I was talking about security with a good friend of mine who runs a software development company. He’s a really smart, technology-savvy guy but his take on encryption wasn’t positive. While he completely understands the need, he hates encryption (and security in general) because he says it always gets in the way when he’s trying to get work done. In this respect, I don’t think he’s that different from most people in the high tech world or, indeed, in the business world in general.
This general dislike of encryption is because encryption doesn’t seem valuable when it’s a virtual speed bump in the road to getting stuff done and its benefits, despite the huge increase in breaches and hacking, are hard to quantify. So, with the exception of the paranoid and security geeks, encryption has traditionally been seen as a belt added to the braces of other simpler and therefore more tolerable security measures.
Enterprise encryption increasing
… significantly more companies are embracing an enterprise-wide encryption strategy — an increase from 15 percent in FY2005 to 37 percent in this year’s study.
The study surveyed 5,009 individuals across 14 industry sectors in 11 countries and broke the respondents into two groups: “Mature” organizations, those that had an enterprise encryption strategy, and “immature”, those that either had no enterprise encryption strategy or had adopted an ad hoc approach. They concluded:
With the exception of Internet communications, mature companies have extensive usage rates that are higher in every encryption application category than the extensive usage rates among immature companies. The encryption applications with the widest variation between mature and immature companies are: (1) big data repositories (difference of 16 percent), (2) public cloud services (13 percent), (3) business applications (13 percent) and (4) private cloud infrastructure (11 percent).
In other words, in those application areas, mature companies have become significantly better protected than immature ones and certain industries are deploying encryption more than others:
Industries that have the highest overall extensive usage rates: financial services (56 percent), healthcare & pharmaceutical (49 percent) and technology & software (48 percent). The lowest usage rates are in manufacturing (25 percent), consumer products (27 percent) and entertainment & media (27 percent).
Who's got the keys?
The report is well worth reading and one item in particular really struck me: the finding that 59% of enterprises entrust their encryption keys solely to, or share them with, cloud providers! This is an extremely bad idea for two major reasons. The first is that enterprises are trusting the largely untested competency of cloud providers, and a breach at the provider will potentially expose the enterprises’ content. As we’ve seen over the past few years, service providers are not always forthcoming about the scale of breaches, and their primary interest will tend to be minimizing damage to their brand.
Second, if we’re talking about the U.S., according to Law360, when it comes to Electronically Stored Information (ESI):
Civil opponents and the government may be able to obtain ... ESI directly from the cloud-service provider, and under certain circumstances without giving the owner of the documents notice or an opportunity to control the production.
… it is worth noting that provisions of the U.S. Patriot Act allow the government to obtain information directly from cloud service providers for national security purposes. First, the Foreign Intelligence Surveillance Act (FISA) orders allow the FBI to obtain data stored in the cloud. FISA orders include a “gag” provision, which prohibits a cloud service provider from alerting its customer as to the disclosure.
Second, a national security letter (NSL) allows certain government agencies, such as the FBI, to obtain data pertaining to government investigations. With regards to cloud service providers, the government may seek limited information mostly pertaining to the length of service, the account name and subscriber information of the user. Like a FISA order, an NSL includes a “gag” provision. However, unlike a FISA order, an NSL does not require court approval, and thus may be issued directly from the government agency.
The authors of the Law360 article, Timothy M. Broas and Matthew M. Saxon of Winston & Strawn LLP, conclude with some excellent advice:
- Before placing ESI in the cloud, evaluate your risk profile. For example, trade secrets and similarly sensitive information may be safer on the company’s own servers.
- Carefully consider who your cloud provider is and whether it can provide adequate protection for your ESI.
- Consider encrypting ESI that you decide to place in the cloud.
- Before signing a cloud service agreement, negotiate certain provisions regarding ownership, access and production of your ESI.
- Ensure that you are able to put legal holds in place and extract data pursuant to e-discovery.
Note that the point about encrypting your ESI should also add “and don’t share your keys with your cloud provider!”
Enterprise encryption rush
So, the big picture is that enterprises are adopting enterprise-wide encryption strategies at an increasing rate and today some 41% of the enterprises surveyed have “extensive” encryption deployment. What’s interesting is that the acceleration in adoption of enterprise encryption strategies has been accompanied by a decrease in expenditure on encryption: up until FY12 there was a positive correlation between adoption and budgets, but thereafter the correlation has been negative. The report offers three reasons for the downward trend:
... (1) price pressure resulting from increased competition among vendors, (2) shifting priorities to other IT security solution areas and (3) more efficient use of presently available encryption tools.
The consequence of decreasing budgets and increased enterprise demand is that turnkey solutions, including public clouds, become the easiest and cheapest way to go. The risk is that unless Broas and Saxon’s advice is observed and encryption keys are not shared with cloud providers, keeping encrypted ESI secure and private may be less certain than enterprises might assume.