Financial services is big on encryption. With its stringent regulations, highly sensitive data and cybercriminals looking for a vulnerability to expose, it’s no surprise. But is it reducing the amount of data is compromised? A new study from Ponemon/Thales e-Security looks at the implications of increased encryption but why it can’t be the be-all and end-all of a security strategy.
Encryption is now a payments best practice.
That’s one of the key takeaways from the latest Global Encryption Application Trends Study, which is an independent research study conducted by the Ponemon Institute and sponsored by Thales e-Security. The report tracks how various industry sectors and geographies use encryption coupled with business applications to protect their data.
Peter Galvin, Thales’ VP of strategy and marketing, said that the number of companies reporting extensive use of encryption increased by 7 percent in the 2016 study, increasing to 41 percent – the largest increase the report has seen.
“Not only are companies adopting encryption as a compliance need, which we've often seen especially in the payments industry, but as more of a best practice as well," Galvin explained.
Though the report has shown an upward trend of encryption technology usage over the years, Galvin said that this year’s results are destined for the record books.
In the financial services and payments industry, the need to comply with more stringent regulations has naturally led to higher usage rates of encryption technology. But Galvin pointed out although encryption is being adopted as a best practice across many industries, it’s especially predominant in the financial services vertical.
Locking Down Encryption Keys
Picture locking the front door of your home, only to put the key right under the welcome mat. Even though the door is locked, it’s still easy for the wrong person to get in if they can get easy access to that key.
That same concept, Galvin explained, can be applied to the importance of keys, as well as where they are stored and managed, to the payments industry's encryption practices.
If encryption keys are not well protected, then the encrypted data itself is still vulnerable.
The interesting thing about there being an overall increase in deployments of encryption is that the adoption of the technology also comes with its own set of challenges.
John Grimm, Thales’ senior director of security strategy, observed that “as people start to use encryption more, they also start to struggle with the problem of managing all the keys associated with encryption.”
Though it may seem like a no-brainer for a company to use encryption, typically the difficulties that come with securing and managing encryption keys can provide significant barriers to adoption.
"If a financial institution is using a limited number of keys across a wide range of applications, they’re exposing themselves to more risk and on the flip side, if we divide it up too much there are too many keys to manage,” Grimm explained.
“A lot of organizations just don't have the manpower, expertise and enough familiarity with some of the tools out there to help do that.”
Key management pain is an ongoing theme — one that typically tops the list of encryption challenges — that’s been expressed by companies over the years.
The Encryption Learning Curve
What Grimm describes as a “ray of hope” in the research when it comes to issues with encryption key management is that the pain level typically decreased for companies utilizing automated tools or hardware security modules (HSMs).
These purpose-driven devices are designed to protect encryption keys and perform crypto operations, ultimately eliminating the need for manually tracking their keys.
But those using HSMs aren’t just feeling the burden lifted when it comes to key management pain, they are also receiving additional benefits that come with automation.
Grimm said that with the introduction of HSMs, organizations can let go of having notes on paper, using spreadsheets or whatever means they may have used to manage keys in a more manual way.
“[HSMs] also lets you lay in a policy on how long keys should be used, who should be able to access them, and who should be in control of the applications that are drawing services from the module,” he added.
“They bring some order to what is becoming an increasingly chaotic type of a situation in enterprises.”
With technology enabling highly sensitive data to be moved to even more places, organizations typically have many different products and applications that are doing encryption and numerous management processes for the subsequent keys.
Not only do companies typically lack consistency in the management of their keys, Grimm explained, but they also deal with a huge operational problem because they usually don't have the expertise in-house to go and operate encryption across all the different products.
But in an industry like financial services, it seems that companies are well ahead of the encryption learning curve.
The research study showed that in highly regulated industries like commerce and finance, those heavy encryption users came out with lower key management pain.
A heavier use of automated tools like HSMs, as well as being more advanced and mature in how they deal with the management of keys, has resulted in the financial services sector having a greater maturity when it comes to using encryption services, Grimm noted.
“If you're not using encryption too much you're certainly not going to feel a lot of encryption or key management pain, as you go up the curve and use it more you're going to feel more,” he explained.
And like with any curve, the encryption key management pain drops as a company moves down the other side of the curve and applies effective tools to manage their encryption like HSMs.
“You can follow those trends through the more mature industries, while the ones that are a little further behind still feel the pain because they haven't quite figured out how to use the tools in the most advantageous way," Grimm said.
The Strategic Factor
Those industries with the greatest concerns about employee and consumer data – such as financial services and health care – are shown in the report to be leading the way in encryption adoption.
With heavier data requirements and increased compliance and regulation pressure, these sections are expected to rise higher on the security scale.
Though organizations in the more mature encryption industries are known to deploy their measures more consistently, they also demand more control over their encryption keys and may lack trust in newer services that utilize the cloud for storage and management.
"We are always careful to say that encryption doesn't solve all the security problems in the world, it's just yet another layer in the strategy but it's a valuable layer today, because data is going so many different places and encryption is a protection that basically follows the data," Grimm noted.
This year’s report showed that employee and HR data is actually being encrypted at a higher rate than any other type of data, even beating out financial and credit card data.
This higher sensitivity to the personal data of individuals has caused many organizations to implement more layers of control. Grimm said this continues to drive people back to encryption because it is much more data-centric and is designed to follow the data around.
As data continues to disperse and the amount of sensitive data needing adequate protection increases, the market for encryption may continue its significant upward swing.
"We see a lot of organizations trying to get a handle on all the places their data is going – making sure they don't encrypt and protect data really well in one place, but leave it exposed in two or three other places and sort of shoot themselves in the foot,” Grimm emphasized.
Peter Galvin, VP of Strategy & Marketing, Thales e-Security
Peter is a product and marketing strategist for Thales e-Security with over two decades of experience in the high tech industry. He has worked for Oracle, Inktomi, Openwave, Proofpoint, and SOASTA.
John Grimm, Senior Director Product Marketing, Thales e-Security
John Grimm has over 25 years of experience in the information security field, starting as a systems and firmware engineer building secure cryptographic key distribution systems for government applications, and progressing through product management, solution development, and marketing leadership roles. He received his bachelor's degree in electrical engineering from Worcester Polytechnic Institute in Worcester, Mass., and is a member of Tau Beta Pi, the engineering honor society.