At ESG, we have a technology vision called "pervasive encryption." The thesis goes as follows. On the demand side, users are being driven by compliance and security concerns to secure the confidentiality and integrity of their data. To meet this challenge, they are deploying an increasing number of encryption technologies on laptops, backup tapes, networks, databases, etc. Recognizing these new requirements, supply-side vendors are adding encryption technologies to their products. This is further driven by the availability of cheap cryptographic processing hardware.
In two years or so, large organizations will have encryption technologies everywhere -- thus pervasive encryption. This has the potential to improve data security, but it could also create a security operations nightmare. Restoring data may involve multiple layers of decryption and key management. Administration of different systems may require special staff, skills, and processes. Key management systems may or may not be integrated.
Are large organizations ready for "pervasive encryption" and its ramifications? Not really. According to ESG Research, 31% of organizations still deploy encryption technologies on an ad-hoc basis, 31% are moving from an ad-hoc encryption approach to a more formal encryption strategy, and 31% already deploy/manage encryption technologies as part of a formal enterprise strategy. (Note: The remaining 8% responded "don't know" to this question.) In other words, most users are slowly moving toward a formal encryption strategy over time.
To me, this indicates that we are in a high-stakes race. If encryption technologies become pervasive before enterprises adopt a formal encryption (and key management) strategy, data security risks may actually increase as keys are mismanaged, lost, or stolen. The good news is that you will be able to tell the CEO that the data is protected. The bad news is that you'll also have to admit that someone lost the encryption keys and the data can never be recovered.
CIOs and CISOs should be on notice. Encryption is great but it needs to be deployed intelligently and managed diligently. If you haven't created a formal encryption/key management plan, you are operating on borrowed time.