://www.aberdeen.com or call (617) 723-7890, or to learn more about Harte-Hanks, call (800) 456-9748 or go to http://www.harte-hanks.com. V073107b
