Symantec Survey Highlights Encryption Plans, Pain

A new survey released today by Symantec Corp. -- the 2011Enterprise Encryption Trends Survey -- found an increase in enterprise adoption of encryption. That is, of course, no surprise, given that IT is trying to control storage costs amid massive data growth. The problem uncovered by the survey is that fragmented encryption solutions are “creating risk for organizations from the lack of centralized control of access to sensitive information,” as well as disrupting e-discovery and compliance monitoring.

“While many organizations understand the importance of encrypting their data, issues with key management and multiple point products can give them inconsistent visibility into what has been protected,” said Joe Gow, director of product management at Symantec, in a release announcing the results.

The state of these encryption solutions is having a financial impact: the survey estimates that “fragmented encryption solutions and poor key management is costing each organization an average of $124,965 per year.”

Nearly half (48 percent) of respondents say they increased encryption use over the past two years; for 38 percent, the encryption level remained the same. The respondents claim that 43 percent of their data is encrypted “at some point in its lifecycle.”

The solution(s) used varies widely. According to the report:

While adoption is high, that doesn’t mean everybody is on the same page. We didn’t see a consensus on a single, agreed-upon encryption product that was meeting everyone’s needs. Some enterprises reported as many as five different encryption solutions deployed in their data center. The typical organization reports they have five different encryption solutions deployed.

To my surprise, a third of those surveyed admit that they deployed encryption without approval of the security group “on a somewhat to extremely frequent basis.” Perhaps that’s why, as the report points out, “the projects are not necessarily following the company’s best practices, [and] 52 percent of organizations have experienced serious issues with encryption keys including lost keys (34 percent) and key failure (32 percent).”

Employee turnover is always a security problem -- enterprises must be diligent in terminating access to applications and data. Here’s another task to add to that list: “former employees who have refused to return keys,” a situation at more than a quarter (26 percent) of enterprises surveyed. Unfortunately, the survey found respondents expressing concern about managing encryption keys. “Forty percent are less than somewhat confident they can retrieve keys. Thirty-nine percent are less than somewhat confident they can protect access to business information from disgruntled employees.” That should make the security team nervous. Very nervous.

Key management causes further problems for enterprises; the most common is an inability to meet compliance requests (48 percent), followed by an inability to respond to eDiscovery requests (42 percent) or impeding access to important business information (41 percent).

Research for the trends survey was conducted in September by Applied Research, which examined the answers of “C-level, tactical management, and strategic management” respondents in 1,575 organizations from 37 countries.

-- James E. Powell
Editorial Director, ESJ

Posted by Jim Powell on 11/30/2011