Encryption
  • 1. Encryption and Key Management August 2007
  • 2. Encryption & Key Management, Page 2

Executive Summary

To support the broader deployment of encryption for the protection of sensitive data and to deal with the management of encryption keys over their lifecycle, Best-in-Class organizations are beginning to look towards centralized key management and automated key distribution solutions to deliver higher scalability, lower operational costs, reduce risk, establish consistent security policies, and sustain regulatory compliance.

“You have to plan. We spend a lot of time planning. If you don’t, you’re likely to get yourself in a hole you can’t get out of. The number of keys under management never goes down … and we may need to go back and recover encrypted data at any time.”
~ Trusted Computing Development Manager, $5.7B US-based Industrial Equipment Manufacturer (managing encryption keys since 1996, with >3M keys currently under management)

Best-in-Class Performance

Based on feedback from more than 150 organizations, Aberdeen used the following performance criteria to distinguish Best-in-Class companies from Industry Average and Laggard organizations in the protection of sensitive data using encryption and key management:
• Increase in the total percentage of sensitive data identified, compared to a year ago;
• Decrease in the number of incidents of exposed or potentially exposed data due to inconsistent encryption and key management policies, compared to a year ago; and
• Decrease in the number of incidents of inaccessible data due to mismanagement of encryption keys, compared to a year ago.

Competitive Maturity Assessment

Survey results show that the firms enjoying Best-in-Class performance shared several common characteristics. Compared to one year ago:
• 81% increased the number of application types / use cases using encryption
• 71% increased the number of encryption keys under management
• 50% increased the number of locations (including multiple sites, branches, outsourcing partners, partner extranets) implementing encryption
• 46% increased the consistency of encryption and key management policies across multiple applications / use cases

Required Actions

In addition to the specific recommendations in Chapter 3 of this report, to achieve Best-in-Class performance organizations should build the strategic capability to support the flow of information across organizational and network boundaries, by using encryption solutions to secure the data coupled with an infrastructure to manage, protect and control access to the encryption keys that provide the foundation for this higher level of protection.

© 2007 Aberdeen Group. Telephone: 617 723 7890 www.aberdeen.com Fax: 617 723 7897
  • 3. Table of Contents

Executive Summary ........ 2
  Best-in-Class Performance ........ 2
  Competitive Maturity Assessment ........ 2
  Required Actions ........ 2
Chapter One: Benchmarking the Best-in-Class ........ 4
  Expanding Use of Encryption ........ 4
  Maturity Class Framework ........ 5
  Best-in-Class PACE Model ........ 6
Chapter Two: Benchmarking Requirements for Success ........ 10
  Competitive Assessment ........ 10
  Organizational Capabilities and Technology Enablers ........ 13
Chapter Three: Required Actions ........ 15
  Laggard Steps to Success ........ 15
  Industry Average Steps to Success ........ 15
  Best-in-Class Steps to Success ........ 15
Appendix A: Research Methodology ........ 17
Appendix B: Related Aberdeen Research ........ 20

Figures
Figure 1: Leading Drivers for Use of Encryption (all respondents) ........ 4
Figure 2: Strategic Approach to Securing Sensitive Data ........ 7
Figure 3: Strategic Approach to Encryption ........ 8
Figure 4: Key Management – Level of Automation ........ 13

Tables
Table 1: Companies with Top Performance Earn “Best-in-Class” Status ........ 5
Table 2: Best-in-Class PACE Framework ........ 6
Table 3: Competitive Framework ........ 11
Table 4: PACE Framework Key ........ 18
Table 5: Competitive Framework Key ........ 18
Table 6: Relationship Between PACE and Competitive Framework ........ 19
  • 4. Chapter One: Benchmarking the Best-in-Class

Expanding Use of Encryption

Encryption is the process of transforming information into a form that cannot be read without the possession of special knowledge, referred to as a key. The purpose of encryption is to ensure that the information remains private from anyone not authorized to read it, even from those who may have access to the encrypted data. Although the use of encryption to protect sensitive data – whether the data is at rest, in transit, or in use – is anything but new, its application is growing ever more widespread. High-profile data breaches, identity theft, industry and government regulations, insider attacks, softening consumer confidence, and the increasing mobility of sensitive information are among the many motivations for the expanding use of encryption.

Fast Facts. Compared to one year ago:
√ 81% of the Best-in-Class increased the total number of application types / use cases for encryption
√ 71% of the Best-in-Class increased the total number of encryption keys under management
√ 50% of the Best-in-Class increased the number of locations (including multiple sites, branches, outsourcing partners, and partner extranets) using encryption

Figure 1: Leading Drivers for Use of Encryption (all respondents). Bar chart: Protect sensitive data 66%; Protect against the threat of external attacks 19%; Protect against the threat of internal attacks 13%; Support the mobility requirements of employees 11%. Source: Aberdeen Group, August 2007

The increasing adoption of encryption-enabled solutions, however, also translates to a proliferation of encryption keys, and creates a new security management problem: all keys have a lifecycle, which includes generation, distribution, storage, use, archiving, backup and retrieval, replacement, revocation, and eventual expiration and termination. To support the broader deployment of encryption and to deal with the management of encryption keys over their lifecycle, Best-in-Class organizations are beginning to look towards centralized key management and automated key distribution solutions to deliver higher scalability, lower operational costs, reduce risk, establish consistent security policies, and sustain regulatory compliance.
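As an added illustration (not code from the Aberdeen report), the following Python models the key lifecycle described above as a state machine: a key moves from active to archived on rotation, to revoked on suspected compromise, and to destroyed on termination, while the inventory never shrinks so that archived keys can still recover ciphertext produced years earlier. The key identifier scheme, the sample records and the HMAC-based demo cipher are assumptions made for the example, not anything the report specifies.

```python
"""Key lifecycle state machine for a small centralized key manager (added
illustration, not code from the Aberdeen report). Old keys are archived, never
deleted, so data encrypted under a rotated-out key stays recoverable."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from enum import Enum


class State(Enum):
    ACTIVE = "active"        # may encrypt new data and decrypt
    ARCHIVED = "archived"    # rotated out: decrypt only, so old data stays readable
    REVOKED = "revoked"      # suspected compromise: no cryptographic use at all
    DESTROYED = "destroyed"  # key material erased; only the inventory record is kept


# Allowed lifecycle transitions. Nothing leaves DESTROYED, and no key is ever
# removed from the inventory, so the number of keys under management only grows.
TRANSITIONS = {
    State.ACTIVE: {State.ARCHIVED, State.REVOKED},
    State.ARCHIVED: {State.REVOKED, State.DESTROYED},
    State.REVOKED: {State.DESTROYED},
    State.DESTROYED: set(),
}


@dataclass
class ManagedKey:
    key_id: str
    material: bytes          # set to None once the key is DESTROYED
    state: State = State.ACTIVE


class KeyManager:
    def __init__(self):
        self.keys = {}       # every key ever generated, by key_id
        self.current = None  # key_id of the single ACTIVE key

    def generate(self):
        """Generate a new ACTIVE key; the previous one is archived (rotation)."""
        if self.current is not None:
            self.transition(self.current, State.ARCHIVED)
        key_id = f"k{len(self.keys) + 1:04d}"  # constructed identifier scheme
        self.keys[key_id] = ManagedKey(key_id, os.urandom(32))
        self.current = key_id
        return key_id

    def transition(self, key_id, new):
        key = self.keys[key_id]
        if new not in TRANSITIONS[key.state]:
            raise ValueError(f"{key_id}: {key.state.value} -> {new.value} not allowed")
        key.state = new
        if new is State.DESTROYED:
            key.material = None  # termination: erase material, keep the record
        if key_id == self.current:
            self.current = None

    def encrypt(self, plaintext):
        if self.current is None:
            raise RuntimeError("no ACTIVE key; generate one first")
        key = self.keys[self.current]
        nonce = os.urandom(16)
        # The ciphertext names the key that protected it, so the manager can
        # locate the right (possibly archived) key when data is recovered later.
        return {"key_id": key.key_id, "nonce": nonce.hex(),
                "ct": _keystream_xor(key.material, nonce, plaintext).hex()}

    def decrypt(self, blob):
        key = self.keys[blob["key_id"]]
        if key.state not in (State.ACTIVE, State.ARCHIVED):
            raise PermissionError(f"{key.key_id} is {key.state.value}; decryption refused")
        return _keystream_xor(key.material, bytes.fromhex(blob["nonce"]),
                              bytes.fromhex(blob["ct"]))


def _keystream_xor(key, nonce, data):
    """Demo cipher only: HMAC-SHA256 as a PRF in counter mode, unauthenticated.
    A real deployment would use AES-GCM; the lifecycle logic is the point here."""
    out = bytearray()
    for block in range((len(data) + 31) // 32):
        ks = hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[block * 32:(block + 1) * 32], ks))
    return bytes(out)


def demo():
    km = KeyManager()
    k1 = km.generate()
    record_2006 = km.encrypt(b"constructed sample: payment record, 2006")
    k2 = km.generate()                   # rotation: k1 -> ARCHIVED, k2 ACTIVE
    recovered = km.decrypt(record_2006)  # archived key still recovers old data
    km.transition(k1, State.REVOKED)     # k1 suspected compromised
    try:
        km.decrypt(record_2006)
        refused = False
    except PermissionError:
        refused = True                   # revoked key may no longer be used
    km.transition(k1, State.DESTROYED)
    return {
        "keys_under_management": len(km.keys),  # 2: the inventory never shrinks
        "active_key": k2,
        "old_data_recovered": recovered == b"constructed sample: payment record, 2006",
        "revoked_decrypt_refused": refused,
        "k1_material_erased": km.keys[k1].material is None,
    }
```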
  • 5. Objectives for this Report

This research report was designed to give new insights into how organizations are leveraging encryption and key management solutions to:
• Support the use of encryption across an increasing volume of applications, servers, end-users, and networked devices;
• Manage encryption keys across their complete lifecycle, from generation to eventual termination;
• Manage risk in a consistent way across multiple use cases and geographically dispersed locations; and
• Achieve and sustain compliance with internal security policies and external regulations.
For additional details on Aberdeen’s research methodology, see Appendix A.

Maturity Class Framework

Aberdeen used the following performance criteria to distinguish “Best-in-Class” organizations from “Industry Average” and “Laggard” organizations in their use of encryption and key management to protect sensitive data:
• Increase in the total percentage of sensitive data identified, compared to a year ago;
• Decrease in the number of incidents of exposed or potentially exposed data due to inconsistent encryption and key management policies, compared to a year ago; and
• Decrease in the number of incidents of inaccessible data due to mismanagement of encryption keys, compared to a year ago.
Companies with top performance based on these criteria earn “Best-in-Class” status, as described in Table 1. (For additional details, see Table 5 in Appendix A.)
Table 1: Companies with Top Performance Earn Best-in-Class Status

Best-in-Class (top 20% of aggregate performance scorers), mean class performance:
• 64% increased the total percentage of sensitive data identified, compared to a year ago
• 82% decreased the number of incidents of exposed or potentially exposed data due to inconsistent encryption and key management policies, compared to a year ago
• 72% decreased the number of incidents of inaccessible data due to mismanagement of encryption keys, compared to a year ago

  • 6. Industry Average (middle 50% of aggregate performance scorers), mean class performance:
• 47% increased the total percentage of sensitive data identified, compared to a year ago
• 6% increased the number of incidents of exposed or potentially exposed data due to inconsistent encryption and key management policies, compared to a year ago
• 4% increased the number of incidents of inaccessible data due to mismanagement of encryption keys, compared to a year ago

Laggard (bottom 30% of aggregate performance scorers), mean class performance:
• 14% increased the total percentage of sensitive data identified, compared to a year ago
• 33% increased the number of incidents of exposed or potentially exposed data due to inconsistent encryption and key management policies, compared to a year ago
• 31% increased the number of incidents of inaccessible data due to mismanagement of encryption keys, compared to a year ago

Note: the percentages reflected in Table 1 represent the net of all responses of “increased”, “remained the same”, and “decreased” compared to one year ago. Source: Aberdeen Group, 2007

Best-in-Class PACE Model

Achieving superior performance in protecting sensitive data using encryption and key management requires a combination of strategic actions, organizational capabilities, and enabling technologies, as summarized in Table 2. (For a description of Aberdeen’s PACE Framework, see Table 4.)
Table 2: Best-in-Class PACE Framework

Pressures
• Protect sensitive data

Actions
• Support the use of third-party encryption solutions across an increasing range of existing infrastructure, applications, servers, end-users, and networked devices
• Protect and control access to the network and to the data itself
• Secure the data, and protect and control access to the encryption keys that secure the data

Capabilities
• Flexible distribution and integration of keys to a wide variety of encryption-enabled endpoints
• Management of encryption keys across their complete lifecycle, from generation to eventual termination
• Enforcement of consistent security policies to manage business risk
• Audit, analysis and reporting capabilities to address compliance requirements

Enablers
• File Encryption
• Full-Disk Encryption
• Mobile Device Encryption
• USB Device Encryption
• Database Encryption
• Storage / Backup Encryption
• Application Encryption
• Key Management
• Hardware Security Modules (HSM)
• Trusted Platform Modules (TPM)
• Public-Key Infrastructure (PKI)
• Smart Cards; Card Issuance Systems

Source: Aberdeen Group, August 2007

In response to the pressure to protect sensitive data, 40% of the Best-in-Class indicate that they are supporting the use of third-party encryption solutions across an increasing range of existing infrastructure, applications, servers, end-users, and networked devices. Best-in-Class companies have begun to shift their strategic approach to securing sensitive data:
• from the traditional, perimeter-based approach of protecting the network and controlling access to the data itself (39%),
• to an information-centric, de-perimeterized approach of securing the data combined with protecting and controlling access to the encryption keys that secure the data (25%).
Compared to the Industry Average, the Best-in-Class companies in the survey were 1.9X more likely to have adopted an information-centric, de-perimeterized approach than a traditional, perimeter-based approach to securing sensitive data. See Figure 2.

Figure 2: Strategic Approach to Securing Sensitive Data. Bar chart, Best-in-Class vs. Industry Average: protect and control access to the network and access to the data itself, 39% vs. 45%; secure the data, and protect and control access to the encryption keys that secure the data, 25% vs. 15%. Source: Aberdeen Group, August 2007
  • 8. To date, the most common adoption of encryption across all companies surveyed has been the tactical deployment of point solutions where specific needs exist. However, the research indicates that a new, more strategic approach to encryption and key management has emerged. Best-in-Class companies have started to shift:
• from tactical deployment of point solutions for encryption, where specific needs exist (46%),
• to a top down, enterprise-wide view of encryption for protecting sensitive data (36%).
Compared to the Industry Average, the Best-in-Class companies in the survey were 1.6X more likely to take a strategic, pan-enterprise approach to encryption and key management than a tactical, point wise approach to deployment of encryption solutions. See Figure 3.

Figure 3: Strategic Approach to Encryption. Bar chart, Best-in-Class vs. Industry Average: top down, enterprise view of encryption for protecting sensitive data, 36% vs. 26%; point solutions for encryption have been deployed where specific needs exist, 46% vs. 52%; limited deployments of encryption, 18% vs. 22%. Source: Aberdeen Group, August 2007

In the next chapter, we will see what the leading companies are doing to achieve superior performance in encryption and key management.

Aberdeen Insights – Strategy

Not quite 25 years ago now, the innate tension between two contrary aspects of electronic information was first noted: on the one hand, information can be immeasurably valuable; on the other hand, “information wants to be free”. This tension between value and the ease and convenience with which information can be perfectly replicated is at the heart of the different strategic approaches to protecting sensitive data that we see highlighted in this report.

  • 9. The traditional, perimeter-based approach to protecting sensitive data manages information in a central location, and controls access to the information itself – analogous to putting the eggs in one basket, then guarding that basket. But as more open, flexible network access and distributed computing models dissolve the traditional network perimeter, the centralized “fortress” model for data protection can be increasingly impractical and ineffective.

In its place, an information-centric approach to protecting sensitive data is clearly emerging. By securing the data, rather than only the network and IT infrastructure, information that inherently “wants to be free” can flow freely across organizational and network boundaries – to stretch the previous egg/basket analogy, although they are no longer in one basket the eggs still have a protective shell. This information-centric approach requires – among other things – that along with encryption to secure the data, an infrastructure must be put in place to manage, protect, and control access to the encryption keys. The research shows clear evidence of growth in encryption-related infrastructure solutions that is consistent with the evolution from tactical point deployments of encryption to such a strategic enterprise-wide approach.
  • 10. Chapter Two: Benchmarking Requirements for Success

The selection and deployment of encryption and key management solutions, and their successful integration with existing business process, plays a crucial role in the ability to leverage these enabling technologies to support higher scale, reduce costs, manage security risk, and achieve compliance with internal policy and external regulations.

Fast Facts. Based on survey responses for current use vs. planned use in the next 12 months, organizations will:
√ Significantly expand the use of encryption to gain control over ‘data in use’ by mobile end-users, with greatest attention on smart phones and PDAs, USB devices such as iPods and thumb drives, and flash memory cards (>100% year-over-year growth)
√ More uniformly deploy encryption for protection of data in back-end applications, including database encryption, application encryption, server-to-server encryption, and encryption of Web Services transactions (>50% year-over-year growth)

Case Study: Maritz, Inc., Fenton, Missouri

Maritz, Inc., a $1.3B provider of integrated performance improvement, incentive travel, and market research services headquartered near St. Louis, is home to 10 business units and 17 call centers. They use encryption throughout the organization for file transfers, wireless connections and to protect payment card data. Maritz has recently put policy and process in place to centralize the management and distribution of encryption keys and to enforce responsible key usage.

“Currently, most of our process is manual,” says enterprise architect Bill Hamilton. “We want physical signatures.” Hamilton says there’s been some pushback within the organization against the strict language associated with key usage, but feels that Maritz is getting what it wants in terms of manageability and accountability. “Our key management process is relatively new,” says Hamilton, “and it’s helping us manage our Service Level Agreements. We want everything managed from one central location, so we know exactly what got sent and when.”

Identification and classification of information assets is the first step in any encryption and key management initiative, and as the saying goes the first step can be the hardest. “The hardest part [of protecting sensitive data] is finding all the places it’s being used,” notes Hamilton. A higher degree of automation of the key management process remains possible for the future, but in the early stages Maritz will continue to rely on its proven manual processes. “Because our auditors require paper trails, we’re likely to stick with our manual process for now – it’s working.”

Competitive Assessment

The aggregated performance of surveyed companies determined whether they ranked as Best-in-Class, Industry Average or Laggard. Each class also shared common characteristics in the following categories:
(1) Process (scope of process standardization; efficiency and effectiveness of these processes);
(2) Organization (how the company is organized to manage and optimize these processes);
  • 11. (3) Knowledge (visibility into vital information and intelligence required to manage these processes);
(4) Technology (selection of appropriate enabling tools, and intelligent deployment of those tools); and
(5) Performance (measurement of the benefits of technology deployment, and use of the results to improve processes further).
These characteristics (identified in Table 3 below) serve as a guideline for best practices and correlate directly with Best-in-Class performance across the respective metrics.

Table 3: Competitive Framework (Best-in-Class / Average / Laggards)

Process
• Distribution and integration of encryption keys to a wide variety of encryption-enabled endpoints: 46% / 30% / 16%
• Management of encryption keys across their complete lifecycle, from generation to eventual termination: 36% / 26% / 8%
• Enforcement of consistent security policies related to encryption and key management: 46% / 27% / 14%
• Controls to ensure that monitoring and compliance methods satisfy the requirements of INTERNAL policies: 71% / 47% / 31%
• Controls to ensure that monitoring and compliance methods satisfy the requirements of EXTERNAL regulations: 64% / 44% / 20%

Organization
• Responsible executive or team with primary ownership for the creation and revision of encryption and key management policies and practices: 50% / 40% / 18%
• Formal awareness and end-user training programs around encryption and key management: 32% / 14% / 14%

Knowledge
• Consistent asset classification scheme: 40% / 40% / 10%
• All data assets are identified and classified: 36% / 27% / 12%

  • 12. Technology (selected encryption technologies currently in use)
• File encryption (desktop / laptop): 57% / 51% / 29%
• File encryption (server): 57% / 32% / 27%
• Full-Disk encryption: 22% / 22% / 14%
• Database encryption: 39% / 26% / 16%
• Client certificates: 46% / 37% / 12%
• Public-Key Infrastructure (PKI): 46% / 38% / 25%
• Key Management (as a standalone product): 29% / 25% / 18%

Performance (compared to one year ago)
• Support encryption at more endpoint types: 81% / 52% / 35%
• Manage larger number of encryption keys: 71% / 55% / 27%
• Greater consistency of encryption and key management policies across multiple applications / use cases: 46% / 18% / 8%
• Support encryption at more locations (including multiple sites, branches, outsourcing partners, partner extranets): 50% / 38% / 12%
• Greater consistency of encryption and key management policies across multiple locations: 29% / 18% / 8%

Note: the percentages reflected under “Performance” are in comparison to one year ago. Source: Aberdeen Group, August 2007

As shown in Figure 4, the research shows that Best-in-Class companies are investing in automated key management and key distribution capabilities to cope with, and reap the benefits of, significantly broader use of encryption. Compared to all companies surveyed, the Best-in-Class supported 1.9X more keys with an estimated 34% lower total annual cost on a per-key basis.
  • 13. Figure 4: Key Management – Level of Automation. Line chart of Average Performance Rating (1=Low, 5=High) for Best in Class, Industry Average and Laggards at three points in time: one year ago, currently, and projected one year from now (plotted ratings range from 1.4 to 3.4). Source: Aberdeen Group, August 2007

Organizational Capabilities and Technology Enablers

A well-designed implementation strategy for encryption and key management includes the following essential steps:
• Identify and classify all information assets – Best-in-Class organizations are 4X more likely than Laggards to have a consistent asset classification scheme, and 3X more likely than Laggards to have classified and identified all data assets.
• Establish policies for all classifications, applications, use cases, and locations involving sensitive data – Best-in-Class organizations enforce consistent policies for encryption and key management at a rate 3.3X higher than that of Laggards.
• Implement enabling technologies to remediate known risks and to protect against future risks to sensitive data – as detailed in Table 3, Best-in-Class organizations have deployed encryption technologies and encryption-related infrastructure more broadly than their counterparts in Industry Average or Laggard organizations to achieve these objectives. See additional discussion on enabling technologies in the Aberdeen Insights section on Technology, below.
• Establish controls to ensure that monitoring and compliance methods satisfy the requirements of both internal policies and external regulations – Best-in-Class organizations have established consistent controls at a rate 1.5X higher than that of the Industry Average, for both internal and external requirements.
• Educate relevant stakeholders with formal awareness and end-user training programs around encryption and key management – Best-in-Class organizations do this with 2.3X higher incidence than all other companies, although at only 40% even the Best-in-Class can improve in this regard.

Aberdeen Insights – Technology

To date, companies surveyed deploying encryption to protect ‘data at rest’ on end-user devices have focused most heavily on file encryption (45%) and full-disk encryption (20%) on desktops and laptops. Nearly twice as many respondents indicate they will deploy full-disk encryption versus file encryption for desktops / laptops in the year to come.

In the next 12 months, organizations surveyed also indicate that they are seeking to gain more control over the data that is flowing to end-user devices, with significantly increasing attention on smart phones and PDAs, as well as USB devices such as iPods (to combat potential “Pod-slurping”) and USB thumb drives (to prevent loss of data through “thumb-sucking”). Projected year-over-year growth in these areas (planned use versus current use) is >100%. The data wants to be free, and yet it must be protected.

For protection of data in back-end applications, the data indicates more uniform deployment in areas such as database encryption, application encryption, server-to-server encryption, and encryption of Web Services transactions – each with >50% year-over-year growth in planned deployment.

Indicated growth of several encryption-related infrastructure solutions is consistent with the expected evolution from tactical, point deployments to a more strategic, enterprise-wide approach to protecting sensitive data. Hardware Security Modules (HSMs), standalone Key Management solutions, Public-Key Infrastructure (PKI), and Smart Card Issuance systems all had year-over-year growth outlooks of about 50%. In addition, although starting from a relatively small base, the projected growth outlook for Trusted Platform Modules (TPMs) was very strong at >120%.

As more technology solutions provide native, out-of-the-box support for encryption, organizations have the promise of broader deployment and better protection of sensitive data in the long term – as well as the short term potential for market confusion and redundant management costs. Compared to the Industry Average, Best-in-Class organizations are about 10% more likely to support the use of third-party encryption solutions, but they are 2X more likely to support the use of encryption as it is supported natively in their portfolio of deployed solutions. This open attitude towards early adoption of native encryption by the Best-in-Class is more feasible due to the fact that these are the companies who have also adopted the more strategic, enterprise-wide approach to encryption and key management.
  • 15. Encryption & Key Management Page 15 Chapter Three: Required Actions Whether an organization is trying to move its performance in encryption Fast Facts and key management from “Laggard” to “Industry Average,” or “Industry • Best-in-Class companies are Average” to “Best-in-Class,” the following actions will help drive the investing in automated key necessary performance improvements. management and key distribution capabilities to cope with, and reap the Laggard Steps to Success benefits of, significantly • Identity and classify all information assets – only 10% of Laggard broader use of encryption. organizations have a consistent asset allocation scheme, and only Compared to all companies surveyed, the Best-in-Class 12% indicate that they have identified and classified all data assets. supported 1.9X more keys The hardest part of protecting data is first finding where it is. with an estimated 34% lower • Establish consistent policies – very few (8%) Laggard organizations total annual cost on a per- indicated an increase in consistency of policies across multiple key basis. applications, use cases and locations compared to a year ago. Planning and knowing what to do is a critical prelude to implementation of enabling technologies. • Assign clear organizational ownership – only 18% of Laggard organizations have a responsible executive or team with primary ownership for the creation and revision of encryption and key management policies and practices. Clear responsibility and accountability (“one throat to choke”) is a critical success factor for any IT security project. Industry Average Steps to Success • Identity and classify all information assets – Industry Average organizations are on par with the Best-in-Class at having a consistent asset allocation scheme (40%), but only 27% indicate that they have identified and classified all data assets. 
• Increase consistency of policies – more than 50% of Industry Average organizations indicated an increase in the number of endpoint types using encryption and in the number of encryption keys under management, but only 18% indicated an increase in consistency of policies across multiple applications, use cases and locations compared to a year ago.
• Improve controls to sustain compliance – less than half of Industry Average organizations had implemented controls to ensure that their monitoring and compliance methods satisfy the requirements of both internal policies and external regulations.

Best-in-Class Steps to Success
• Identify and classify all information assets – Best-in-Class organizations led the way at having identified and classified their data assets, but at only 40% they still have substantial work to do in this vitally important step.
© 2007 Aberdeen Group. Telephone: 617 723 7890 www.aberdeen.com Fax: 617 723 7897
• 16. Encryption & Key Management Page 16
• Continue steps towards a strategic, top-down view of encryption and key management – only 36% of Best-in-Class organizations currently report management of encryption keys across their complete lifecycle, from generation to eventual termination.
• Invest in end-user training and awareness – only 32% of Best-in-Class organizations indicate that they currently have formal awareness and end-user training programs around encryption and key management. The technological aspect of data protection is necessary, but not sufficient – the human factor plays a critical role as well.

Aberdeen Insights – Summary

In an information-centric, de-perimeterized approach to protecting sensitive data, all organizations need to:
• identify and classify their information assets;
• establish consistent policies;
• implement an appropriate portfolio of enabling technologies for encryption and key management; and
• establish controls to ensure compliance with both internal policies and external regulations.

Technical controls alone are not enough – companies must also educate all relevant stakeholders through formal awareness and end-user training programs around encryption and key management. Clear ownership and accountability for the creation and revision of encryption and key management policies and practices by a senior executive or team is also a critical factor for successful implementation.

Best-in-Class organizations have not only deployed encryption more widely for the protection of sensitive data, but have also begun to implement centralized key management and automated key distribution solutions to deliver higher scalability, lower operational costs, reduce risk, establish consistent security policies, and sustain regulatory compliance.
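The chapter measures whether organizations manage keys "across their complete lifecycle, from generation to eventual termination" but does not show what that lifecycle looks like in practice. The following is an added illustration, not code from the Aberdeen report or from any vendor's key management product. It assumes four lifecycle states (pre-active, active, deactivated, destroyed; the names are an assumption), tags every protected record with the id of the key that protects it, and refuses to destroy a key while the registry still knows of records under it. The cipher is a toy HMAC-SHA256 counter-mode construction standing in for a real AEAD such as AES-GCM; it is here only to keep the example dependency-free and must not be used for real data. The sample record is constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional


class KeyState(Enum):
    """Lifecycle states in the order a key normally passes through them (assumed names)."""
    PRE_ACTIVE = "pre-active"    # generated, not yet used for anything
    ACTIVE = "active"            # protects new records and recovers old ones
    DEACTIVATED = "deactivated"  # recovers records already written under it, writes nothing new
    DESTROYED = "destroyed"      # material wiped; any record still under it is unrecoverable


@dataclass
class ManagedKey:
    key_id: str
    material: Optional[bytes]
    state: KeyState
    record_refs: int = 0         # records the registry knows are protected under this key


class KeyLifecycleError(Exception):
    pass


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from HMAC-SHA256; a stand-in for a real AEAD, not for production."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


class KeyManager:
    """Central registry: record layout is key_id (16) || nonce (16) || body || HMAC tag (32)."""

    def __init__(self) -> None:
        self._keys: Dict[str, ManagedKey] = {}
        self._current: Optional[str] = None

    def generate(self) -> str:
        key_id = secrets.token_hex(8)  # 16 hex characters, written into every record header
        self._keys[key_id] = ManagedKey(key_id, secrets.token_bytes(32), KeyState.PRE_ACTIVE)
        return key_id

    def activate(self, key_id: str) -> None:
        key = self._keys[key_id]
        if key.state is not KeyState.PRE_ACTIVE:
            raise KeyLifecycleError(f"{key_id}: cannot activate from state {key.state.value}")
        key.state = KeyState.ACTIVE
        self._current = key_id

    def rotate(self) -> str:
        """Generate and activate a successor; the old key stays readable but no longer writes."""
        old, new = self._current, self.generate()
        self.activate(new)
        if old is not None:
            self._keys[old].state = KeyState.DEACTIVATED
        return new

    def destroy(self, key_id: str) -> None:
        """Termination: refuse to wipe the active key or a key that records still depend on."""
        key = self._keys[key_id]
        if key.state is KeyState.ACTIVE:
            raise KeyLifecycleError(f"{key_id}: rotate before destroying the active key")
        if key.record_refs > 0:
            raise KeyLifecycleError(f"{key_id}: {key.record_refs} record(s) still depend on it")
        key.material, key.state = None, KeyState.DESTROYED

    def state_of(self, key_id: str) -> KeyState:
        return self._keys[key_id].state

    def protect(self, plaintext: bytes) -> bytes:
        if self._current is None:
            raise KeyLifecycleError("no active key")
        key, nonce = self._keys[self._current], secrets.token_bytes(16)
        body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key.material, nonce, len(plaintext))))
        header = key.key_id.encode() + nonce
        tag = hmac.new(key.material, header + body, hashlib.sha256).digest()
        key.record_refs += 1
        return header + body + tag

    def unprotect(self, record: bytes) -> bytes:
        key = self._keys.get(record[:16].decode())
        if key is None or key.material is None:
            raise KeyLifecycleError("record is inaccessible: its key is no longer available")
        nonce, body, tag = record[16:32], record[32:-32], record[-32:]
        if not hmac.compare_digest(hmac.new(key.material, record[:-32], hashlib.sha256).digest(), tag):
            raise KeyLifecycleError("integrity check failed")
        return bytes(c ^ k for c, k in zip(body, _keystream(key.material, nonce, len(body))))

    def rewrap(self, record: bytes) -> bytes:
        """Move a record from its old key to the current key and release the old reference."""
        plaintext = self.unprotect(record)
        self._keys[record[:16].decode()].record_refs -= 1
        return self.protect(plaintext)


def demo() -> dict:
    """Walk one constructed record through rotation and key termination; return what was observed."""
    km = KeyManager()
    first = km.generate()
    km.activate(first)
    sample = b"constructed sample record: account 0000-1111-2222-3333"  # constructed, not real data
    record = km.protect(sample)
    km.rotate()
    readable_after_rotate = km.unprotect(record) == sample
    try:
        km.destroy(first)                      # still referenced: must be refused
        premature_destroy_blocked = False
    except KeyLifecycleError:
        premature_destroy_blocked = True
    stale_copy = record                        # e.g. a backup nobody re-wrapped
    record = km.rewrap(record)                 # now under the current key
    km.destroy(first)                          # safe as far as the registry knows
    try:
        km.unprotect(stale_copy)
        stale_copy_inaccessible = False
    except KeyLifecycleError:
        stale_copy_inaccessible = True
    return {
        "readable_after_rotate": readable_after_rotate,
        "premature_destroy_blocked": premature_destroy_blocked,
        "old_key_state": km.state_of(first).value,
        "readable_after_rewrap": km.unprotect(record) == sample,
        "stale_copy_inaccessible": stale_copy_inaccessible,
    }
```

The reference count only protects records the registry has seen; the stale backup in `demo()` becomes unrecoverable the moment the old key is destroyed, which is exactly the "inaccessible data due to mismanagement of encryption keys" incident the report counts against organizations. In practice that argues for a long deactivated period and an archive of retired key material, not for destroying keys as soon as a rotation completes.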
• 17. Encryption & Key Management Page 17

Appendix A: Research Methodology

In August 2007, Aberdeen Group examined the current and planned use of encryption to protect sensitive data, and best practices for managing the encryption keys that secure the data over their life cycle. The experiences and intentions of more than 150 enterprises from a diverse set of organizations are represented in this study. Respondents completed an online survey that included questions designed to determine the following:
• The degree to which organizations are using encryption across an increasing variety of applications, servers, end-users, and networked devices;
• The approaches taken to manage encryption keys across their complete lifecycle, from generation to eventual termination;
• The degree to which encryption is being used to help organizations manage risk in a consistent way across multiple use cases and geographically dispersed locations; and
• The impact of encryption and key management on achievement of compliance with internal security policies and external regulations.

Aberdeen supplemented this online survey effort with telephone interviews with select survey respondents, gathering additional information on encryption and key management strategies, experiences, and results. The study aimed to identify emerging best practices for encryption and key management, and to provide a framework by which readers can assess their own capabilities in these areas.

Responding enterprises included the following:
• Job title/function: The research sample included respondents with the following job titles: President/CEO/COO/CIO/CSO/Chief Compliance Officer (28%); Vice President/Director (20%); Manager (22%); Staff/Consultant (25%). The largest segment by functional responsibility was IT, representing 56% of the sample.
• Industry: The research sample included respondents from a wide variety of industries, including Finance/Banking (20%), Government/Aerospace/Defense (17%), Telecommunications (14%), Healthcare (7%), and Insurance (7%).
• Geography: The majority of respondents (54%) were from North America. Remaining respondents were from Europe/Middle East/Africa (25%), the Asia-Pacific region (16%), and South/Central America (5%).
• Company size: Large enterprises (annual revenues above US$1 billion) represented 22% of the respondents; 26% were from midsize enterprises (annual revenues between $50 million and $1 billion); and 52% of respondents were from smaller enterprises (annual revenues of $50 million or less).
• 18. Encryption & Key Management Page 18

Solution providers recognized as sponsors of this research were solicited after the fact and had no substantive influence on the direction of the final Encryption & Key Management benchmark report. Their sponsorship has made it possible for Aberdeen Group to make these findings available to readers at no charge.

Table 4: PACE Framework Key

Overview
Aberdeen applies a methodology to benchmark research that evaluates the business pressures, actions, capabilities, and enablers (PACE) that indicate corporate behavior in specific business processes. These terms are defined as follows:
Pressures — external forces that impact an organization's market position, competitiveness, or business operations (e.g., economic, political and regulatory, technology, changing customer preferences, competitive)
Actions — the strategic approaches that an organization takes in response to industry pressures (e.g., align the corporate business model to leverage industry opportunities, such as product/service strategy, target markets, financial strategy, go-to-market, and sales strategy)
Capabilities — the business process competencies required to execute corporate strategy (e.g., skilled people, brand, market positioning, viable products/services, ecosystem partners, financing)
Enablers — the key functionality of technology solutions required to support the organization's enabling business practices (e.g., development platform, applications, network connectivity, user interface, training and support, partner interfaces, data cleansing, and management)
Source: Aberdeen Group, August 2007

Table 5: Competitive Framework Key

Overview
The Aberdeen Competitive Framework defines enterprises as falling into one of the following three levels of practices and performance:
Best-in-Class (20%) — Practices that are the best currently being employed and significantly superior to the Industry Average, and result in the top industry performance.
Industry Average (50%) — Practices that represent the average or norm, and result in average industry performance.
Laggards (30%) — Practices that are significantly behind the average of the industry, and result in below average performance.

In the following categories:
Process — What is the scope of process standardization? What is the efficiency and effectiveness of this process?
Organization — How is your company currently organized to manage and optimize this particular process?
Knowledge — What visibility do you have into key data and intelligence required to manage this process?
Technology — What level of automation have you used to support this process? How is this automation integrated and aligned?
Performance — What do you measure? How frequently? What's your actual performance?
Source: Aberdeen Group, August 2007
• 19. Encryption & Key Management Page 19

Table 6: Relationship Between PACE and Competitive Framework

PACE and Competitive Framework: How They Interact
Aberdeen research indicates that companies that identify the most impactful pressures and take the most transformational and effective actions are most likely to achieve superior performance. The level of competitive performance that a company achieves is strongly determined by the PACE choices they make and how well they execute.
Source: Aberdeen Group, August 2007
• 20. Encryption & Key Management Page 20

Appendix B: Related Aberdeen Research

Related Aberdeen research that forms a companion or reference to this report includes:
• The Ins and Outs of Email Vulnerabilities (July 2007)
• Protecting Cardholder Data: Best-in-Class Performance at Addressing the PCI Data Security Standard (June 2007)
• Thwarting Data Loss (May 2007)
Information on these and any other Aberdeen publications can be found at www.aberdeen.com.

Author: Derek E. Brink, Vice President & Research Director, IT Security (Derek.Brink@aberdeen.com)

Aberdeen is a leading provider of fact-based research and market intelligence that delivers demonstrable results. Having benchmarked more than 30,000 companies in the past two years, Aberdeen is uniquely positioned to educate users to action: driving market awareness, creating demand, enabling sales, and delivering meaningful return-on-investment analysis. As the trusted advisor to the global technology markets, corporations turn to Aberdeen for insights that drive decisions.

As a Harte-Hanks Company, Aberdeen plays a key role of putting content in context for the global direct and targeted marketing company. Aberdeen's analytical and independent view of the "customer optimization" process of Harte-Hanks (Information – Opportunity – Insight – Engagement – Interaction) extends the client value and accentuates the strategic role Harte-Hanks brings to the market.

For additional information, visit Aberdeen at http://www.aberdeen.com or call (617) 723-7890, or to learn more about Harte-Hanks, call (800) 456-9748 or go to http://www.harte-hanks.com.

V073107b