ESG Market Study: Key Learnings on Operationalizing Encryption and Key Management

Nishant Singh
Published: Feb 15, 2024

Welcome to the post-COVID world order. One where the onus of organizational success is intricately tied to the actions of technology executives and the leadership they exhibit. Where every tech investment has the potential to impact the very DNA of an organization, making it better, faster, and more secure—or sometimes quite the opposite.

So, what are the decision-makers thinking? How are they planning to keep up with the swarm of new challenges in 2024 and manage the spillover from 2023?

Fortanix recently did a joint market study with Enterprise Strategy Group, where we spoke to 387 IT, compliance, DevOps, and cybersecurity professionals at organizations in North America (US and Canada) involved with encryption and data security technology and processes.

Top observations:

1. The broadening data threat landscape and the growing need for encryption

Lack of encryption is the primary reason for data loss.

We began by asking if the respondents had experienced any data loss over the last 12 months.

While 20% of them answered yes, another 26% were unsure whether they had. This means they either lack the technical sophistication to detect data loss or do not have the right tools in place.

FYI—data loss can happen in more ways than one can fathom.

For instance, the headlines over the past few years were dominated by Denial-of-Service attacks, where attackers get into an environment, encrypt the data and prevent users from accessing it and going about their usual business.

But as businesses overcome that pattern by keeping immutable backups, threat actors are now focusing on exfiltrating data and holding it hostage.

Another type of data loss is when folks get exposed to data internally that they shouldn’t have access to.

For instance, the PCI DSS regulation specifies that payment data, i.e., credit card numbers, etc., should always be encrypted, and no one should be able to see them. Even though the numbers do not leave the company, exposing them to unauthorized personnel falls under the data loss category.

2. Operational issues plague encryption deployments

Knowing where the data is and when to apply encryption is very difficult.

As we expected, 68% of the respondents cited encryption as their primary mode of data security, but when and where to apply it emerged as the top challenge.

Businesses have a plethora of data to protect, usually scattered around complex IT environments. Hyper-cloud setups where sensitive data is stored on-premises and across multiple IaaS and PaaS infrastructures and SaaS providers are the new norm. So, knowing where the data is and when to apply encryption is very difficult.

This finding ties directly into our first finding around data loss, where respondents unanimously agreed that lack of encryption is the primary reason for data loss.

3. Data security is a team sport

Security is no longer a siloed operation

Deciding what should be secured, framing the right policies, and nurturing a pro-security posture involves multiple teams across the board.

Think about it. Compliance and legal teams are an emerging part of the security puzzle. Then there is the network team, as a lot of sensitive data is in motion and needs to be encrypted and secured accordingly. Participation from business leaders is crucial to decide the definition of sensitive and non-sensitive data.

Similarly, the legal team is involved for legal reasons, and the DevOps and AppDev teams are involved because they have to implement the encryption protocols inside the applications to ensure that the data these apps access abides by proper cryptographic policies.

All of this strongly hints that data security is a team sport.

4. Cloud vs On-Prem

Increasing adoption of cloud to store sensitive data

Around half of the respondents had their sensitive data stored in the cloud, and within the next 24 months that number is expected to go up to 68%.

While the numbers clearly indicate that businesses are getting increasingly comfortable working with their data in the cloud, it’s more than a forklift move from on-prem to the cloud. In reality, as we use more cloud services, tools, and applications, we tend to need more variations of data for those cloud providers, services, and infrastructure offerings to run on.

Despite the growing cloud culture, it is very hard to remove the on-prem component from these setups completely. Even if your business is 100% cloud in terms of infrastructure, you still end up with data on the endpoint that needs to be protected, which is a big concern. Failure to make this transition has its own risks and can prevent an organization from capitalizing on the benefits of modern data management approaches, infrastructures, and analytics capabilities.

5. Complexity leads to KMS and HSM integration challenges

Challenge of integrating KMS with modern cloud and DevOps environments

Operational KMS complexities emerged as the top challenge amongst businesses embarking upon their cryptographic journey. Some operational concerns are:

  • Integrating key management into their existing environment.
  • Managing thousands and thousands of keys distributed across multiple geographic locations.
  • Integrating KMS with their API and DevOps automation tools, and further integrating applications developed in-house.

There is more!

I am sure those stats seem very interesting, but you might have multiple questions and strong opinions to share. Also, this is just the gist of what we found in the survey, and there is a lot more where these came from.

Would you want a free copy of the report?

Join industry analyst Jack Poller, Enterprise Strategy Group (ESG), and Glenn Rhodes, VP of Product Marketing, Fortanix, as they discuss the latest issues, trends, and market insights around all things data security on 21st Feb at 8 AM PDT.

Also, we will be giving away a free copy of the report after the event.

Should I count you in?
