Actual Functions of Encryption—Why All the Confusion?
There’s a fair amount of confusion and misconception in the industry surrounding encryption services. Considering that breaches have become the norm and businesses with sensitive data are forever scrambling to keep up with new vulnerabilities, it’s not surprising that people who do not have expertise with security aren’t correctly interpreting encryption. Ultimately, encryption is an extremely powerful, final security measure against data breaches that empowers you to meet security requirements and protect critical assets.
On the bright side, new developments in encryption applications are making the practice easier to understand and implement. The idea that encryption is an extremely high-tech, elaborate process is starting to be broken down, but a few misconceptions remain.
Top Encryption Myths
According to Peak 10’s Encryption Research Study, the following are common misunderstandings about encryption among organizations from all industries, as well as the reality:
Some form of encryption is built into my company’s infrastructure, so we’re in compliance.
This is probably the most common misunderstanding. Many organizations believe that since some form of encryption has been built into the infrastructure, compliance requirements for security are met by default. One Peak 10 expert says, “We’ve seen a lot of companies who have incorporated disparate and proprietary encryption deployments that may or may not meet compliance requirements. This results in segmented systems that vary in complexity and are not unified in their management.” The existence of encryption in your environment does not automatically mean your company meets compliance requirements related to data access control. Working with a qualified auditor will help you determine which systems and processes are truly compliant and which are not.
Full disk encryption (FDE) satisfies compliance requirements.
FDE was designed for end user device encryption such as laptops. Regarding a storage array, once the disk is powered on and the first user accesses data, the data on the disk is fully accessible. Therefore, the data is only protected when it is powered off. FDE primarily protects against physical theft of the disk but may not protect against other threats.
Encrypting data in transit will adequately protect our organization’s sensitive data.
It’s important to encrypt your data in transit, which most companies do well with varying types of encrypted communication like TLS (Transport Layer Security); however, the majority of breaches involve data at rest, that is, data stored on a disk. This is the data that most often goes unprotected. An encryption strategy for business-critical data at rest is critical.
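The two preceding myths make a single technical point: on a running system, full disk encryption decrypts transparently for every process that can read the filesystem, so the file a breached application or compromised account reads is plaintext; encryption applied at the application or record layer keeps the stored bytes ciphertext even while the volume is mounted. The following Go program is an added example written for this article, not Peak 10's code or a recommendation of any particular product. It uses the standard library's AES-256-GCM to seal a constructed customer record, writes both the FDE-style plaintext file and the application-encrypted file to a temporary directory, and reports whether a reader of the mounted filesystem can find the sensitive value in each. The record layout, the field names and the fixed key are all assumptions for the demonstration; in a real deployment the data key would come from a key-management service or HSM, which is out of scope here.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// sealRecord encrypts one record with AES-256-GCM and binds the record ID as
// associated data, so a ciphertext copied into another customer's row fails
// authentication. Output layout: nonce || ciphertext+tag.
func sealRecord(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // key must be 32 bytes for AES-256
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // fresh random nonce per record
		return nil, err
	}
	return append(nonce, gcm.Seal(nil, nonce, plaintext, []byte(recordID))...), nil
}

// openRecord reverses sealRecord; it fails if the key, the stored bytes or the
// record ID used as associated data do not match.
func openRecord(key []byte, recordID string, stored []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(stored) < gcm.NonceSize() {
		return nil, errors.New("stored blob shorter than a nonce")
	}
	nonce, ct := stored[:gcm.NonceSize()], stored[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(recordID))
}

// storeAndRead writes data to a file and reads it back, standing in for any
// process on the running host that has read access to the mounted volume.
func storeAndRead(dir, name string, data []byte) ([]byte, error) {
	path := filepath.Join(dir, name)
	if err := os.WriteFile(path, data, 0o600); err != nil {
		return nil, err
	}
	return os.ReadFile(path)
}

// Demo returns (fdeExposed, appLayerExposed): whether a filesystem reader can
// find the constructed sensitive value in the FDE-only file and in the
// application-encrypted file respectively.
func Demo(key []byte) (bool, bool, error) {
	dir, err := os.MkdirTemp("", "atrest")
	if err != nil {
		return false, false, err
	}
	defer os.RemoveAll(dir)

	// Constructed sample record; every value here is made up for the example.
	const recordID = "C-1001"
	secret := []byte("CustomerID=" + recordID + ";CardLast4=4242;Notes=VIP")
	marker := []byte("4242")

	// FDE model: the volume decrypts transparently once mounted, so what the
	// application writes, and what any other process reads, is plaintext.
	onDiskFDE, err := storeAndRead(dir, "fde.rec", secret)
	if err != nil {
		return false, false, err
	}

	// Application-layer model: the record is sealed before it touches storage.
	sealed, err := sealRecord(key, recordID, secret)
	if err != nil {
		return false, false, err
	}
	onDiskApp, err := storeAndRead(dir, "app.rec", sealed)
	if err != nil {
		return false, false, err
	}

	// The authorized application can still recover the record with the key...
	back, err := openRecord(key, recordID, onDiskApp)
	if err != nil || !bytes.Equal(back, secret) {
		return false, false, errors.New("authorized decryption failed")
	}
	// ...while the same blob under a different record ID is rejected.
	if _, err := openRecord(key, "C-2002", onDiskApp); err == nil {
		return false, false, errors.New("associated data was not enforced")
	}
	return bytes.Contains(onDiskFDE, marker), bytes.Contains(onDiskApp, marker), nil
}

func main() {
	key := make([]byte, 32) // fixed zero key for the demo only; never do this in production
	fde, app, err := Demo(key)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("sensitive value readable on mounted volume: FDE-only=%v, app-layer=%v\n", fde, app)
}
```

Run it with `go run .`; the FDE-only file exposes the value and the application-encrypted file does not, which is the gap the article describes when a disk is powered on and already in use. Binding the record ID as GCM associated data is a design choice that closes a second, less obvious hole: an attacker with write access to the store cannot swap ciphertexts between rows without the decryption failing, so the integrity check surfaces tampering rather than returning someone else's data.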
Our Encryption as a Service provider meets compliance requirements, thus by extension, so do we.
Many organizations believe that service providers with security and compliance programs absolve them of the need to develop a strong compliance practice, but this is not the case—your business is still very much responsible for the details of your security program. Be careful not to confuse your provider’s meeting its requirements as you meeting yours. Your provider may meet a segment of an overarching security requirement, but it is your company’s responsibility to protect proprietary and customer data.
Finding the Right Encryption as a Service Provider
The safest tactic for proper implementation of encryption is working with an experienced, reputable partner who can help you understand which measures are sufficient for covering your unique regulatory encryption needs, as well as maximizing the security of your data.
When talking to possible partners about implementing an encryption practice that will work for your business, look for the following:
Proven security expertise
Not all service providers take a security-by-design approach to IT services and to software and hardware development. It’s important to work with a partner who emphasizes building security into products, rather than treating it as an afterthought. Working with a third party who does not have a specific program for security will not yield the best results for your business in the long run.
Strong compliance program
Does your prospective partner have a team for compliance? Cloud services that already meet HIPAA and PCI DSS standards, for example, will help you meet your security needs (but don’t forget, you’re ultimately still responsible for compliance; a provider cannot shoulder that obligation on behalf of your business). Look for a partner who has compliance experts in-house and can take a consultative approach to building out a strategy that will complement your industry and government regulatory obligations.
Specific competency in encryption
Many third-party providers can manage your IT and may even have considerable security expertise, but experience in security isn’t much help without specific experience with encryption. If your service provider has a security program but doesn’t offer encryption, you may receive the recommendation to implement encryption, yet be left to figure out how to take on the project yourself.
Implementing encryption as a critical component of your security strategy is key to keeping pace with changing risks. The security team at Peak 10 cannot stress it enough: all organizations with sensitive data must encrypt it; the risk of breach is too high to leave to chance. When in doubt, encrypt.
The Peak 10 Encryption Video Series
The outcomes of Peak 10’s Encryption Study generated a great deal of feedback from your IT security peers on regulatory pressures, perceived criticality of encryption, and various methods of encryption.
To help present the findings, we developed a five-part Encryption Video Series so your security team and IT decision makers can learn more about how encryption can protect your critical data and foster business value.
Peak 10 experts are always available to discuss your business’ security needs and help you figure out whether encryption is necessary, what method is best and how to implement it. If your security team has any questions related to encryption, please feel free to get in touch by visiting www.peak10.com/contact-us or calling 866-473-2510.