Cloud encryption still lagging far behind other use cases: SafeNet

Increasing use of mobile and cloud-based services to store mission-critical data is raising the profile of enterprise data-encryption services, but a survey of Australian executives suggests that immature encryption-key management continues to compromise the technology's potential benefits.

Although 62 percent of respondents to the SafeNet Survey report were either experimenting with or running cloud computing, just 15 percent of respondents were using encryption as part of their cloud-services deployments. This compared with more than half who were using encryption in more-mature areas like virtual private networks (VPNs) and endpoint encryption.

Respondents were broadly aware of the importance of encryption, however: nearly 49 percent said they were likely or very likely to implement cloud or hard-disk encryption technology within the next 12 to 24 months.

Mark Yakabuski, SafeNet's vice president of product management for cryptography management, told CSO Australia that the growing profile of encryption technology was due to a growing sense that perimeter security had become fruitless in the cloud era: “there is a lot more focus on protection of data via encryption and discussion of its role when you're moving to the cloud,” he explained.

“Data centre consolidation starts with business justification – you want lower cost, higher efficiencies, better time to market, and better compliance. But data centre consolidation and the cloud are also driving a much wider and quicker expansion of those encryption use cases. Smart grids, mobile payments, document signing, SSL protection, DNS Sec, and code signing – all are examples of the proliferation of the expansion of encryption use cases.”

The enabling technology for those use cases, however, remains less than complete for a majority of Australian companies, according to the survey. Even where encryption was being used – or was planned to be used – respondents suggested that most companies are still struggling to implement robust management of encryption keys across encryption platforms.

More than 30 percent of respondents said they were using seven or more forms of encryption, yet only 22 percent said they had implemented encryption key-management technologies with the ability to centrally manage encryption based on business data-protection policies.

A quarter of the respondents had no key management solution in place at all.

Of those who had implemented key management, compliance was a significant driver in the decision to implement encryption, which was often correlated with a range of other compliance controls.

For example, those companies with centralised key management in place were three times more likely than other companies to have central logging, four times more likely to have separation of duties, over three times more likely to have audit controls, and almost five times more likely to have secure logging.

Those figures reflected the more mature position of companies with strong compliance cultures, but there are indications that a growing understanding of the need for cloud-based encryption – particularly when data is stored in other jurisdictions – has been improving the overall position, Yakabuski said.

“From an adoption cycle we're in the early stages,” he said. “The technology available today allows customers to deploy in virtual data centres all the way to the cloud, across the portfolio. Centralised control delivers a high-assurance, shared platform for internal cloud groups to provision out encryption services for their consuming party. And the technology will continue to evolve as the use cases evolve.”