2013 global encryption trends study

1,052 views
887 views

Published on

L’évolution du chiffrement au cours des 10 dernières années et ses conséquences sur la sécurité globale des entreprises

Published in: Technology
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
1,052
On SlideShare
0
From Embeds
0
Number of Embeds
49
Actions
Shares
0
Downloads
19
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

2013 global encryption trends study

  1. 1. 2013 Global Encryption Trends Study Encryption continues along its path to mainstream adoption but key management concerns highlight potential barriers to deployment. Sponsored by Thales e-Security Independently conducted by Ponemon Institute LLC Publication Date: February 2014 Ponemon Institute© Research Report
  2. 2. 2013 Global Encryption Trends Study Table of Contents From Page To Page Part 1. Executive Summary 2 4 Part 2. Key Findings 5 36 Strategy and adoption of encryption 5 7 Trends in encryption adoption 8 10 Encryption and security effectiveness (SES) 11 13 Threats, main drivers and priorities 14 19 Deployment choices and decision criteria 20 22 Encryption features considered most important 23 23 Attitudes about key management 24 27 Importance of the key management interoperability protocol (KMIP) 28 29 Importance of hardware security modules (HSM) 30 32 Budget allocations 33 35 Part 3. Methods & Limitations 37 39 Appendix: Consolidated Findings 40 47 Thales e-Security & Ponemon Institute© Research Report Page 1
  3. 3. 2013 Global Encryption Trends Study1 Ponemon Institute, February 2014 Part 1. Executive Summary Ponemon Institute is pleased to present the findings of the 2013 Global Encryption Trends Study, sponsored by Thales e-Security. We surveyed 4,802 individuals across multiple industry sectors in eight countries - the United States, United Kingdom, Germany, France, Australia, Japan, Brazil 2 and, for the first time, the Russian Federation. The purpose of this research is to examine how the use of encryption has evolved over the past nine years and the impact of this technology on the security posture of organizations. The first encryption trends study was conducted in 2005 for 3 a US sample of respondents. Since then we have expanded the scope of the research to include respondents in all regions of the world. This year, for the first time, the survey included respondents in the Russian Federation. In our research we consider the threats organizations face and how encryption is being used to reduce these risks. As in prior years, we asked questions about the types of encryption technologies deployed, the most salient threats to sensitive and confidential information, data protection priorities, and budgeted expenditures for encryption and key management activities. Following is a summary of our most salient findings. More details are provided for each key finding listed below in the next section of this paper. We believe the findings are important because they demonstrate the relationship between encryption and a strong security posture. As shown in this research, organizations with a strong security posture are more likely to invest in encryption and key management to meet their security missions. Following are big encryption trends over nine years:  Steady improvement in the security posture of participating companies.  Increase in the use of encryption as part of an enterprise strategy rather than a point solution.  More influence at the business unit level in choosing and deploying encryption technologies.  Decrease in the importance of compliance as a main driver to encryption adoption as focus shifts to honoring privacy obligations.  Continued awareness of the key management interoperability protocol (KMIP) and adoption hardware security modules (HSM).  Increase in spending on encryption and key management as a percentage of the IT budget. Summary of key findings: More organizations are adopting an enterprise encryption plan or strategy rather than relying on ad hoc requirements or informal policies. Since the first study, the number of respondents reporting that their organizations have a comprehensive encryption strategy versus those who say their organizations do not have such a strategy has increased. Today, organizations that have a comprehensive strategy outnumber those that do not have such a strategy by more than two to one. Business unit leaders are gaining influence over their company’s use of encryption solutions. IT leaders are still most influential in determining the use of encryption. However, nonIT business managers are becoming more influential. This indicates that business unit leaders are taking a greater role in determining the encryption technologies their organizations need to ensure data security and privacy. 1 This year’s study was completed in December 2013 for eight country samples. In the figures, countries are abbreviated as follows: Germany (DE), Japan (JP), United States (US), United Kingdom (UK), Australia (AU), France (FR), Brazil (BZ) and Russia (RF). 3 The trend analysis shown in this study was performed on combined country samples spanning nine years (since 2005). 2 Thales e-Security & Ponemon Institute© Research Report Page 2
  4. 4. Encryption usage is an indicator of a strong security posture. Organizations that deploy encryption extensively throughout the enterprise as opposed to limiting its use to a specific purpose (i.e., point solutions) appear to be more aware of threats to sensitive and confidential information and spend more on IT security. In other words, encryption use makes a strong contribution to an organization’s overall security posture. Furthermore, organizations with a strong security posture are three times more likely to have an encryption strategy than those with a lower security posture. Employee mishap is considered the main threat to sensitive and confidential data. Concerns over accidental data leakage outweigh fears about attacks by malicious insiders or hackers by almost a factor of two. The main driver for using encryption is lessening the impact of data breaches. This represents a shift in priorities. In previous years, the primary driver was protecting brand or reputation. In Australia and France the main reason for encryption is to comply with privacy or data security regulations and requirements. Encryption has a major impact on the perceived need to disclose data breaches. There is a wide range in attitudes regarding the perceived need to disclose a breach. However, the findings indicate that respondents in all countries recognize that data encryption minimizes notification requirements to breach victims. The discovery of data at risk and the actual deployment of encryption are the top two challenges. Of least concern are allocating budget, selecting the right encryption solution and options and measuring effectiveness. The use of encryption is steadily growing in all categories. The encryption of external public networks, databases and backup files are most likely to be extensively deployed throughout the enterprise. Deployment of encryption in cloud environments remains low. Seventy percent of respondents report they are deploying five or more different types of encryption. Financial service companies are most likely to use encryption technologies throughout the enterprise. In contrast, manufacturing and retail organizations are less likely to extensively deploy encryption. The strongest growth in adoption of encryption is seen in the financial services and hospitality sectors. German, US and Russian companies are most likely to use encryption technologies throughout the enterprise. Australian, French and Japanese companies are the least likely to extensively use encryption technologies. Most important features of encryption technology solutions are system performance and latency, automated management of keys and automated enforcement of policies. The least important features are support for longer encryption keys and support for formal preserving encryption. The importance of all aspects of functionality has increased as more organizations deploy encryption. The issue of whether the encryption solution conforms to security standards has become more significant. Key management is painful for most organizations. More than half of all respondents rated the “pain” associated with key management to be 7 or higher (based on a scale of 1 = minor to 10 = severe). Even though more than 75 percent of respondents report that key management is a well-defined discipline in their organizations, only 23 percent say that the task of managing keys has dedicated resources or tools. Key management standards and hardware security modules (HSM) are increasing in importance for participating companies. Key management interoperable protocol (KMIP) and HSMs provide mechanisms for unifying and automating key management activities and reducing the risk of key management processes being subverted as a way to gain illicit access to encrypted data. Thales e-Security & Ponemon Institute© Research Report Page 3
  5. 5. Part 2. Key Findings Strategy and adoption of encryption Since conducting this study, there has been a steady increase in organizations with an encryption strategy applied consistently across the entire enterprise. In turn, there has been a steady decline in organizations not having an encryption plan or strategy. Figure 1 shows these changes over the past nine years. Figure 1. Trends in encryption strategy 40% 38% 33% 35% 32% 33% 28% 28% 25% 26% FY2009 FY2010 30% 22% 25% 20% 15% 10% 35% 26% 15% 18% 20% FY2008 15% 19% FY2007 26% 5% 0% FY2005 FY2006 FY2011 FY2012 FY2013 Company has an encryption strategy applied consistently across the entire enterprise Company does not have an encryption strategy. According to Figure 2, the prevalence of an enterprise encryption strategy varies among the countries represented in this research. The highest prevalence of an enterprise encryption strategy is reported in Germany followed by the US and Japan. Respondents in Australia and Brazil report the lowest adoption of an enterprise encryption strategy. Figure 2. Differences in enterprise encryption strategies by country 60% 53% 50% 40% 40% 36% 33% 31% 30% 34% 24% 22% 20% 10% 0% US UK DE FR AU JP BZ RF Company has an encryption strategy applied consistently across the entire enterprise Average Thales e-Security & Ponemon Institute© Research Report Page 4
  6. 6. Figure 3 shows the most influential functional areas for defining the company’s encryption strategy. The figure shows that IT operations are deemed most influential in determining the organization’s enterprise encryption strategy. In this study, “lines of business” are defined as those with commercial or executive responsibility within the organization. Figure 3. Most influential for determining the company’s encryption strategy IT operations 35% Lines of business or general management 26% No single function has responsibility 19% 15% Security 3% Finance Compliance 1% 0% 5% 10% 15% 20% 25% 30% 35% 40% Figure 4 shows that the IT operations function has consistently been most influential in framing the organization’s encryption strategy over nine years. However, that picture is steadily changing with business unit leaders gaining influence over their company’s encryption strategy. We posit that the rising influence of business leaders reflects a general increase in consumer concerns over data privacy and the importance of demonstrating compliance to privacy and data protection mandates. It is also probable that the rise of employee owned devices or BYOD and the general consumerization of IT has had an effect. It is interesting to note that the influence of the security function on encryption strategy has been relatively constant (flat line) over the past year years. Figure 4. Influence of IT operations, lines of business and security 60% 53% 51% 50% 48% 45% 42% 45% 39% 40% 37% 26% 30% 19% 20% 10% 10% 35% 13% 12% FY2006 22% 15% 11% 13% 14% 13% 14% 14% 15% FY2008 FY2009 FY2010 FY2011 FY2012 FY2013 13% FY2005 19% 21% 0% FY2007 IT Operations Lines of business Thales e-Security & Ponemon Institute© Research Report Security Page 5
  7. 7. Figure 5 shows the distribution of respondents who rate IT operations, LOB and security as most influential in determining their organization’s encryption strategy. This chart shows IT operations as most influential followed by business managers in six of eight countries. Japanese, German and Australian respondents see the influence of IT at a much higher level than business managers and security. In contrast, the US and UK see business managers as more influential than IT operations. In addition, respondents in US and Australia rate security as having a higher level of influence on setting their organization’s encryption strategy than in other countries. Figure 5. Influence of IT operations, LOB and security by country 9% JP 17% 54% 12% DE 27% 19% 13% AU 44% 38% 13% FR 34% 34% 16% RF 25% 14% UK 33% 33% 15% BZ 26% 20% US 20% 0% 10% 33% 20% Security 31% 27% 30% Lines of business Thales e-Security & Ponemon Institute© Research Report 40% 50% 60% IT operations Page 6
  8. 8. Trends in adoption of encryption Since we began tracking the enterprise-wide use of encryption in 2005, there has been a steady 4 increase in the encryption solutions used by organizations. Figure 6 summarizes enterprisewide usage consolidated for various encryption technologies over nine years. This continuous growth in enterprise deployment suggests encryption is important to an organization’s security posture. Figure 6 also shows the percentage of the overall IT security budget dedicated to encryption-related activities. As expected, the patterns for deployment and budget show a strong correlation. Figure 6. Trend on the extensive use of encryption technologies 35% 30% 30% 25% 20% 20% 22% 23% 25% 23% 19% 16% 15% 16% 14% 10% 10% FY2006 13% FY2007 FY2008 14% 15% FY2010 FY2011 18% 18% FY2012 FY2013 10% FY2005 5% 27% 0% FY2009 Extensive deployment of encryption Percent of the IT budget earmarked for encryption 4 The combined sample used to analyze trends is explained in Part 3. Methods. Thales e-Security & Ponemon Institute© Research Report Page 7
  9. 9. Figure 7 shows a positive relationship between encryption strategy and the deployment of encryption. German organizations have the highest percentage of companies with an enterprise encryption strategy and they are the most extensive users of encryption technologies. In contrast, Australia has the lowest percentage of companies with an enterprise strategy for encryption. Figure 7. Extensive use and prevalence of an enterprise encryption strategy by country 60% 53% 50% 40% 40% 34% 30% 39% 36% 33% 31% 28% 24% 23%22% 32% 24% 34%34% 24% 20% 10% 0% US UK DE FR AU JP BZ RF Extensive deployment of encryption (average of 13 categories) Encryption strategy applied consistently across the entire enterprise Thales e-Security & Ponemon Institute© Research Report Page 8
  10. 10. Figure 8 shows the extensive usage of encryption solutions for 10 industry sectors over two years. With one exception (retailing), results suggest a steady increase in all industry sections between 2012 and 2013. The most significant increases in encryption usage occur in financial services and hospitality. Figure 8. The extensive use and availability of an enterprise strategy by industry 38% Financial services 43% 37% 39% Services 33% 35% Transportation 31% 33% Technology & software 29% 31% Health & pharma 21% Hospitality 26% 24% 25% Consumer products 23% 24% Public sector 21% 21% Retailing 17% 19% Manufacturing 0% 5% 10% 15% 20% Extensive use for FY2012 Thales e-Security & Ponemon Institute© Research Report 25% 30% 35% 40% 45% 50% Extensive use for FY2013 Page 9
  11. 11. Encryption and Security Effectiveness (SES) To estimate the security posture of organizations, we used the Security Effectiveness Score or 5 SES as part of the survey process. The SES range of possible scores is +2 (most favorable) to 2 (least favorable). We define an organization’s security effectiveness as being able to achieve the right balance between efficiency and effectiveness across a wide variety of security issues and technologies. A favorable score indicates that the organization’s investment in people and technologies is both effective in achieving its security mission and is also efficient. In other words, they are not squandering resources and are still being effective in achieving their security goals. Following is a summary of the average SES for each country sample for two years. Germany achieves the highest score, while Brazil has the lowest score over the past three years. Figure 9. Average security effectiveness score (SES) in ascending order by country *2011 and 2012 data is not available for the RF sample 1.19 1.27 1.25 DE 0.77 JP 0.66 0.74 0.8 US 0.45 UK RF* 0.56 0.61 0.47 0.25 0.25 0.33 AU -0.02 FR BZ 0.98 1.02 -0.48 -0.6 0.03 0.12 -0.25 -0.21 -0.4 -0.2 0 SES FY2011 0.2 0.4 SES FY2012 0.6 0.8 1 1.2 1.4 SES FY2013 5 The Security Effectiveness Score was developed by Ponemon Institute in its annual encryption trends survey to define the security posture of responding organizations. The SES is derived from the rating of 24 security features or practices. This method has been validated from more than 45 independent studies conducted since June 2005. The SES provides a range of +2 (most favorable) to -2 (least favorable). Hence, a result greater than zero is viewed as net favorable. Thales e-Security & Ponemon Institute© Research Report Page 10
  12. 12. Figure 10 reports the SES results compiled from encryption trend studies conducted over nine years. The trend line shown below is increasing, which suggests the security posture of participating companies has increased over this time period. Figure 10. Trend in average Security Effectiveness Score (SES) 0.60 0.54 0.50 0.55 0.40 0.40 0.31 0.26 0.30 0.20 0.10 0.51 0.13 0.12 FY2006 FY2007 0.04 FY2005 FY2008 FY2009 SES FY2010 FY2011 FY2012 FY2013 Average Figure 11 summarizes a cross-tab analysis of SES and the percentage of organizations that have an enterprise-wide encryption strategy and the percentage that have an extensive deployment of encryption. We divide the overall sample into four quartiles based on SES. We see that organizations in the highest SES quartile sub-sample are nearly three times more likely to deploy a holistic encryption strategy than companies in the lowest SES quartile sub-sample (41 percent versus 16 percent). This figure also shows organizations in the highest SES quartile sub-sample are more than two times more likely to be extensive users of encryption technologies than companies in the lowest SES quartile sub-sample (38 percent versus 15 percent). The pattern of quartile averages in Figure 11 provides strong evidence that both encryption strategy and the use of encryption make an important contribution to organizations’ security posture. Figure 11. Analysis of encryption strategy and use by SES quartile (security posture) 0.50 0.45 0.40 0.35 0.30 0.25 0.20 0.15 0.10 0.05 - 0.45 0.41 0.38 0.33 0.32 0.28 0.26 0.19 First quartile (SES=1.29) Second quartile (SES=.81) Third quartile (SES=.23) Fourth quartile (SES=.01) Extensive deployment pf encryption (average of 13 categories) Encryption strategy applied consistently across the entire enterprise Thales e-Security & Ponemon Institute© Research Report Page 11
  13. 13. Figure 12 reports a scattergram showing the interrelationship between the respondents’ encryption use profile and SES. The encryption use profile is a ratio variable between +1 and -1 6 compiled from the extensive use of 11 encryption technologies. This diagram clearly shows a clustering of data points that form a positive (upward sloping) relationship, which suggest that encryption use and a strong security posture (high SES) are inextricably linked. Figure 12. Scattergram depicting the relationship between encryption use ratio and security posture 1 0.8 Encryption use profile 0.6 -2 0.4 0.2 0 -1.5 -1 -0.5 0 0.5 1 1.5 2 -0.2 -0.4 -0.6 -0.8 Low -1 SES High 6 Each respondent was assigned a profile score based on their organizations’ extensive use of encryption technologies. Those respondents who said their organizations extensively deployed all 11 encryption technologies were rated +1. Those respondents who said they did not extensively deploy any one of the 11 encryption technologies were rated -1. Hence, most respondents earned a rating between these two limits. Thales e-Security & Ponemon Institute© Research Report Page 12
  14. 14. Threats, main drivers and priorities Figure 13 shows for the past two years the most significant threats to the exposure of sensitive or confidential data is employee mistakes, legal and law enforcement requirements and system process malfunctions. In contrast, the least significant threats to the exposure of sensitive or confidential data include temporary or contract workers and third-party service providers. Concerns over inadvertent exposure (employee mistakes and system malfunction) outweigh concerns over actual attacks by hackers and malicious insiders. Figure 13. The most salient threats to sensitive or confidential data 26% 27% Employee mistakes 16% 15% Legal & law enforcement 15% 15% System malfunction 14% 13% Hackers 11% 10% Malicious insiders 9% 9% Temporary or contract workers 8% 8% Third party service providers 1% 1% Other 0% 5% 10% Main threats FY2012 Thales e-Security & Ponemon Institute© Research Report 15% 20% 25% 30% Main threats FY2013 Page 13
  15. 15. 7 Figure 14 lists in ascending order the top five perceived data threats by country. It shows marked differences among country samples. Accordingly, respondents in Japan, Australia and the UK rate employee mistakes at a much higher level than respondents in other country samples. In contrast, Japanese respondents are least likely to rate system malfunction as a top security threat. Figure 14. Top five perceived threats by country 24% 17% 39% 38% Employee mistakes 21% 20% 33% 26% 13% 22% 17% 21% Legal & law enforcement 10% 18% 8% 15% 17% 12% 3% 10% System malfunction 21% 22% 16% 17% 13% 12% 17% 12% Hackers 15% 13% 13% 13% 11% 9% 9% 9% Malicious insiders 12% 10% 11% 11% 0% 5% RF 7 10% BZ JP 15% AU 20% FR DE 25% UK 30% 35% 40% 45% US The consolidated average percentage for each threat category is presented in Figure 13. Thales e-Security & Ponemon Institute© Research Report Page 14
  16. 16. The main driver for using encryption is reducing the impact of data breaches. Six drivers for deploying encryption are presented in Figure 15. Respondents report lessening the impact of data breach (46 percent) and protecting the organization’s brand or reputation (44 percent) are the two top reasons for using encryption technologies. Other top drivers for encryption usage include honoring the organization’s privacy commitments (42 percent) and complying with privacy and data security regulations (40 percent). Figure 15. The main drivers for using encryption technology solutions More than one choice permitted To lessen the impact of data breaches 46% To protect our organization’s brand or reputation 44% To ensure that our organization’s privacy commitments are honored 42% To comply with privacy or data security regulations and requirements 40% To reduce the scope of compliance audits 22% To avoid having to notify customers or employees after a data breach occurs 6% 0% 5% 10% 15% 20% 25% 30% 35% 40% 45% 50% Thales e-Security & Ponemon Institute© Research Report Page 15
  17. 17. 8 Figure 16 illustrates marked country differences. As shown, US respondents provide their top rating to lessening the impact of data breaches. Japanese respondents provide their highest rating to protecting the organization’s brand or reputation. Australian and French respondents provide their highest rating to compliance with privacy or data protection regulations. Figure 16. The top five drivers for using encryption 43% 42% 49% 40% 35% 47% 46% To lessen the impact of data breaches 44% 47% 35% 33% To protect our organization’s brand or reputation To ensure that our organization’s privacy commitments are honored 32% 60% 42% 47% 45% 39% 45% 48% 39% 44% 48% 42% 35% 21% To comply with privacy or data security regulations and requirements 59% 43% 63% 58% 30% 40% 36% 25% 25% 17% 20% 25% 31% 20% 17% To reduce the scope of compliance audits 0% RF 8 BZ JP 10% AU FR 20% DE 30% UK 40% 50% 60% 70% US The consolidated average percentage for each driver is presented in Figure 15. Thales e-Security & Ponemon Institute© Research Report Page 16
  18. 18. Respondents believe data encryption reduces their organization’s obligation to notify individuals in the event data loss or theft. Figure 17 shows the results of a question asking respondents “Would your organization be required to notify customers after the data breach involving the loss or theft of their personal information?” This question presented two separate conditions: (1) breached data is encrypted and (2) breach data is not encrypted. As can be seen, respondents in all countries recognize that data encryption minimizes notification requirements to breach victims. US respondents appear to be most sensitive to this data breach notification requirement than those in all other countries. The overall average response to notification in the case of unencrypted data loss or theft is 37 percent. In contrast, the average response to notification in the case of encrypted data loss or theft is only 20 percent. Figure 17. Would a data breach of customers’ personal data require notification? 70% 61% 60% 46% 50% 40% 35% 33% 30% 33% 31% 30% 25% 24% 20% 20% 13% 15% 16% 16% 11%10% 10% 0% US UK DE FR Customer data was not encrypted Thales e-Security & Ponemon Institute© Research Report AU JP BZ RF Customer data was encrypted Page 17
  19. 19. Discovering where sensitive data resides in the organization is the biggest challenge. Figure 18 provides a list of six aspects that present challenges to the organization’s effective execution of its data encryption strategy in descending order of importance. Sixty one percent of respondents say discovering where sensitive data resides in the organization is the number one challenge. In addition, 50 percent of all respondents cite deploying encryption technology as a significant challenge. Figure 18. Biggest challenges in planning and executing a data encryption strategy Two choices permitted Discovering where sensitive data resides in the organization 61% Deploying the encryption technology effectively 50% 37% Classifying which data to encrypt Obtaining the budget to deploy 24% Determining which encryption technologies are most effective 18% Measuring the effectiveness of the data encryption technologies deployed 11% 0% 10% Thales e-Security & Ponemon Institute© Research Report 20% 30% 40% 50% 60% 70% Page 18
  20. 20. Deployment choices and decision criteria We asked respondents to indicate if specific encryption technologies are widely or only partially deployed within their organizations. “Extensive deployment” means that the encryption technology is deployed enterprise-wide. “Partial deployment” means the encryption technology is confined or limited to a specific purpose (a.k.a. point solution). As shown in Figure 19, no single technology dominates because organizations have very diverse deployments. Encryption of external public networks, databases and data backup are the most likely to be deployed. In contrast, encryption for smart phone and tablets and external cloud services are the least likely to be deployed. Figure 19. Consolidated view on the use of encryption technologies External public networks 35% Databases 47% 33% Backup files 48% 43% 38% Data center storage 33% 47% Software applications 32% 47% Desktop & workstation 31% 47% Internal networks 32% 46% Laptop 32% 45% Email 25% File server 27% Cloud encryption gateways 52% 27% Smart phone & tablet 48% 44% 24% External cloud services 40% 18% 0% 10% 19% 20% 30% Extensive deployment Thales e-Security & Ponemon Institute© Research Report 40% 50% 60% 70% 80% 90% Partial deployment Page 19
  21. 21. Figure 20 provides a histogram showing the percentage frequency of 13 encryption technologies deployed by respondents in all country samples combined. As can be seen, 70 percent of the consolidated sample says their organizations use five or more separate encryption technologies with 44 percent of organizations deploying between four and six different types of encryption technology. Figure 20. Histogram of 13 encryption technologies deployed 19% 20% 18% 15% 16% 13% 14% 12% 10% 10% 8% 8% 6% 8% 8% 5% 4% 4% 3% 4% 2% 2% 1% 0% 1 2 3 4 5 6 7 8 9 10 11 12 13 Number of seperate encryption technologies deployed The use of encryption varies among countries. Figure 21 reports the extensive and partial deployment data of encryption technologies for eight countries. As shown, respondents in Germany US and Russia have the highest encryption deployment rates than other countries. Figure 21. Extensive and partial deployment of data encryption technologies consolidated for 13 encryption technologies 100% 90% 80% 70% 60% 47% 49% 47% 50% 44% 41% 40% 40% 40% 39% 30% 20% 39% 34% 34% 32% 28% 24% 24% 23% US RF BZ UK JP FR AU 10% 0% DE Extensive deployment Thales e-Security & Ponemon Institute© Research Report Partial deployment Page 20
  22. 22. Figure 22 presents a proportional analysis of 13 encryption technologies extensively deployed within eight country samples. Specifically, Germany and the US are the most extensive users of the encryption technologies listed in the figure. In contrast, France, Japan and Australia seem to be the least extensive users of encryption. Please note that the percentage shown in each cell represents the extensive usage rate only. Because organizations are using multiple encryption tools as indicated in the histogram in Figure 20, the sum of these cells across encryption categories and countries exceed 100 percent. Figure 22. The extensive use of 13 encryption technologies by country Backup files 39% 41% 62% External public networks 44% Databases 37% 34% 41% 28% Data center storage 36% 33% 40% 25% Internal networks 30% Laptop 33% 29% 34% 23% 42% Software applications 34% 46% 28% 29% 40% Desktop & workstation 45% 28% 22% 39% 40% 30% 31% 25% File server 29% 25% 34% Email 25% Smart phone & tablet 22% 29% External cloud services 22% 28% 0% US 10% UK 28% 18% 32% 36% 29% 35% 43% 25% 30% 40% 50% 21% DE FR AU JP 60% BZ 38% 33% 34% 29% 31% 12% 37% 36% 30% 35% 26% 31% 33% 31% 25% 32% 29% 28% 14% 9% 19% 12% 16% 17% 20% Thales e-Security & Ponemon Institute© Research Report 40% 21% 15% 15% 28% 17% 33% 20% 19% 19% 19% 41% 22% 26% 31% 26% 51% 31% 28% 22% 17% 36% 57% 25% 30% 19% 21% 36% Cloud encryption gateways 32% 29% 26% 35% 70% 80% 90% 100% RF Page 21
  23. 23. Encryption features considered most important Respondents were asked to rate encryption technology features considered most important to their organization’s security posture. According to consolidated findings, system performance and latency, automated management of encryption keys and automated enforcement of policy are the three most important features. The ratings of encryption technology features are listed in descending order of importance in Figure 23. In comparing this year to last year’s results, it is interesting to see 10 of 12 encryption technology features receiving a higher rating. The most significant difference concerns conformance with security standards (Diff = 12 percent). Figure 23. Most important features of encryption technology solutions Very important response 51% System performance and latency 47% Automated management of keys 56% 52% 43% 47% Automated enforcement of policy 40% 44% System scalability 38% 41% Tamper resistance by dedicated hardware 27% Conformance with security standards 39% 35% 39% Centralized management interface 33% 30% Support for the widest range of applications 25% 28% Formal product security certifications 29% 28% Support for emerging algorithms 19% Support for format preserving encryption 26% 16% 19% Supports longer encryption keys 0% 10% Very important response FY2012 Thales e-Security & Ponemon Institute© Research Report 20% 30% 40% 50% 60% Very important response FY2013 Page 22
  24. 24. Attitudes about key management Using a 10-point scale, respondents were asked to rate the overall “pain” associated with managing keys or certificates within their organization (where 1 = minimal impact, risk and cost to 10 = severe impact, risk and cost). Figure 24 clearly shows that 53 percent of respondents chose ratings at or above seven – suggesting a fairly high pain point. Figure 24. The overall impact, risk and cost associated with managing keys or certificates 35% 29% 30% 24% 25% 21% 20% 15% 16% 11% 10% 5% 0% 1 to 2 3 to 4 5 to 6 7 to 8 9 to 10 Rating of the overall impact, risk and cost associated with managing keys or certificates where 1 = nominal to 10 = severe Figure 25 shows the so-called “pain index” for respondents in eight countries. As can be seen, the extrapolated average in all country samples is above the scale median of 5.5, which suggests that most respondents view managing keys and certificates as a challenging activity. The highest value is 6.94 in Brazil and the lowest value is 5.60 in Japan. Figure 25. The average overall impact, risk and cost associated with managing keys or certificates 10.00 9.00 8.00 7.00 6.40 6.74 6.00 6.52 6.94 6.44 6.74 BZ RF 5.60 6.00 5.00 4.00 3.00 2.00 1.00 US UK DE FR Average rating on impact, risk and cost Thales e-Security & Ponemon Institute© Research Report AU JP Average Median Page 23
  25. 25. Figure 26 lists what respondents view as the primary drivers for developing a key management strategy. Increased business efficiency and reduced operational cost are the top two issues for the past two years. The largest difference between 2013 and 2012 is an eight percent increase in operating cost as a primary driver for building a key management strategy. In other words, cost reduction is a higher priority in 2013 than 2012. Figure 26. Primary drivers for developing a key management strategy 50% 52% Increase business efficiency 42% Reduce operational cost 50% 33% 36% Improve security 30% 30% Demonstrate compliance 31% 28% Reduce complexity 4% 4% None of the above 0% 10% 20% Primary drivers FY2012 Thales e-Security & Ponemon Institute© Research Report 30% 40% 50% 60% Primary drivers FY2013 Page 24
  26. 26. Figure 27 reports how key management tasks are viewed within respondents’ organizations. More than half (52 percent) of respondents believe their key management tasks are constrained because their organizations do not have dedicated staff or tools to perform key management tasks. Only 23 percent of respondents say their organizations are performing key management with a dedicated expert staff and specialized tools according to well defined practices. Figure 27. Key management deployment models Key management tasks are well defined but the organization does not have dedicated staff or tools to perform key management tasks 52% Key management activities are ad-hoc with minimal or no formal definition 25% Key management is viewed as a distinct discipline that is defined or performed by dedicated or specialist staff and associated tools according to well defined practices 23% 0% 10% 20% 30% 40% 50% 60% Figure 28 compares country samples for one of the conditions indicated in the above chart. Accordingly, following are the yes responses to the selection that key management is a distinct discipline performed by dedicated staff and specialized tools according to well-defined practices (a.k.a. the nirvana state). While all responses are fairly low, respondents in Germany have the highest percentage yes response while respondents in Japan have the lowest percentage yes response. Figure 28. Perceptions about the key management nirvana state Percentage Yes response 28% 30% 25% 23% 23% 26% 24% 22% 20% 25% BZ RF 17% 15% 10% 5% 0% US UK DE FR AU JP Key management is viewed as a distinct discipline that is defined or performed by dedicated or specialist staff and associated tools according to well defined practices Average Thales e-Security & Ponemon Institute© Research Report Page 25
  27. 27. Figure 29 reports the percentage of respondents that report their organizations operate an internal public key infrastructure (PKI). US organizations appear to have the highest percentage rate at 35 percent, while organizations in France has the lowest percentage rate at 15 percent. Figure 29. Percentage of respondents’ organizations that operate an internal PKI 40% 35% 35% 31% 30% 26% 24% 25% 20% 15% 18% 17% 19% BZ RF 15% 10% 5% 0% US UK DE FR AU JP Percentage of organizations that operate their own internal PKI Thales e-Security & Ponemon Institute© Research Report Average Page 26
  28. 28. Importance of the key management Interoperability protocol (KMIP) Figure 30 summarizes the response to the question,” Does your organization deploy encryption or key management products that support the KMIP key management standard?” As can be seen, 35 percent of respondents say they plan to make KMIP support a future requirement. Only 13 percent of respondents say KMIP support is a primary requirement today. Figure 30. Is KMIP supported as a primary or secondary requirement? No, but we plan to make KMIP support a future requirement 35% Yes, KMIP support is a secondary requirement 19% No, we have not considered KMIP support 19% No, KMIP support is not relevant 14% Yes, KMIP support is a primary requirement 13% 0% 5% 10% 15% 20% 25% 30% 35% 40% Does your organization deploy encryption or key management products that support the KMIP key management standard? Figure 31 summarizes the yes responses in the above chart for eight country samples. As shown, 47 percent of German respondents say their organizations presently support KMIP as either a primary or secondary requirement. Only 28 percent of respondents in Australia, Brazil and Russia say their organizations support KMIP as a primary or secondary requirement. Figure 31. KMIP support as a primary or secondary requirement by country 47% 50% 45% 40% 35% 34% 30% 30% US UK 30% 30% 28% 28% 28% BZ RF 25% 20% 15% 10% 5% 0% DE FR AU JP Yes, KMIP support is either a primary or secondary requirement Thales e-Security & Ponemon Institute© Research Report Average Page 27
  29. 29. According to 54 percent of respondents, KMIP is most important for cloud based applications and storage. This represents a 12 percent increase between 2013 and 2012. As shown in Figure 32, KMIP appears to be least important for end user devices such as laptops, tablets and smart phones or remote applications such as retail locations. Figure 32. Where KMIP is most important Two choices permitted 42% Cloud based applications and storage 54% 36% 37% Storage systems 35% 35% Application infrastructure in the data center 35% 34% Network infrastructure 16% 16% Remote applications 12% 13% End user devices 11% 9% None 0% 10% Where is KMIP most important, FY2012 Thales e-Security & Ponemon Institute© Research Report 20% 30% 40% 50% 60% Where is KMIP most important, FY2013 Page 28
  30. 30. Importance of hardware security modules (HSM) 9 Figure 33 summarizes the percentage of respondents in eight countries that deploy HSMs as part of their organization’s key management program or activities. As can be seen, the rate of HSM deployment increased in the US, UK, Germany, Australia, Japan and Brazil between 2012 and 2013. Similar to last year, the pattern of responses suggests Japanese and German respondents are more likely to deploy HSMs to their organization’s key management activities than other countries. The overall average deployment rate for HSMs as part of key management activities this year is 28 percent – representing six percent growth from last year’s average deployment rate. Figure 33. Deployment HSMs as part of key management activities *2012 data is not available for the RF sample 40% 35% 30% 38% 35% 35%34% 30% 27% 25% 26% 23% 24%25% 25%24% 23% 20%19% 20% 15% 10% 5% 0% US UK DE FR HSM deployment rate in FY2013 AU JP BZ RF* HSM deployment rate in FY2012 9 HSMs are devices specifically built to create a tamper-resistant environment in which to perform cryptographic processes (e.g. encryption or digital signing) and to manage the keys associated with those processes. These devices are used to protect critical data processing activities associated with server based applications and can be used to strongly enforce security policies and access controls. HSMs are typically validated to formal security standards such as FIPS 140-2. Thales e-Security & Ponemon Institute© Research Report Page 29
  31. 31. Figure 34 summarizes the percentage of respondents in eight countries that rate HSM as either very important or important to their organization’s key management program or activities. It is interesting to note that the importance level appears to be increasing between 2012 and 2013 for eight country samples. Similar to last year, the pattern of responses suggests Japanese and German respondents are most likely to assign importance to HSMs to their organization’s key management activities. The overall average importance rating in the current year is 46 percent. Last year’s average importance rating was 39 percent. Figure 34. Perceived importance of HSM as part of key management activities *2012 data is not available for the RF sample 60% 50% 56% 51% 55% 49% 45% 51% 48% 43% 45% 40% 40% 33% 36% 29% 30% 29% 26% 20% 10% 0% US UK DE FR Important or very important FY2013 Thales e-Security & Ponemon Institute© Research Report AU JP BZ RF* Important or very important FY2012 Page 30
  32. 32. Figure 35 summarizes the primary purpose or use cases for deploying HSMs. As can be seen, the number one purpose is authentication followed by SSL and database encryption. This chart also shows differences between today’s HSM use and deployment in 12 months. The most significant increases predicted for the next 12 months, according to respondents, are code signing, document signing and database encryption. Figure 35. How HSMs are deployed or planned to be deployed in the next 12 months More than one choice permitted 56% 54% Authentication 49% 48% SSL Database encryption 47% Application level encryption 37% Payments processing 35% PKI or credential management 26% Document signing 15% Code signing 10% 42% 41% 30% 23% 21% 8% 0% 54% 20% 30% HSMs planned to be deployed in the next 12 months Thales e-Security & Ponemon Institute© Research Report 40% 50% 60% HSMs deployed today Page 31
  33. 33. Budget allocations The percentages below are calculated from the responses to survey questions about resource allocations to IT security, data protection, encryption, and key management. These calculated values are estimates of the current state and we do not make any predictions about the future state of budget funding or spending. Figure 36 reports the average percentage of IT security spending relative to total IT spending over the last nine years. As shown, the trend appears to be upper sloping, which suggests the proportion of IT spending dedicated to security activities including encryption is increasing over time. Figure 36. Trend in the percent of IT security spending relative to the total IT budget 12.0% 9.1% 10.0% FY2005 8.0% 7.5% 7.2% 7.5% 7.9% FY2006 FY2007 FY2008 9.9% 8.6% 8.8% 9.1% FY2010 FY2011 FY2012 6.0% 4.0% 2.0% 0.0% FY2009 Percentage of IT security spending relative to the total IT budget FY2013 Average Figure 37 shows the percent of current IT security spending relative to the total IT budget for individual countries. As shown, Germany and Japan report the highest proportional ratings and UK and Brazil report the lowest proportional ratings. Figure 37. Percent of current IT security spending relative to the total IT budget by country 16.0% 13.7% 14.0% 12.0% 12.2% 10.1% 10.0% 9.9% 8.0% 9.3% 8.6% 7.8% 7.4% 6.0% 4.0% 2.0% 0.0% US UK DE FR AU JP Percentage of IT security spending relative to the total IT budget Thales e-Security & Ponemon Institute© Research Report BZ RF Average Page 32
  34. 34. Budget allocated to data protection. Figure 38 reports the percentage of data protection spending relative to the total IT security budget over nine years. This trend appears to be slightly upward sloping, which suggests data protection spending as a proportion of total IT security is on the rise. Figure 38. Trend in the percent of IT security spending dedicated to data protection activities 40.0% 34.5% 35.0% 30.0% 25.0% 22.7% 24.9% 23.6% FY2006 FY2007 26.1% FY2009 29.7% 32.4% 25.9% FY2008 32.7% 20.0% 15.0% 10.0% 5.0% 0.0% FY2005 FY2010 FY2011 FY2012 Percentage of IT security spending dedicated to data protection activities FY2013 Average Figure 39 shows the average percent of current IT security spending dedicated to data protection spending by country sample. As shown, the percentage of data protection spending relative to total IT security is highest in the UK and Germany and lowest in Brazil and Australia. Perhaps more important is the consistency in percentage values observed across most countries. Figure 39. Percent of current IT security spending dedicated to data protection activities by country 45.0% 38.3% 40.0% 35.0% 38.2% 31.4% 31.2% 30.0% 28.4% 31.1% 32.3% 28.4% 25.0% 20.0% 15.0% 10.0% 5.0% 0.0% US UK DE FR AU JP Percentage of IT security spending dedicated to data protection activities Thales e-Security & Ponemon Institute© Research Report BZ RF Average Page 33
  35. 35. Budget allocated to encryption. Figure 40 reports the nine-year trend in the percentage of encryption spending relative to the total IT security budget. Again, the trend appears to be increasing from a low of 9.7 percent in 2005 to 18.2 percent in the present year’s encryption trends study. Figure 40. Trend in the percent of IT security budget dedicated to encryption 17.6% 20.0% 18.0% 15.7% 16.0% 13.8% 14.0% 9.7% FY2006 FY2010 FY2011 FY2012 FY2013 15.1% 13.1% 10.3% FY2005 12.0% 14.6% 18.2% 10.0% 8.0% 6.0% 4.0% 2.0% 0.0% FY2007 FY2008 FY2009 Percentage of IT security spending dedicated to encryption Average 10 Figure 41 reports the percentage of IT security spending dedicated to encryption. Again, the country comparisons are very consistent. Respondents in Germany show the highest average percentage of encryption spending, while those in the UK show the lowest average percentage spending levels. Figure 41. Percent of the IT security budget dedicated to encryption by country 25.0% 20.0% 21.7% 16.6% 17.4% 15.8% 18.1% FR AU 19.7% 19.1% 16.9% 15.0% 10.0% 5.0% 0.0% US UK DE JP Percentage of IT security spending dedicated to encryption BZ RF Average 10 The figures in this graph suggest that encryption spending represents nearly 60 percent of the total data protection budget (which is a subset of the total IT security budget). However, debriefing interviews with a subset of respondents revealed that encryption spending might not be contained solely in the data protection category, but rather other earmark categories such as security technologies. Thales e-Security & Ponemon Institute© Research Report Page 34
  36. 36. Budget allocated to key management. Figure 42 reports the three-year comparison in the percentage of encryption key management spending as a proportion of the overall encryption 11 spend, showing a six percent increase. Figure 42. Budget allocation to key management 35.0% 31.9% 29.5% 30.0% 23.5% 25.0% 20.0% 15.0% 10.0% 5.0% 0.0% FY2011 FY2012 FY2013 Percentage of encryption spending dedicated to key management Average Figure 43 reports the proportion of spending on key management relative to the total spending on encryption solutions for country samples. Perhaps the most interesting finding is the consistency in spending on key management across all eight countries, with the exception of Australia and Brazil. Figure 43. Percent of encryption spending dedicated to key management activities by country 40.0% 35.0% 37.0% 33.6% 34.9% 32.7% 31.1% 31.3% 27.5% 27.2% 30.0% 25.0% 20.0% 15.0% 10.0% 5.0% 0.0% US UK DE FR AU JP Percentage of encryption spending dedicated to key management BZ RF Average 11 The analysis of key management spending was first conducted in 2011 and, hence, we don’t have the ability to conduct a full trend analysis. Thales e-Security & Ponemon Institute© Research Report Page 35
  37. 37. Part 3. Methods & Limitations Table 1 reports the sample response for eight separate country samples. The sample response for this study was conducted over a 49-day period ending in December 2013. Our consolidated sampling frame of practitioners in all countries consisted of 118,423 individuals who have bona fide credentials in IT or security fields. From this sampling frame, we captured 4,802 returns of which 547 were rejected for reliability issues. Our final consolidated 2013 sample was 4,275, thus resulting in a 3.6% response rate. The first encryption trends study was conducted in the US in 12 2005. Since then we have expanded the scope of the research to include eight separate country samples. Trend analysis was performed on combined country samples. As noted before, we added the Russian Federation in this year’s study. Table 1. Sample response in eight countries Countries Sampling frame Total returns Rejected surveys Final sample United States 26,553 1,001 109 892 United Kingdom 15,995 688 71 637 Germany 16,030 650 48 602 France 15,916 558 80 478 Australia 9,503 456 42 414 Japan 14,020 569 48 521 Brazil 14,371 603 73 530 6,035 277 76 201 118,423 4,802 547 4,275 Russian Federation Total As noted in Table 2, the respondents’ average (mean) experience in IT, IT security or related fields is 10.25 years. Approximately 25 percent of respondents are female and 75 percent 13 male. Experience levels Overall experience IT or security experience Table 2. Other characteristics of respondents Mean years Gender 11.02 Female 10.25 Male Combined% 25% 75% 12 The following matrix summarizes the samples and sample sizes used in all figures showing trends. Country/year 2013 2012 2011 2010 2009 2008 2007 2006 2005 Australia 414 938 471 477 482 405 0 0 0 Brazil 530 637 525 0 0 0 0 0 0 France 478 584 511 419 414 0 0 0 0 Germany 602 499 526 465 490 453 449 0 0 Japan Russian Federation 521 466 544 0 0 0 0 0 0 201 0 0 0 0 0 0 0 0 United Kingdom 637 550 651 622 615 638 541 489 0 United States 892 531 912 964 997 975 768 918 791 4,275 4,205 4,140 2,947 2,998 2,471 1,758 1,407 791 Total 13 This skewed response showing a much lower frequency of female respondents in our study is consistent with earlier studies – all showing that males outnumber females in the IT and IT security professions within the seven countries sampled. Thales e-Security & Ponemon Institute© Research Report Page 36
  38. 38. Figure 43 summarizes the approximate position levels of respondents in our study. As can be seen, the majority (52 percent) of respondents are at or above the supervisory level. Figure 43. Distribution of respondents according to position level Consolidated from eight separate country samples 3% 3% 18% Executive/VP Director Manager/Supervisor 44% Associate/Staff/Technician Other 32% Figure 44 reports the respondents’ organizations primary industry segments. As shown, 16 percent of respondents are located in the financial services industry, which includes banking, investment management, insurance, brokerage, payments and credit cards. Another 11 percent are located in public sector organizations, including central and local government. Figure 44. Distribution of respondents according to primary industry classification Consolidated from eight separate country samples 3% 2% 2% 16% 4% 4% 5% 11% 5% 5% 10% 5% 7% 7% 7% 7% Thales e-Security & Ponemon Institute© Research Report Financial services Public sector Manufacturing Healthcare & pharma Retailing Services Technology & software Hospitality & leisure Consumer products Transportation Communications Entertainment & Media Energy Education & research Defense Other Page 37
  39. 39. According to Figure 45, the majority of respondents (70 percent) are located in larger-sized organizations with a global headcount of more than 1,000 employees. Figure 45. Distribution of respondents according to organizational headcount Consolidated for eight separate country samples 4% 11% 12% Less than 500 500 to 1,000 18% 1,001 to 5,000 5,001 to 25,000 26% 25,001 to 75,000 More than 75,000 29% Limitations There are inherent limitations to survey research that need to be carefully considered before drawing inferences from the presented findings. The following items are specific limitations that are germane to most survey-based research studies.  Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of IT and IT security practitioners in eight countries, resulting in a large number of usable returned responses. Despite non-response tests, it is always possible that individuals who did not participate are substantially different in terms of underlying beliefs from those who completed the survey.  Sampling-frame bias: The accuracy of survey results is dependent upon the degree to which our sampling frames are representative of individuals who are IT or IT security practitioners within the sample of eight countries selected.  Self-reported results: The quality of survey research is based on the integrity of confidential responses received from respondents. While certain checks and balances were incorporated into our survey evaluation process including sanity checks, there is always the possibility that some respondents did not provide truthful responses. Thales e-Security & Ponemon Institute© Research Report Page 38
  40. 40. Appendix 1: Consolidated Findings The following tables provide the percentage frequencies for all survey questions combined for eight country samples (weighted by sample size). All survey responses were gathered over a 49day period ending in December 2013. Please note that certain survey questions were omitted if not utilized in the report. Part 1: Your organization’s encryption posture Q1. Please select one statement that best describes your organization’s approach to encryption implementation across the enterprise. We have an overall encryption plan or strategy that is applied consistently across the entire enterprise We have an overall encryption plan or strategy that is adjusted to fit different applications and data types For certain types of sensitive or confidential data such as Social Security numbers or credit card accounts we have a limited encryption plan or strategy We don’t have an encryption plan or strategy Total . Q2a. Does your organization encrypt sensitive and confidential data when sending it by email? Yes, most of the time Yes, some of the time No Total Consolidated 35% 26% 24% 15% 100% Consolidated 25% 52% 23% 100% Q2b. Does your organization encrypt sensitive and confidential data stored on shared file servers? Yes, most of the time Yes, some of the time No Total Consolidated 27% 48% 25% 100% Q2c. Does your organization encrypt sensitive and confidential data stored on a laptop computers? Yes, most of the time Yes, some of the time No Total Consolidated 32% 45% 23% 100% Q2d. Does your organization encrypt sensitive and confidential data stored on a desktop PCs or workstations? Yes, most of the time Yes, some of the time No Total Consolidated 31% 47% 22% 100% Q2e. Does your organization encrypt sensitive and confidential data stored on a mobile data-bearing device such as a smart phones or tablets? Yes, most of the time Yes, some of the time No Total Consolidated 24% 40% 36% 100% Thales e-Security & Ponemon Institute© Research Report Page 39
  41. 41. Q2f. Does your organization encrypt sensitive and confidential data stored on backup files or tapes before sending it to off site storage locations? Yes, most of the time Yes, some of the time No Total Consolidated 43% 38% 19% 100% Q2g. Does your organization encrypt sensitive and confidential data when sending it by external public networks such as the Internet or VPN (for example using SSL or IPSec)? Yes, most of the time Yes, some of the time No Total Consolidated 35% 47% 17% 100% Q2h. Does your organization encrypt sensitive and confidential data when sending it by internal networks (i.e., within your own private network)? Yes, most of the time Yes, some of the time No Total Consolidated 32% 46% 22% 100% Q2i. Does your organization encrypt sensitive and confidential data located in databases? Yes, most of the time Yes, some of the time No Total Consolidated 33% 48% 18% 100% Q2j. Does your organization encrypt sensitive and confidential data within business software applications that are exposed to it? Yes, most of the time Yes, some of the time No Total Consolidated 32% 47% 21% 100% Q2k. Does your organization encrypt sensitive and confidential data that is passed to external cloud based services using cloud encryption gateways? Yes, most of the time Yes, some of the time No Total Consolidated 27% 44% 29% 100% Q2l. Does your organization encrypt sensitive and confidential data using encryption capabilities within external cloud based services? Yes, most of the time Yes, some of the time No Total Consolidated 18% 19% 63% 100% Q2m. Does your organization encrypt sensitive and confidential data stored within your datacenter storage environment? Yes, most of the time Yes, some of the time No Total Consolidated 33% 47% 20% 100% Thales e-Security & Ponemon Institute© Research Report Page 40
  42. 42. Q3. Please rate the following list of 13 encryption technologies based on the importance of each technology in protecting your organization’s sensitive or confidential data. Percentage very important and important responses combined. Email encryption File server encryption Laptop encryption Desktop or workstation encryption Smart phone or tablet encryption Data center storage encryption Back-up or tape encryption Encryption of external public networks Encryption on internal networks Database encryption Application level encryption Cloud encryption gateways Encryption within cloud based services Average Consolidated 42% 49% 52% 42% 35% 27% 66% 62% 57% 65% 39% 27% 24% 45% Q4. In your organization, who has responsibility or is most influential in directing your organization’s strategy for using encryption? Please select one best choice. No single function has responsibility IT operations Finance Lines of business (LOB) or general management Security Compliance Other Total Consolidated 19% 35% 3% 26% 15% 1% 0% 100% Q5. What are the reasons why your organization encrypts sensitive and confidential data? Please select the top two reasons. To lessen the impact of data breaches To avoid having to notify customers or employees after a data breach occurs To ensure that our organization’s privacy commitments are honored To protect our organization’s brand or reputation To comply with privacy or data security regulations and requirements To reduce the scope of compliance audits Total Consolidated 46% 6% 42% 44% 40% 22% 200% Q6. In your opinion, would your organization be required to notify customers after the data breach involving the loss or theft of their personal information? Q6a. If the data that was lost or stolen was not encrypted (in clear text) Yes No Unsure Total Consolidated 37% 54% 9% 100% Q6b. If the data that was lost or stolen was encrypted Yes No Unsure Total Consolidated 20% 71% 9% 100% Thales e-Security & Ponemon Institute© Research Report Page 41
  43. 43. Q7. What are your organization’s biggest challenges in planning and/or executing its data encryption strategy? Please select the top two challenges. Classifying which data to encrypt Discovering where sensitive data resides in the organization Determining which encryption technologies are most effective Deploying the encryption technology effectively Obtaining the budget to deploy Measuring the effectiveness of the data encryption technologies deployed Total Consolidated 37% 61% 18% 50% 24% 11% 200% Q8. What are the main threats that might result in the exposure of sensitive or confidential data? Please select the top two choices. Hackers Malicious insiders System or process malfunction Employee mistakes Temporary or contract workers Third party service providers Legal and law enforcement (e.g., e-discovery) Other (please specify) Total Consolidated 13% 10% 15% 27% 9% 8% 15% 1% 100% Q9. How important are the following features associated with encryption solutions that may be used by your organization? Most important and Important response combined. Automated enforcement of policy Automated management of keys Support for the widest range of applications Centralized management interface System scalability Tamper resistance by dedicated hardware (e.g. HSM) Conformance with security standards Support for format preserving encryption (FPE) System performance and latency Support for emerging algorithms (e.g. ECC) Supports longer encryption keys Formal product security certifications (e.g. FIPS 140) Average Consolidated 69% 71% 52% 69% 63% 57% 65% 52% 71% 66% 49% 55% 62% Part 3. Encryption key management Q11a. In general, how does your organization view key management tasks? Please select only one choice. Key management is viewed as a distinct discipline that is defined or performed by dedicated or specialist staff and associated tools according to well defined practices Key management tasks are well defined but the organization does not have dedicated staff or tools to perform key management tasks Key management activities are ad-hoc with minimal or no formal definition Total Thales e-Security & Ponemon Institute© Research Report Consolidated 23% 52% 25% 100% Page 42
  44. 44. Q11b. What are, or would be, the primary drivers for developing a key management strategy? Please select the top two choices? Increase business efficiency Reduce operational cost Reduce complexity Demonstrate compliance Improve security Other (please specify) None of the above Total Consolidated 52% 50% 28% 30% 36% 0% 4% 200% Q13. Please rate the overall “pain” associated with managing keys or certificates within your organization, where 1 = minimal impact, risk and cost to 10 = severe impact, risk and cost 1 to 2 3 to 4 5 to 6 7 to 8 9 to 10 Total Consolidated 11% 16% 21% 24% 29% 100% Q14. Does your organization operate its own internal PKI? Yes No Total Consolidated 25% 75% 100% Q15. What best describes your level of knowledge about KMIP? Very knowledgeable Knowledgeable Not knowledgeable (Go to Q18) Total Consolidated 20% 30% 49% 100% Q16. Does your organization deploy encryption or key management products that support the KMIP key management standard? Yes – KMIP support is a primary requirement Yes – KMIP support is a secondary requirement No, but we plan to make KMIP support a future requirement No - KMIP support is not relevant No – we have not considered KMIP support Total Consolidated 13% 19% 35% 14% 19% 100% Q17. In what areas of your encryption and key management strategy is KMIP most important? Please select you top two choices. Storage systems Application infrastructure within the datacenter End user devices e.g. laptops, tablets or smart phones Remote applications e.g. retail locations Cloud based applications and storage Network infrastructure Other (please specific) None Total Consolidated 37% 35% 13% 16% 54% 34% 1% 9% 200% Thales e-Security & Ponemon Institute© Research Report Page 43
  45. 45. Q18. What best describes your level of knowledge about HSMs? Very knowledgeable Knowledgeable Not knowledgeable (Go to Part 5) Total Consolidated 26% 43% 30% 100% Q19a. Does your organization deploy HSMs? Yes No (go to Part 5) Total Consolidated 28% 72% 100% Q19b. For what purpose does your organization presently deploy or plan to deploy HSMs? Please select all that apply. Q19b-1. HSMs deployed today Application level encryption Database encryption SSL PKI or credential management Document signing (e.g. electronic invoicing) Code signing Authentication Payments processing Not used Other (please specify) Total Consolidated 37% 47% 48% 26% 15% 8% 54% 35% 7% 0% 279% Q19b-2. HSMs planned to be deployed in the next 12 months Application level encryption Database encryption SSL PKI or credential management Document signing (e.g. electronic invoicing) Code signing Authentication Payments processing Not planning to use Other (please specify) Total Consolidated 42% 54% 49% 30% 23% 21% 56% 41% 2% 0% 319% Q20. In your opinion, how important is HSM to your encryption or key management strategy? Very important and Important responses combined. Q20a. Importance today Q20b. Importance in the next 12 months Consolidated 46% 53% Q21. Who are your primary vendors for HSM products and services? Please select all that apply. Thales/nCipher SafeNet/Eracom IBM Utimaco HP/Atalla FutureX Bull None of the above Not using HSM Total Consolidated 17% 23% 27% 7% 15% 4% 7% 24% 7% 131% Thales e-Security & Ponemon Institute© Research Report Page 44
  46. 46. Part 4: IT security & encryption budget Q22a. Are you responsible for managing all or part of your organization’s IT budget in 2013? Yes No (Go to Part 5) Total Q22b. Approximately, what is the dollar range that best describes your organization’s IT budget for 2013? Extrapolated average value in millions (billions for JPY & RUB) Extrapolated values computed from scaled responses Q22c. Approximately, what percentage of the 2013 IT budget will go to IT security activities? Q22d. Approximately, what percentage of the 2013 IT security budget will go to data protection activities? Q22e. Approximately, what percentage of the 2013 IT security budget will go to encryption activities? Q22f. Approximately, what percentage of the 2013 encryption budget will go to key management activities? Q23b. Approximately, what percentage of the 2014 IT security budget will go to encryption activities? Q23c. Approximately, what percentage of the 2014 encryption budget will go to encryption key management activities? Consolidated 58% 42% 100% NA Consolidated 10% 33% 18% 32% 35% 29% Q23a. Please check the security initiatives that will be earmarked in the 2013 budget? Select all that apply. Identity & access management Intrusion detection and prevention systems Data loss prevention Encryption solutions Key and certificate management Security intelligence (e.g., SIEM) Tokenization Public key encryption (PKI) Database monitoring & behavior analysis Endpoint security Average Consolidated 52% 83% 19% 57% 38% 29% 19% 36% 53% 49% 44% Part 5: Security effectiveness Computed value based on 48 items Consolidated 0.60 Part 6: Role and organizational characteristics D1. What organizational level best describes your current position? Senior Executive Vice President Director Manager/Supervisor Associate/Staff/Technician Other Total Consolidated 1% 2% 18% 31% 44% 3% 100% Thales e-Security & Ponemon Institute© Research Report Page 45
  47. 47. D2. Check the functional area that best describes your organizational location. IT operations Security Compliance Finance Lines of business (LOB) Other Total Consolidated 60% 14% 8% 3% 13% 3% 100% D3. What industry best describes your organization’s industry focus? Financial services Public sector Technology & software Health & pharmaceuticals Manufacturing Communications Consumer products Hospitality & leisure Transportation Retailing Services Defense Education & research Energy Entertainment & Media Other Total Consolidated 16% 11% 7% 7% 10% 5% 5% 5% 5% 7% 7% 2% 3% 4% 4% 2% 100% D4. What is the worldwide headcount of your organization? Less than 500 500 to 1,000 1,001 to 5,000 5,001 to 25,000 25,001 to 75,000 More than 75,000 Total Consolidated 12% 18% 30% 26% 11% 4% 100% Thales e-Security & Ponemon Institute© Research Report Page 46
  48. 48. About Thales e-Security Thales e-Security is a leading global provider of data encryption and cyber security solutions to the financial services, high technology manufacturing, government and technology sectors. With a 40-year track record of protecting corporate and government information, Thales solutions are used by four of the five largest energy and aerospace companies, 22 NATO countries, and they secure more than 70 percent of worldwide payment transactions. Thales e-Security has offices in France, Hong Kong, Norway, United States and the United Kingdom. www.thales-esecurity.com. About Thales Thales is a global technology leader for the Defense & Security and the Aerospace & Transport markets. In 2011, the company generated revenues of €13 billion with 68,000 employees in more than 50 countries. With its 22,500 engineers and researchers, Thales has a unique capability to design, develop and deploy equipment, systems and services that meet the most complex security requirements. Thales has an exceptional international footprint, with operations around the world working with customers as local partners. www.thalesgroup.com. About Ponemon Institute Ponemon Institute is dedicated to independent research and education that advances information security, data protection and privacy management practices within businesses and governments. Our mission is to conduct high quality, empirical studies on critical issues affecting the security of information assets and the IT infrastructure. As a member of the Council of American Survey Research Organizations (CASRO), we uphold strict data confidentiality, privacy and ethical research standards. www.ponemon.org. Thales e-Security & Ponemon Institute© Research Report Page 47

×