
GLOBAL ENCRYPTION TRENDS STUDY
April 2018

PONEMON INSTITUTE© RESEARCH REPORT


TABLE OF CONTENTS

PART 1. EXECUTIVE SUMMARY 3
PART 2. KEY FINDINGS 6
  Strategy and adoption of encryption 6
  Trends in encryption adoption 8
  Threats, main drivers and priorities 9
  Deployment choices 10
  Encryption features considered most important 11
  Attitudes about key management 12
  Importance of hardware security modules (HSMs) 15
  Budget allocations 19
  Cloud encryption 20
APPENDIX 1. METHODS & LIMITATIONS 22
APPENDIX 2. CONSOLIDATED FINDINGS 25

OUR SPONSORS
Sponsored by nCipher Security
GEOBRIDGE
INDEPENDENTLY CONDUCTED BY PONEMON INSTITUTE LLC
PART 1. EXECUTIVE SUMMARY
Ponemon Institute is pleased to present the findings of the 2018 Global Encryption
Trends Study,1 sponsored by nCipher Security. We surveyed 5,252 individuals
across multiple industry sectors in 12 countries: Arabia (which is a combination of
respondents located in Saudi Arabia and the United Arab Emirates)2, Australia,
Brazil, France, Germany, India, Japan, Mexico, the Russian Federation, the
United Kingdom, the United States and, for the first time, South Korea (hereafter
referred to as Korea).

The purpose of this research is to examine how the use of encryption has evolved over the past 13 years and the impact of this technology on the security posture of organizations. The first encryption trends study was conducted in 2005 for a US sample of respondents.3 Since then we have expanded the scope of the research to include respondents in all regions of the world. Presented below are the 2018 findings.

Strategy and adoption of encryption

As shown in Figure 1, more organizations represented in this research continue to recognize the importance of having an encryption strategy, either an enterprise-wide (43 percent of respondents) strategy or a limited plan that targets certain applications and data types (44 percent of respondents).

Figure 1. Does your company have an encryption strategy? (Bars for FY15, FY16 and FY17 for three answers: an overall encryption plan or strategy that is applied consistently across the entire enterprise; a limited encryption plan or strategy that is applied to certain applications and data types; no encryption plan or strategy.)

Enterprise-wide encryption strategies increase. Since conducting this study 13 years ago, there has been a steady increase in organizations with an encryption strategy applied consistently across the entire enterprise. In turn, there has been a steady decline in organizations not having an encryption plan or strategy. The results have essentially reversed over the years of the study.

Certain countries have more mature encryption strategies. The highest prevalence of an enterprise encryption strategy is reported in Germany followed by the US and Japan. Respondents in Mexico, Russian Federation, Arabia, Brazil and Australia report the lowest adoption of an enterprise encryption strategy.

IT operations function is the most influential in framing an organization’s encryption strategy. However, in some countries lines of business are more influential. These are the United States, Australia and Mexico. IT security and IT operations have a similar level of influence in the United States, Australia and Mexico.

1 This year’s data collection was completed in January 2018. Throughout the report we present trend data based on the fiscal year (FY) the survey commenced rather than
the year the report is finalized. Hence, our most current findings are presented as FY17. The same dating convention is used in prior years.
2 Country-level results are abbreviated as follows: Arabian cluster (AB), Australia (AU), Brazil (BZ), France (FR), Germany (DE), India (IN), Japan (JP), Korea (KO), Mexico
(MX), Russia (RF), United Kingdom (UK), and United States (US).
3 The trend analysis shown in this study was performed on combined country samples spanning 13 years (since 2005).



The use of encryption increases in all industries. We looked at the extensive usage of encryption solutions for 10 industry sectors over seven years. Results suggest a steady increase in all industry sectors. The most significant increases in extensive encryption usage occur in healthcare & pharmaceutical, retail and financial services.

43% of organizations now have a consistent, enterprise-wide encryption strategy

Threats, main drivers and priorities

Employee mistakes are the most significant threat to sensitive data. In contrast, the least significant threats to the exposure of sensitive or confidential data include government eavesdropping and lawful data requests. Concerns over inadvertent exposure (employee mistakes and system malfunction) significantly outweigh concerns over actual attacks by temporary workers and malicious insiders. It is interesting to note that the employee mistake threat is almost equal to the combined threat by both hackers and insiders.

The main driver for encryption is protection of information against identified threats. Organizations are using encryption to protect information against specific, identified threats (54 percent of respondents). The most critical information is the enterprise’s intellectual property and the personal information of customers (52 percent and 50 percent of respondents, respectively). Compliance with regulations remains a significant driver for encryption, according to 49 percent of respondents.

A barrier to a successful encryption strategy is the ability to discover where sensitive data resides in the organization. Sixty-seven percent of respondents say discovering where sensitive data resides in the organization is the number one challenge. This challenge has come into focus as compliance activities driven by GDPR and other privacy regulations have increased. In addition, 44 percent of all respondents cite initially deploying encryption technology as a significant challenge. Thirty-four percent cite classifying which data to encrypt as difficult.

Deployment choices

No single encryption technology dominates in organizations. Organizations have very diverse needs. Internet communications, databases and laptop hard drives are the most likely to be encrypted and correspond to mature use cases. For the first time, the study tracked the deployment of encryption on IoT devices and platforms. Forty-nine percent of respondents say IoT encryption has been at least partially deployed on both IoT devices and IoT platforms.

Encryption features considered most important

Certain encryption features are considered more critical than others. According to consolidated findings, system performance and latency, enforcement of policy and support for both cloud and on-premise deployment are the three most important features. Support for both cloud and on-premise deployment has risen in importance as organizations have increasingly embraced cloud computing and look for consistency across computing styles.

Which data types are most often encrypted? Payment related data and human resource data are most likely to be encrypted – which emphasizes the fact that encryption has now moved into the realm where it needs to be addressed by companies of all types. The least likely data type to be encrypted is health-related information, which is a surprising result given the sensitivity of health information and recent high profile healthcare data breaches. Healthcare information did, however, have the largest increase on this list over last year.

Attitudes about key management

How painful is key management? Fifty-seven percent of respondents rate key management as very painful. The average percentage in all country samples is 57 percent, which suggests respondents view managing keys as a very challenging activity. The highest percentage pain threshold of 65 percent occurs in India. At 33 percent, the lowest pain level occurs in Russia.

Companies continue to use a variety of key management systems. Although the use of manual key management processes continues to decrease, manual processes continue to be the most common form of key management system. The next most commonly deployed systems are formal key management policy and formal key management infrastructure (KMI).



Importance of hardware security modules (HSMs)

Germany, US and Japan organizations are more likely to deploy HSMs. Germany, US and Japan are more likely to deploy HSMs for their organization’s key management activities than other countries. The overall average deployment rate for HSMs is 41 percent.

How HSMs in conjunction with public cloud-based applications are primarily deployed today and in the next 12 months. Forty-seven percent of respondents own and operate HSMs on-premise for cloud-based applications, and 36 percent of respondents rent/use HSMs from a public cloud provider for the same purpose. In the next 12 months, both figures will increase, by 6 and 5 percent respectively. Interestingly, the use of HSMs with Cloud Access Security Brokers is expected to double in the next 12 months.

The overall average importance rating for HSMs, as part of an encryption and key management strategy, in the current year is 57 percent. The pattern of responses suggests Germany, India, US and Japan are most likely to assign importance to HSMs as part of their organization’s encryption or key management activities.

What best describes an organization’s use of HSMs? Sixty-one percent of respondents say their organization has a centralized team that provides cryptography as a service (including HSMs) to multiple applications/teams within their organization (i.e., private cloud model). Thirty-nine percent say each individual application owner/team is responsible for their own cryptographic services (including HSMs), indicative of the more traditional siloed application-specific data center deployment approach. More respondents indicate the centralized approach in this year’s study as compared to last year’s.

What are the primary purposes or uses for HSMs? The two top uses are SSL/TLS and application-level encryption, followed by database encryption. The most significant increases predicted for the next 12 months, according to respondents, are SSL/TLS, database encryption and payment transaction processing. It is significant to note that HSM use for SSL/TLS will soon be deployed in 50 percent of the organizations represented in this study.

Budget allocations

The proportion of IT spending dedicated to security activities, including encryption, is increasing over time. According to the findings, 10.6 percent of the IT budget goes to IT security activities and 12.3 percent of the IT security budget goes to encryption activities.

Cloud encryption

Sixty-one percent of respondents say their organizations transfer sensitive or confidential data to the cloud whether or not it is encrypted or made unreadable via some other mechanism such as tokenization or data masking. Another 21 percent of respondents expect to do so in the next one to two years. These findings indicate the benefits of cloud computing outweigh the risks associated with transferring sensitive or confidential data to the cloud.

How do organizations protect data at rest in the cloud? Forty-seven percent of respondents say encryption is performed on-premise prior to sending data to the cloud using keys their organization generates and manages. However, 38 percent of respondents perform encryption in the cloud, with cloud provider generated/managed keys. Twenty-one percent of respondents are using some form of Bring Your Own Key (BYOK) approach.

What are the top three cloud encryption features? When asked specifically about features associated with cloud encryption, respondents list (1) support for the KMIP standard for key management (66 percent of respondents), (2) SIEM integration and visualization and analysis of logs (62 percent of respondents) and (3) granular access controls (60 percent of respondents). This indicates a growing recognition of the importance of standards-based cloud key management and specifically support for KMIP.

61% of respondents are using more than one public cloud provider
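The first of the three data-at-rest models above, encrypting on-premise with keys the organization generates and manages before anything is sent to the cloud, is usually built as envelope encryption: each object gets its own data-encryption key (DEK), and only a wrapped copy of that DEK travels with the ciphertext, while the key-encryption key (KEK) stays inside the organization (in an HSM in practice). The Go program below is an added example written for this edit, not code from the report or from its sponsors. It assumes a 32-byte AES key held in memory as a stand-in for an HSM-resident KEK, uses AES-256-GCM for both layers, and constructs its own sample object and key bytes.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is the only thing handed to the cloud provider: the object ciphertext
// plus the data-encryption key (DEK) wrapped under the organization's
// key-encryption key (KEK). The KEK itself never leaves the organization.
type Envelope struct {
	Nonce      []byte // nonce for the object ciphertext
	Ciphertext []byte // AES-256-GCM ciphertext of the object
	WrapNonce  []byte // nonce for the wrapped DEK
	WrappedDEK []byte // DEK encrypted under the KEK
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return nil, err
	}
	return b, nil
}

// SealOnPremise encrypts plaintext under a fresh random DEK, then wraps that DEK
// under kek. objectName is authenticated as associated data on both layers, so a
// wrapped DEK copied from one stored object cannot be replayed against another.
func SealOnPremise(kek []byte, objectName string, plaintext []byte) (*Envelope, error) {
	dek, err := randomBytes(32)
	if err != nil {
		return nil, err
	}
	dataAEAD, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	nonce, err := randomBytes(dataAEAD.NonceSize())
	if err != nil {
		return nil, err
	}
	kekAEAD, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	wrapNonce, err := randomBytes(kekAEAD.NonceSize())
	if err != nil {
		return nil, err
	}
	ad := []byte(objectName)
	return &Envelope{
		Nonce:      nonce,
		Ciphertext: dataAEAD.Seal(nil, nonce, plaintext, ad),
		WrapNonce:  wrapNonce,
		WrappedDEK: kekAEAD.Seal(nil, wrapNonce, dek, ad),
	}, nil
}

// OpenOnPremise unwraps the DEK with kek and decrypts the object. Both GCM tags
// are verified, so a wrong KEK, a swapped object name or a modified envelope fails.
func OpenOnPremise(kek []byte, objectName string, env *Envelope) ([]byte, error) {
	kekAEAD, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	ad := []byte(objectName)
	dek, err := kekAEAD.Open(nil, env.WrapNonce, env.WrappedDEK, ad)
	if err != nil {
		return nil, errors.New("wrapped DEK failed authentication: wrong KEK or tampered envelope")
	}
	dataAEAD, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	return dataAEAD.Open(nil, env.Nonce, env.Ciphertext, ad)
}

// ProviderCanRead models the cloud side: the provider holds the envelope and
// whatever key material it has (candidate), but not the organization's KEK.
func ProviderCanRead(candidate []byte, objectName string, env *Envelope) bool {
	_, err := OpenOnPremise(candidate, objectName, env)
	return err == nil
}

func main() {
	kek := bytes.Repeat([]byte{0x11}, 32) // constructed sample KEK; HSM-held in practice
	env, err := SealOnPremise(kek, "hr/payroll.csv", []byte("constructed sample HR record"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored in cloud: %d ciphertext bytes, %d wrapped-key bytes\n", len(env.Ciphertext), len(env.WrappedDEK))
	providerKey := bytes.Repeat([]byte{0x22}, 32) // constructed: a key the provider might hold
	fmt.Println("provider can read with its own key:", ProviderCanRead(providerKey, "hr/payroll.csv", env))
	pt, _ := OpenOnPremise(kek, "hr/payroll.csv", env)
	fmt.Println("organization recovers:", string(pt))
}
```

The provider stores only the envelope; without the KEK it can neither unwrap the DEK nor read the object, which is the property the 47 percent of respondents in this model rely on. The provider-managed and BYOK models differ only in where the KEK lives: generated by the provider's key service, or generated on-premise and then imported into it, so in both cases the same envelope is openable on the provider side.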



PART 2. KEY FINDINGS
In this section, we provide a deeper analysis of the key findings. The complete
audited findings are presented in the Appendix of the report. We have organized
the report according to the following themes.

• Strategy and adoption of encryption
• Trends in adoption of encryption
• Threats, main drivers and priorities
• Deployment choices
• Encryption features considered most important
• Attitudes about key management
• Importance of hardware security modules (HSMs)4
• Budget allocations

Strategy and adoption of encryption

Enterprise-wide encryption strategies increase. Since first conducting this study 13 years ago, there has been a steady
increase in organizations with an encryption strategy applied consistently across the entire enterprise. In turn, there has been a
steady decline in organizations not having an encryption plan or strategy. The results have essentially reversed over the years of
the study. Figure 2 shows these changes over time.

Figure 2. Trends in encryption strategy
Country samples are consolidated. Two series plotted from FY05 to FY17: "Company has an encryption strategy applied consistently across the entire enterprise" (labelled 15% at the start of the series and 43% in FY17) and "Company does not have an encryption strategy" (labelled 38% at the start of the series and 13% in FY17).

4 HSMs are devices specifically built to create a tamper-resistant environment in which to perform cryptographic processes (e.g., encryption or digital signing) and to
manage the keys associated with those processes. These devices are used to protect critical data processing activities and can be used to strongly enforce security
policies and access controls. HSMs are typically validated to formal security standards such as FIPS 140-2.



Certain countries have more mature encryption strategies. According to Figure 3, the prevalence of an enterprise encryption
strategy varies among the countries represented in this research. The highest prevalence of an enterprise encryption strategy
is reported in Germany followed by the United States, the United Kingdom and Japan. Respondents in Mexico, Russian
Federation, Arabia, Brazil and Australia report the lowest adoption of an enterprise encryption strategy.

Figure 3. Differences in enterprise encryption strategies by country
Bars for US, UK, DE, FR, AU, JP, BZ, RF, IN, MX, AB and KO showing the percentage answering "We have an overall encryption plan or strategy that is applied consistently across the entire enterprise", with an average line. Country values range from 30% to 67%.

Figure 4 shows that the IT operations function is the most influential in framing an organization’s encryption strategy over the past
13 years. However, in some countries lines of business are more influential. These are the United States, Australia and Mexico.
IT security and IT operations have a similar level of influence in the United States, Australia and Mexico.

A possible reason why the lines of business are more influential than IT security is because of the growing adoption of Internet of
Things (IoT) devices in the workplace, proliferation of employee-owned devices or BYOD and the general consumerization of IT.
A consequence is that lines of business are required to be more accountable for the security of these technologies.

Figure 4. Influence of IT operations, lines of business and security
Country samples are consolidated. Bars for US, UK, DE, FR, AU, JP, BZ, RF, IN, MX, AB and KO with three series: IT operations, Lines of business, Security.



Trends in encryption adoption

The extensive use of encryption technologies increases. Since we began tracking the enterprise-wide use of encryption in
2005, there has been a steady increase in the encryption solutions extensively used by organizations.5

Figure 5 summarizes enterprise-wide usage consolidated for various encryption technologies over 13 years. This continuous
growth in enterprise deployment suggests encryption is important to an organization’s security posture. Figure 6 also shows the
percentage of the overall IT security budget dedicated to encryption-related activities.

The patterns for deployment and budget show a positive correlation through FY13 and an inverse relationship through FY17. We
postulate three reasons for this downward trend: (1) price pressure resulting from increased competition among vendors, (2)
shifting priorities to other IT security solution areas and (3) more efficient use of presently available encryption tools.

Figure 5. Trend on the extensive use of encryption technologies
Country samples are consolidated. Two series plotted from FY05 to FY17: "Extensive deployment of encryption" and "IT security budget earmarked for encryption". Labelled values on the chart range from 10% to 43%.

The use of encryption increases in all industries. Figure 6 shows the current year and the six-year average in the use of
encryption solutions for 10 industry sectors. Results suggest a steady increase in all industry sectors. The most significant
increases in extensive encryption usage occur in healthcare & pharmaceutical, retail and financial services.

Figure 6. The extensive use of encryption by industry: current year versus 6-year average
Country samples are consolidated. Average of 13 encryption categories (6-year consolidation / FY17)

Financial services: 50% / 60%
Healthcare & pharma: 42% / 55%
Services: 44% / 50%
Tech & software: 42% / 49%
Retail: 31% / 42%
Transportation: 39% / 41%
Public sector: 30% / 39%
Hospitality: 29% / 35%
Manufacturing: 24% / 33%
Consumer products: 26% / 27%

5 The combined sample used to analyze trends is explained in Appendix 1.



Threats, main drivers and priorities

Employee mistakes are the most significant threats to sensitive data. Figure 7 shows that the most significant threats to the
exposure of sensitive or confidential data are employee mistakes.

In contrast, the least significant threats to the exposure of sensitive or confidential data include government eavesdropping and
lawful data requests. Concerns over inadvertent exposure (employee mistakes and system malfunction) significantly outweigh
concerns over actual attacks by temporary or contract workers and malicious insiders. It is interesting to note that the employee
mistake threat is almost equal to the combined threat by both hackers and insiders.

Figure 7. The most salient threats to sensitive or confidential data
Consolidated country samples. More than one choice permitted

Employee mistakes 47%
System or process malfunction 31%
Hackers 30%
Temporary or contract workers 22%
Malicious insiders 22%
Third party service providers 19%
Government eavesdropping 17%
Lawful data request (e.g., by police) 12%

The main driver for encryption is protection of information against identified threats. Eight drivers for deploying encryption
are presented in Figure 8. Organizations are using encryption to protect information against specific, identified threats (54
percent of respondents). The most critical information is the enterprise’s intellectual property and the personal information of
customers (52 percent and 50 percent of respondents, respectively).

This marks the first year that compliance with regulations has not been the top driver for encryption, indicating that encryption is
less of a “checkbox” exercise and is now used to safeguard targeted critical information.

Figure 8. The main drivers for using encryption technology solutions
Country samples are consolidated. Three responses permitted

To protect information against specific, identified threats 54%
To protect enterprise intellectual property 52%
To protect customer personal information 50%
To comply with external privacy or data security regulations and requirements 49%
To limit liability from breaches or inadvertent disclosure 32%
To reduce the scope of compliance audits 29%
To comply with internal policies 21%
To avoid public disclosure after a data breach occurs 14%



A barrier to a successful encryption strategy is the ability to discover where sensitive data resides in the organization.
Figure 9 provides a list of six aspects that present challenges to the organization’s effective execution of its data encryption
strategy in descending order of importance. Sixty-seven percent of respondents say discovering where sensitive data resides
in the organization is the number one challenge. In addition, 44 percent of all respondents cite initially deploying encryption
technology as a significant challenge. Thirty-four percent cite classifying which data to encrypt as difficult.

Figure 9. Biggest challenges in planning and executing a data encryption strategy
Country samples are consolidated. More than one choice permitted

Discovering where sensitive data resides in the organization 67%
Initially deploying the encryption technology 44%
Classifying which data to encrypt 34%
Ongoing management of encryption and keys 29%
Training users to use encryption appropriately 13%
Determining which encryption technologies are most effective 13%

Deployment choices

No single encryption technology dominates in organizations. We asked respondents to indicate if specific encryption
technologies are widely or only partially deployed within their organizations. “Extensive deployment” means that the encryption
technology is deployed enterprise-wide. “Partial deployment” means the encryption technology is confined or limited to a
specific purpose (a.k.a. point solution).

As shown in Figure 10, no single technology dominates because organizations have very diverse needs. Internet
communications, databases and laptop hard drives are the most likely to be encrypted and correspond to mature use cases.
Encryption extensively used with public cloud services grew significantly year-over-year (11 percent).

For the first time, the study tracked the deployment of encryption on IoT devices and platforms. As shown, 49 percent of
respondents say IoT encryption has been at least partially deployed for devices and platforms.

Figure 10. Consolidated view on the use of 15 encryption technologies
Country samples are consolidated (extensively deployed / partially deployed)

Internet communications (e.g., SSL): 63% / 25%
Databases: 63% / 24%
Laptop hard drives: 58% / 22%
Backup and archives: 54% / 26%
Internal networks (e.g., VPN/LPN): 48% / 33%
Data center storage: 43% / 30%
Cloud gateway: 43% / 30%
Public cloud services: 39% / 35%
File systems: 38% / 31%
Email: 38% / 35%
Private cloud infrastructure: 34% / 29%
Big data repositories: 28% / 24%
Internet of Things (IoT) devices: 26% / 23%
Internet of Things (IoT) platforms: 25% / 24%
Docker containers: 20% / 29%



Encryption features considered most important

Certain encryption features are considered more critical than others. Figure 11 lists encryption technology features. Each
percentage defines the very important response (on a four point scale). Respondents were asked to rate encryption technology
features considered most important to their organization’s security posture.

According to consolidated findings, system performance and latency, enforcement of policy and support for both cloud and
on-premise deployment are the three most important features. The performance finding is not surprising given that encryption in
networking is a prominent use case, as well as the often emphasized requirement for transparency of encryption solutions.

Support for both cloud and on-premise deployment has risen in importance as organizations have increasingly embraced cloud
computing and look for consistency across computing styles. In fact, the top findings in this area all correspond to features
considered important for cloud solutions.

Figure 11. Most important features of encryption technology solutions
Country samples are consolidated. Very important and Important responses combined. Two values are shown per feature, one for FY16 and one for FY17.

System performance and latency: 74%, 78%
Enforcement of policy: 71%, 72%
Support for cloud and on-premise deployment: 69%, 71%
System scalability: 66%, 68%
Management of keys: 68%, 68%
Integration with other security tools (e.g., SIEM and ID management): 64%, 64%
Support for emerging algorithms (e.g., ECC): 65%, 59%
Formal product security certifications (e.g., FIPS 140): 56%, 56%
Separation of duties and role-based controls: 54%, 54%
Support for multiple applications or environments: 55%, 52%
Tamper resistance by dedicated hardware (e.g., HSM): 55%, 50%
Support for regional segregation (e.g., data residency): 43%, 44%

“ENCRYPTION EXTENSIVELY USED WITH PUBLIC CLOUD SERVICES GREW SIGNIFICANTLY YEAR-OVER-YEAR (11%).”

Which data types are most often encrypted? Figure 12 provides a list of seven data types that are routinely encrypted by
respondents’ organizations. As can be seen, payment related data and human resource data are most likely to be encrypted
– the latter of which emphasizes the fact that encryption has now moved into the realm where it needs to be addressed by
companies of all types.

The least likely data type to be encrypted is health-related information, which is a surprising result given the sensitivity of health
information and the recent high profile healthcare data breaches. Healthcare information had the largest increase on this list
over last year.

Figure 12. Data types routinely encrypted
Country samples are consolidated. More than one choice permitted (FY16 / FY17)

Payment related data: 56% / 54%
Employee/HR data: 61% / 53%
Intellectual property: 47% / 52%
Financial records: 49% / 50%
Customer information: 40% / 43%
Healthcare information: 19% / 26%
Non-financial business information: 32% / 26%

Attitudes about key management

How painful is key management? Using a 10-point scale, respondents were asked to rate the overall “pain” associated with
managing keys within their organization, where 1 = minimal impact to 10 = severe impact. Figure 13 shows that 57 (24+33)
percent of respondents in FY17 chose ratings at or above 7; thus, suggesting a fairly high pain threshold.

Figure 13. Rating on the overall impact, risk and cost associated with managing keys
Country samples are consolidated. Grouped bars for FY15, FY16 and FY17 over the rating bins 1 or 2, 3 or 4, 5 or 6, 7 or 8 and 9 or 10. The FY17 values for the 7 or 8 and 9 or 10 bins are 24% and 33%.



Figure 14 shows the 7+ ratings on a 10-point scale for each country. As can be seen, the average percentage in all country
samples is 57 percent, which suggests respondents view managing keys as a very challenging activity. The highest percentage
pain threshold of 65 percent occurs in India. At 33 percent, the lowest pain level occurs in Russia.

Figure 14. Percentage “pain threshold” by country
Percentage 7 to 10 rating on a 10-point scale. Bars for US, UK, DE, FR, AU, JP, BZ, RF, IN, MX, AB and KO showing the 7 to 10 (high) rating, with an average line. Country values range from 33% to 65%.

Why is key management painful? Figure 15 shows the reasons why the management of keys is so difficult. The top three
reasons are: (1) no clear ownership of the key management function, (2) lack of skilled personnel and (3) isolated or fragmented
key management systems.

Figure 15. What makes the management of keys so painful?
Country samples are consolidated. More than one choice permitted

No clear ownership 59%
Lack of skilled personnel 57%
Systems are isolated and fragmented 56%
Key management tools are inadequate 46%
Insufficient resources (time/money) 33%
No clear understanding of requirements 23%
Technology and standards are immature 14%
Manual processes are prone to errors and unreliable 11%



Which keys are most difficult to manage? Moving into the top position on this list for the first time this year, keys for external
cloud or hosted services rank as the most difficult keys to manage. As shown in Figure 16, they are followed by SSH keys,
signing keys, and keys for SSL/TLS. The least difficult include: (1) encryption keys for archived data, (2) encryption keys for
backups and storage and (3) embedded device keys.

Figure 16. Types of keys most difficult to manage
Country samples are consolidated. Very painful and painful responses

Keys for external cloud or hosted services including Bring Your Own Key (BYOK) keys 59%
SSH keys 55%
Signing keys (e.g., code signing, digital signatures) 51%
Keys associated with SSL/TLS 46%
End user encryption keys (e.g., email, full disk encryption) 39%
Payments-related keys (e.g., ATM, POS, etc.) 38%
Encryption keys for archived data 33%
Encryption keys for backups and storage 21%
Keys to embed into devices (e.g. at the time of manufacture in device production environments, or for IoT devices you use) 17%

As shown in Figure 17, respondents’ companies continue to use a variety of key management systems. The most commonly
deployed systems include: (1) manual process, (2) formal key management policy (KMP) and (3) formal key management
infrastructure (KMI).

Figure 17. What key management systems does your organization presently use?
Country samples are consolidated. More than one choice permitted

Manual process (e.g., spreadsheet, paper-based) 49%
Formal key management policy (KMP) 49%
Formal key management infrastructure (KMI) 36%
Central key management system/server 33%
Removable media (e.g., thumb drive, CDROM) 32%
Hardware security modules 26%
Smart cards 24%
Software-based key stores and wallets 17%



Importance of hardware security modules (HSMs)

Germany, United States and Japan organizations are more likely to deploy HSMs. Figure 18 summarizes the percentage of
respondents that deploy HSMs. Germany, United States and Japan are more likely to deploy HSMs than other countries. The
overall average deployment rate for HSMs is 41 percent.

Figure 18. Deployment of HSMs
Bars for US, UK, DE, FR, AU, JP, BZ, RF, IN, MX, AB and KO showing the percentage answering yes to "Does your organization use HSMs?", with an average line. Country values range from 23% to 56%.

Deployment of HSMs increases steadily. Figure 19 shows a six-year trend for HSMs. As can be seen, the rate of global HSM
deployment has steadily increased.

Figure 19. HSM deployment rate over six years
Country samples are consolidated

FY12 26%
FY13 29%
FY14 33%
FY15 34%
FY16 38%
FY17 41%

Overall HSM use grew to 41% – the highest level ever. Germany, the US and Japan report the highest HSM usage rates.



How HSMs are deployed in conjunction with public cloud-based applications today and in the next 12 months. As shown
in Figure 20, almost half (47 percent of respondents) own and operate HSMs on-premise for cloud-based applications, and
36 percent rent or use HSMs from a public cloud provider for the same purpose. Respondents expect both figures to increase
in the next 12 months, by 6 and 5 percentage points respectively. Notably, the use of HSMs integrated with Cloud Access
Security Brokers is expected to double in the next 12 months, from 12 to 24 percent.

Figure 20. Use of HSMs in conjunction with public cloud-based applications, today and in the next 12 months
(first value: models used today; second value: models planned for use in the next 12 months)

Own and operate HSMs on-premise at the organization, accessed real-time by cloud-hosted applications: 47% / 53%
Rent/use HSMs from public cloud provider, hosted in the cloud: 36% / 41%
Own and operate HSMs for the purpose of generating and managing BYOK (Bring Your Own Key) keys to send to the cloud for use by the cloud provider: 17% / 24%
Own and operate HSMs that integrate with a Cloud Access Security Broker to manage keys and cryptographic operations (e.g., encrypting data on the way to the cloud, managing keys for cloud applications): 12% / 24%
None of the above: 1% / 1%
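The BYOK model in Figure 20, in which an organization generates key material in its own HSM and sends it to the cloud provider for the provider to use, rests on one exchange: the provider publishes a public import key, the customer wraps a freshly generated key under it, and only the provider's private half can unwrap it. The Go program below is an added example, not code from the report or from any vendor, modelling that exchange with the standard library (RSA-OAEP with SHA-256 over a 256-bit key). The type and function names, the OAEP label string and the 2048-bit key size are assumptions for this illustration.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// ProviderImportKey stands in for the wrapping key pair a cloud KMS publishes for
// BYOK imports: the public half is handed to customers, the private half stays in
// the provider's HSM. The type and method names are hypothetical, not a vendor API.
type ProviderImportKey struct {
	priv *rsa.PrivateKey
}

func NewProviderImportKey() (*ProviderImportKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &ProviderImportKey{priv: priv}, nil
}

func (p *ProviderImportKey) Public() *rsa.PublicKey { return &p.priv.PublicKey }

// CustomerGenerateKey models key generation inside the customer's own HSM: 256
// random bits that should only ever leave that boundary in wrapped form.
func CustomerGenerateKey() ([]byte, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return k, nil
}

// WrapForImport is the customer-side BYOK step: the key material is encrypted under
// the provider's public import key with RSA-OAEP/SHA-256, so only the provider's
// HSM can recover it. The OAEP label ties the blob to its intended purpose.
func WrapForImport(pub *rsa.PublicKey, key []byte, label string) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, []byte(label))
}

// Unwrap is the provider-side import, performed inside the provider's HSM.
func (p *ProviderImportKey) Unwrap(blob []byte, label string) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, p.priv, blob, []byte(label))
}

// RoundTrip runs the exchange end to end and reports whether the provider ends up
// with exactly the key the customer generated, and whether the same blob is
// refused when presented under a different label.
func RoundTrip() (match, wrongLabelRejected bool, err error) {
	provider, err := NewProviderImportKey()
	if err != nil {
		return false, false, err
	}
	key, err := CustomerGenerateKey()
	if err != nil {
		return false, false, err
	}
	blob, err := WrapForImport(provider.Public(), key, "byok-import-v1")
	if err != nil {
		return false, false, err
	}
	got, err := provider.Unwrap(blob, "byok-import-v1")
	if err != nil {
		return false, false, err
	}
	_, labelErr := provider.Unwrap(blob, "some-other-purpose")
	return bytes.Equal(got, key), labelErr != nil, nil
}

func main() {
	match, rejected, err := RoundTrip()
	if err != nil {
		panic(err)
	}
	fmt.Printf("provider recovered customer key: %v; wrong label rejected: %v\n", match, rejected)
}
```

The point to take from it is where the plaintext key exists: in the customer's generator and, after unwrapping, inside the provider's boundary. The wrapped blob in transit is useless without the provider's private key, and the label check means a blob wrapped for one import purpose is refused under another. Once imported, the key is used by the provider, which is why the report lists this model separately from on-premise HSMs accessed in real time by cloud applications.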

Figure 21 summarizes the percentage of respondents in 12 countries that rate HSMs as either very important or important
to their organization’s encryption or key management program or activities. The overall average importance rating in the
current year is 57 percent. The pattern of responses suggests Germany, India, the United States and Japan are most likely to
assign importance to HSMs as part of their organization’s encryption or key management activities.

Figure 21. Perceived importance of HSMs as part of encryption or key management
Very important & important responses combined, by country (US, UK, DE, FR, AU, JP, BZ, RF, IN, MX, AB, KO); average 57%
Values shown in the chart, highest to lowest: 71%, 65%, 64%, 63%, 60%, 56%, 53%, 51%, 50%, 48%, 44%, 42% (the per-country assignment is not legible in this text version)
Question asked: How important are HSMs to your encryption or key management strategy?



Figure 22 shows a six-year trend in the importance of HSMs for encryption or key management, which has steadily increased
over time.

Figure 22. Perceived importance of HSMs as part of encryption or key management over six years
Country samples are consolidated
FY12 33%
FY13 39%
FY14 48%
FY15 49%
FY16 55%
FY17 57%

What best describes an organization’s use of HSMs? As shown in Figure 23, 61 percent of respondents say their organization
has a centralized team that provides cryptography as a service (including HSMs) to multiple applications/teams within their
organization (i.e., private cloud model). Thirty-nine percent say each individual application owner/team is responsible for
their own cryptographic services (including HSMs), indicative of the more traditional siloed application-specific data center
deployment approach.

Figure 23. Which statement best describes how your organization uses HSMs?

We have a centralized team that provides cryptography as a service (including HSMs) to multiple applications/teams within our organization (i.e., private cloud model): 61%
Each individual application owner/team is responsible for their own cryptographic services (including HSMs) (i.e., traditional siloed, application-specific data center deployment): 39%

"61 PERCENT OF RESPONDENTS SAY THEIR ORGANIZATION HAS A CENTRALIZED TEAM THAT PROVIDES CRYPTOGRAPHY AS A SERVICE (INCLUDING HSMs)."



What are the primary purposes or uses for HSMs? Figure 24 summarizes the primary use cases for deploying HSMs. The two
top choices are SSL/TLS and application-level encryption, followed by database encryption. The chart shows relatively small
differences between today's HSM use and that planned for 12 months from now.

The largest increases respondents predict for the next 12 months are for SSL/TLS, database encryption and payment
transaction processing. Notably, respondents expect HSM use for SSL/TLS to reach 50 percent of the organizations
represented in this study.

Figure 24. How HSMs are deployed or planned to be deployed in the next 12 months
Country samples are consolidated. More than one choice permitted
(first value: HSMs used today; second value: HSMs to be deployed in the next 12 months)

SSL/TLS: 43% / 50%
Application level encryption: 41% / 40%
Database encryption: 37% / 44%
Public cloud encryption including for Bring Your Own Key (BYOK): 32% / 32%
PKI or credential management: 30% / 33%
Payment transaction processing including P2PE: 29% / 35%
Payment credential provisioning (e.g., mobile, IoT): 26% / 29%
Private cloud encryption: 26% / 22%
Payment service provider interface (e.g., TSP, real-time payments, Open API): 25% / 28%
Payment credential issuing (e.g., mobile, EMV): 25% / 30%
Blockchain applications (e.g., cryptocurrency, financial transfer): 20% / 21%
With Cloud Access Security Brokers (CASBs) for encryption key management: 19% / 21%
Document signing (e.g., electronic invoicing): 12% / 14%
Internet of Things (IoT) root of trust: 12% / 13%
Big data encryption: 12% / 7%
Code signing: 7% / 8%
Other: 3% / 2%
None of the above: 10% / 12%



Budget allocations

The percentages below are calculated from the responses to survey questions about resource allocations to IT security, data
protection, encryption, and key management. These calculated values are estimates of the current state and we do not make
any predictions about the future state of budget funding or spending.

Figure 25 reports the average percentage of IT security spending relative to total IT spending over the last 13 years. As shown,
the trend appears to be upward sloping, which suggests the proportion of IT spending dedicated to security activities including
encryption is increasing over time.

Figure 25. Trend in the percent of IT security spending relative to the total IT budget, FY05 to FY17
Country samples are consolidated
Values shown in the chart, lowest to highest: 7.2%, 7.5%, 7.5%, 7.9%, 8.6%, 8.8%, 9.1%, 9.1%, 9.2%, 9.9%, 10.0%, 10.2%, 10.6%; FY17 is 10.6% (see Q17b). The year assignment of the earlier values is not legible in this text version.

Figure 26 reports the percentage of the IT security budget dedicated to encryption. Spending on encryption has declined
since 2014.

Figure 26. Trend in the percentage of IT security spending dedicated to encryption activities
Country samples are consolidated
FY14 15.7%
FY15 14.0%
FY16 14.4%
FY17 12.3%



Cloud encryption
According to Figure 27, 61 percent of respondents say their organizations transfer sensitive or confidential data to the cloud,
whether or not it is encrypted or made unreadable by some other mechanism such as tokenization or data masking. Another
21 percent of respondents expect to do so in the next one to two years. These findings suggest that, for most respondents, the
benefits of cloud computing outweigh the risks of transferring sensitive or confidential data to the cloud.

Figure 27. Do you currently transfer sensitive or confidential data to the cloud?
Country samples are consolidated

Yes, we are presently doing so 61%
No, but we are likely to do so in the next 12 to 24 months 21%
No 17%

Figure 28 breaks the same question out by country: organizations in Germany, the United States, Japan, India and Korea
are the most likely to be transferring sensitive or confidential data to the cloud.

Figure 28. Organizations that transfer sensitive or confidential data to the cloud by country
Percentage answering "Yes, we are presently doing so", by country (US, UK, DE, FR, AU, JP, BZ, RF, IN, MX, AB, KO); average 61%
Values shown in the chart, highest to lowest: 70%, 69%, 68%, 67%, 65%, 61%, 58%, 58%, 58%, 54%, 52%, 46% (the per-country assignment is not legible in this text version)

Callout: Encryption in public cloud services grew from 28 percent to 39 percent in 2017; the 11-point increase is the highest year-over-year growth of any encryption use case.



How do organizations protect data at rest in the cloud? As shown in Figure 29, 47 percent of respondents say encryption is
performed on-premise before the data is sent to the cloud, using keys their organization generates and manages. Another 38
percent perform encryption in the cloud with keys generated and managed by the cloud provider, which leaves the provider
able to decrypt the data. Twenty-one percent encrypt in the cloud with keys their organization generates and manages
on-premise, a Bring Your Own Key (BYOK) approach. More than one choice was permitted, so the categories overlap.

Figure 29. How does your organization protect data at rest in the cloud?
Country samples are consolidated. More than one choice permitted

Encryption performed on-premise prior to sending data to the cloud using keys my organization generates and manages 47%
Encryption performed in the cloud using keys generated/managed by the cloud provider 38%
Encryption performed in the cloud using keys my organization generates and manages on-premise 21%
Tokenization performed by the cloud provider 13%
Tokenization performed on-premise prior to sending data to the cloud 12%
None of the above 5%
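Of the models in Figure 29, the first (encryption performed on-premise before the data is sent, with keys the organization generates and manages) is the one in which the cloud provider never holds a key that can read the data. The Go program below is an added example, not code from the report or from any provider, showing how that is usually done in practice with envelope encryption: each object is encrypted under a fresh data-encryption key (DEK) with AES-256-GCM, the DEK is wrapped under a key-encryption key (KEK) that stays on-premise, and only the ciphertext and the wrapped DEK are uploaded. The Envelope type, the object name, the sample record and the function names are constructed for this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is all the cloud provider ever stores: ciphertext plus the per-object
// DEK wrapped under a KEK that never leaves the organization. The format is
// hypothetical, for this example only, not any provider's API.
type Envelope struct {
	WrappedDEK []byte // DEK sealed under the KEK with AES-256-GCM
	Ciphertext []byte // object data sealed under the DEK with AES-256-GCM
	AAD        []byte // object identity bound into both GCM tags
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// seal returns nonce || ciphertext || tag, with a fresh random nonce per call.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil { return nil, err }
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return g.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; any change to ciphertext, tag or AAD fails authentication.
func open(key, blob, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil { return nil, err }
	if len(blob) < g.NonceSize() { return nil, errors.New("blob too short") }
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], aad)
}

// EncryptOnPrem runs before upload: a fresh 256-bit DEK per object, itself wrapped
// under the organization's KEK. objectID is bound as AAD so whoever controls the
// storage cannot silently swap one object's envelope for another's.
func EncryptOnPrem(kek, plaintext []byte, objectID string) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil { return nil, err }
	aad := []byte(objectID)
	ct, err := seal(dek, plaintext, aad)
	if err != nil { return nil, err }
	wrapped, err := seal(kek, dek, aad)
	if err != nil { return nil, err }
	return &Envelope{WrappedDEK: wrapped, Ciphertext: ct, AAD: aad}, nil
}

// DecryptOnPrem runs after download, again only where the KEK is available.
func DecryptOnPrem(kek []byte, env *Envelope) ([]byte, error) {
	dek, err := open(kek, env.WrappedDEK, env.AAD)
	if err != nil { return nil, fmt.Errorf("unwrap DEK: %w", err) }
	return open(dek, env.Ciphertext, env.AAD)
}

// Demo reports whether a constructed record round-trips, whether a party holding
// only the envelope and some other key (the provider's position) is refused, and
// whether a one-bit change to the stored ciphertext is detected.
func Demo() (roundTrip, wrongKEKRejected, tamperRejected bool, err error) {
	kek := make([]byte, 32) // in practice generated and held in the organization's HSM
	if _, err = rand.Read(kek); err != nil { return }
	msg := []byte("constructed sample record: account=4242 balance=100")
	env, err := EncryptOnPrem(kek, msg, "bucket/customers/4242.json")
	if err != nil { return }
	pt, err := DecryptOnPrem(kek, env)
	if err != nil { return }
	roundTrip = string(pt) == string(msg)
	_, e := DecryptOnPrem(make([]byte, 32), env) // not the KEK: unwrap fails
	wrongKEKRejected = e != nil
	env.Ciphertext[len(env.Ciphertext)-1] ^= 0x01
	_, e = DecryptOnPrem(kek, env)
	tamperRejected = e != nil
	return
}

func main() {
	rt, wk, tp, err := Demo()
	if err != nil { panic(err) }
	fmt.Printf("round-trip=%v wrong-kek-rejected=%v tamper-rejected=%v\n", rt, wk, tp)
}
```

Demo exercises the three properties that matter in the key-control choice of Q35e: the organization can decrypt its own data; a party holding only the stored envelope and a different key, which is the provider's position under an "only use keys controlled by my organization" strategy, gets an authentication failure rather than plaintext; and a modified ciphertext is rejected by the GCM tag. Binding the object identifier as associated data closes the gap where storage-level access could swap one object's envelope for another's. The 38 percent who rely on provider-generated keys get none of these guarantees against the provider itself, only against outsiders.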

What are the top three encryption features specifically for the cloud? The top three features are support for the KMIP
standard for key management (66 percent of respondents), SIEM integration, visualization and analysis of logs (62 percent of
respondents) and granular access controls (60 percent of respondents).

Figure 30. How important are the following features associated with cloud encryption to your organization?
Very important and important responses combined

Support for the KMIP standard for key management 66%
SIEM integration, visualization and analysis of logs 62%
Granular access controls 60%
Audit logs identifying key usage 57%
Privileged user access control 51%
Bring Your Own Key (BYOK) management support 49%
Ability to encrypt and rekey data while in use without downtime 47%
Audit logs identifying data access attempts 39%
Support for FIPS 140-2 compliant key management 34%



APPENDIX 1. METHODS & LIMITATIONS
Table 1 reports the sample response for 12 separate country samples. The survey was fielded over a 49-day period ending in
January 2018. Our consolidated sampling frame of practitioners in all countries consisted of 151,334 individuals who have
bona fide credentials in IT or security fields. From this sampling frame, we captured 5,861 returns, of which 609 were rejected
for reliability issues. Our final consolidated 2017 sample was 5,252, an overall response rate of 3.5 percent.

The first encryption trends study was conducted in the United States in 2005. Since then we have expanded the scope of
the research to include 12 separate country samples. Trend analysis was performed on combined country samples. As noted
before, we added Korea to this year’s study.

Table 1. Survey response in 12 countries

Legend  Survey response     Sampling frame  Final sample  Response rate
AB      Arabian Cluster     9,466           308           3.3%
AU      Australia           7,290           315           4.3%
BZ      Brazil              13,200          507           3.8%
DE      Germany             14,505          543           3.7%
FR      France              12,650          370           2.9%
IN      India               16,873          582           3.4%
JP      Japan               14,013          468           3.3%
KO      Korea               11,257          317           2.8%
MX      Mexico              11,300          468           4.1%
RF      Russian Federation  6,319           196           3.1%
UK      United Kingdom      13,001          468           3.6%
US      United States       21,460          710           3.3%
        Consolidated        151,334         5,252         3.5%



Table 2 summarizes our survey samples for 12 countries over a 12-year period.

Table 2. Sample history over 12 years

Legend  FY17   FY16   FY15   FY14   FY13   FY12   FY11   FY10   FY09   FY08   FY07   FY06
AB      308    316    368    0      0      0      0      0      0      0      0      0
AU      315    331    334    359    414    938    471    477    482    405    0      0
BZ      507    463    460    472    530    637    525    0      0      0      0      0
DE      543    531    563    564    602    499    526    465    490    453    449    0
FR      370    345    344    375    478    584    511    419    414    0      0      0
IN      582    548    578    532    0      0      0      0      0      0      0      0
JP      468    450    487    476    521    466    544    0      0      0      0      0
KO      317    0      0      0      0      0      0      0      0      0      0      0
MX      468    451    429    445    0      0      0      0      0      0      0      0
RF      196    206    201    193    201    0      0      0      0      0      0      0
UK      468    460    487    509    637    550    651    622    615    638    541    489
US      710    701    758    789    892    531    912    964    997    975    768    918
Total   5,252  4,802  5,009  4,714  4,275  4,205  4,140  2,947  2,998  2,471  1,758  1,407

Figure 31 reports the respondent’s organizational level within participating organizations. By design, 56 percent of respondents
are at or above the supervisory levels.

Figure 32 identifies the organizational location of respondents in our study. Over half of respondents (55 percent) are located
within IT operations, followed by security at 20 percent of respondents and 12 percent of respondents are located within the
lines of business.

Figure 31. Distribution of respondents according to position level
Country samples are consolidated
Senior Executive 2%
Vice President 3%
Director 17%
Manager/Supervisor 34%
Associate/Staff/Technician 41%
Other 3%

Figure 32. Distribution of respondents according to organizational location
Country samples are consolidated
IT operations 55%
Security 20%
Compliance 7%
Finance 3%
Lines of business (LOB) 12%
Other 3%



Figure 33 reports the industry classification of respondents’ organizations. Fifteen percent of respondents are located in the
financial services industry, which includes banking, investment management, insurance, brokerage, payments and credit cards.
Twelve percent of respondents are located in manufacturing and industrial organizations and 11 percent of respondents are in
service organizations. Another nine percent are located in the public sector, including central and local government.

Figure 33. Distribution of respondents according to primary industry classification
Country samples are consolidated
Financial services 15%
Manufacturing & industrial 12%
Services 11%
Public sector 9%
Technology & software 9%
Health & pharmaceutical 8%
Retail 8%
Energy & utilities 7%
Consumer products 4%
Education & research 3%
Hospitality 3%
Transportation 3%
Communications 2%
Entertainment & media 2%
Other 4%

According to Figure 34, the majority of respondents (63 percent) are located in larger-sized organizations with a global
headcount of more than 1,000 employees.

Figure 34. Distribution of respondents according to organizational headcount
Country samples are consolidated
Less than 500 13%
500 to 1,000 24%
1,001 to 5,000 31%
5,001 to 25,000 20%
25,001 to 75,000 8%
More than 75,000 4%



Limitations

There are inherent limitations to survey research that need to be carefully considered before drawing inferences from the
presented findings. The following items are specific limitations that are germane to most survey-based research studies.

• Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample
of IT and IT security practitioners in 12 countries, resulting in a large number of usable returned responses. Despite
non-response tests, it is always possible that individuals who did not participate are substantially different in terms of
underlying beliefs from those who completed the survey.

• Sampling-frame bias: The accuracy of survey results is dependent upon the degree to which our sampling frames are
representative of individuals who are IT or IT security practitioners within the sample of 12 countries selected.

• Self-reported results: The quality of survey research is based on the integrity of confidential responses received from
respondents. While certain checks and balances were incorporated into our survey evaluation process including sanity
checks, there is always the possibility that some respondents did not provide truthful responses.

APPENDIX 2. SURVEY DATA TABLES


The following tables provide the consolidated results for 12 country samples.

Survey response
Sampling frame 151,334
Total returns 5,861
Rejected or screened surveys 609
Final sample 5,252
Response rate 3.5%

Part 1. Encryption Posture

Q1. Please select one statement that best describes your organization's approach to encryption implementation across the enterprise.

We have an overall encryption plan or strategy that is applied consistently across the entire enterprise 43%
We have a limited encryption plan or strategy that is applied to certain applications and data types 44%
We don't have an encryption plan or strategy 13%
Total 100%


Q2. Following are areas where encryption technologies can be deployed. Please check those areas where
encryption is extensively deployed, partially deployed or not as yet deployed by your organization.

Q2a-1 Backup and archives Q2b-1. Big data repositories

Extensively deployed 54% Extensively deployed 28%

Partially deployed 26% Partially deployed 24%

Not deployed 20% Not deployed 48%

Total 100% Total 100%

Q2c-1 Cloud gateway Q2d-1. Data center storage

Extensively deployed 43% Extensively deployed 43%

Partially deployed 30% Partially deployed 30%

Not deployed 27% Not deployed 27%

Total 100% Total 100%

Q2e-1. Databases Q2f-1. Docker containers

Extensively deployed 63% Extensively deployed 20%


Partially deployed 24% Partially deployed 29%
Not deployed 13% Not deployed 51%
Total 100% Total 100%

Q2g-1. Email Q2h-1. Public cloud services

Extensively deployed 38% Extensively deployed 39%

Partially deployed 35% Partially deployed 35%

Not deployed 27% Not deployed 27%

Total 100% Total 100%



Q2i-1. File systems
Extensively deployed 38%
Partially deployed 31%
Not deployed 31%
Total 100%

Q2j-1. Internet communications (e.g., SSL)
Extensively deployed 63%
Partially deployed 25%
Not deployed 12%
Total 100%

Q2k-1. Internal networks (e.g., VPN/LPN)
Extensively deployed 58%
Partially deployed 22%
Not deployed 20%
Total 100%

Q2l-1. Laptop hard drives
Extensively deployed 48%
Partially deployed 33%
Not deployed 19%
Total 100%

Q2m-1. Private cloud infrastructure
Extensively deployed 34%
Partially deployed 29%
Not deployed 36%
Total 100%

Q2n-1. Internet of things (IoT) devices
Extensively deployed 26%
Partially deployed 23%
Not deployed 51%
Total 100%

Q2o-1. Internet of things (IoT) platforms
Extensively deployed 25%
Partially deployed 24%
Not deployed 51%
Total 100%



Q3. Who is most influential in directing your organization’s
encryption strategy? Please select one best choice.

IT operations 33%

Security 17%

Compliance 2%

Lines of business (LOB) or general management 25%

No single function has responsibility 22%

Total 100%

Q4. What are the reasons why your organization encrypts sensitive
and confidential data? Please select the top three reasons.

To protect enterprise intellectual property 52%


To protect customer personal information 50%
To limit liability from breaches or inadvertent disclosure 32%
To avoid public disclosure after a data breach occurs 14%
To protect information against specific, identified threats 54%
To comply with internal policies 21%
To comply with external privacy or data security regulations
49%
and requirement

To reduce the scope of compliance audits 29%

Total 300%

Q5. What are the biggest challenges in planning and executing a data
encryption strategy? Please select the top two reasons.

Discovering where sensitive data resides in the organization 67%

Classifying which data to encrypt 34%

Determining which encryption technologies are most effective 13%

Initially deploying the encryption technology 44%

Ongoing management of encryption and keys 29%

Training users to use encryption appropriately 13%

Total 200%



Q6. How important are the following features associated with encryption
solutions that may be used by your organization? Very important and
important response combined.

Enforcement of policy 72%

Management of keys 68%

Support for multiple applications or environments 52%

Separation of duties and role-based controls 54%

System scalability 68%

Tamper resistance by dedicated hardware (e.g., HSM) 50%

Integration with other security tools (e.g., SIEM and ID management) 64%

Support for regional segregation (e.g., data residency) 44%

System performance and latency 78%

Support for emerging algorithms (e.g., ECC) 59%

Support for cloud and on-premise deployment 71%

Formal product security certifications (e.g., FIPS 140) 56%

Q7. What types of data does your organization encrypt?


Please select all that apply.

Customer information 43%

Non-financial business information 26%

Intellectual property 52%

Financial records 50%

Employee/HR data 53%

Payment related data 54%

Healthcare information 26%

Q8. What are the main threats that might result in the exposure of sensitive
or confidential data? Please select the top two choices.

Hackers 30%

Malicious insiders 22%

System or process malfunction 31%

Employee mistakes 47%

Temporary or contract workers 22%

Third party service providers 19%

Lawful data request (e.g. by police) 12%

Government eavesdropping 17%

Total 200%



Part 2. Key Management

Q9. Please rate the overall “pain” associated with managing keys or
certificates within your organization, where 1 = minimal impact to
10 = severe impact?

1 or 2 9%

3 or 4 12%

5 or 6 22%

7 or 8 24%

9 or 10 33%

Total 100%

Q10. What makes the management of keys so painful?


Please select the top three reasons.

No clear ownership 59%

Insufficient resources (time/money) 33%

Lack of skilled personnel 57%

No clear understanding of requirements 23%

Key management tools are inadequate 46%

Systems are isolated and fragmented 56%

Technology and standards are immature 14%

Manual processes are prone to errors and unreliable 11%

Total 300%

Q11. Following are a wide variety of keys that may be managed by your
organization. Please rate the overall “pain” associated with managing
each type of key. Very painful and painful response combined.

Encryption keys for backups and storage 21%

Encryption keys for archived data 33%

Keys associated with SSL/TLS 46%

SSH keys 55%

End user encryption keys (e.g., email, full disk encryption) 39%

Signing keys (e.g., code signing, digital signatures) 51%

Payments-related keys (e.g., ATM, POS, etc.) 38%

Keys to embed into devices (e.g., at the time of manufacture in device production environments, or for IoT devices you use) 17%

Keys for external cloud or hosted services including Bring Your Own Key (BYOK) keys 59%



Q12a. What key management systems does your
organization presently use?

Formal key management policy (KMP) 49%

Formal key management infrastructure (KMI) 36%

Manual process (e.g., spreadsheet, paper-based) 49%

Central key management system/server 33%

Hardware security modules 26%

Removable media (e.g., thumb drive, CDROM) 32%

Software-based key stores and wallets 17%

Smart cards 24%

Total 267%

Q12b. What key management systems does your organization not presently use, or is not aware of using?

Formal key management policy (KMP) 36%

Formal key management infrastructure (KMI) 43%

Manual process (e.g., spreadsheet, paper-based) 34%

Central key management system/server 45%

Hardware security modules 52%

Removable media (e.g., thumb drive, CDROM) 52%

Software-based key stores and wallets 61%

Smart cards 58%

Total 381%



Part 3. Hardware Security Modules

Q13. What best describes your level of knowledge about HSMs?

Very knowledgeable 29%

Knowledgeable 30%

Somewhat knowledgeable 20%

No knowledge (skip to Q17a) 21%

Total 100%

Q14a. Does your organization use HSMs?

Yes 41%

No (skip to Q17a) 59%

Total 100%

Q14b. For what purpose does your organization presently deploy or


plan to use HSMs? Please select all that apply.

Q14b-1. HSMs used today

Application level encryption 41%

Database encryption 37%

Big data encryption 12%

Public cloud encryption including for Bring Your Own Key (BYOK) 32%

Private cloud encryption 26%

SSL/TLS 43%

PKI or credential management 30%

Internet of Things (IoT) root of trust 12%

Document signing (e.g. electronic invoicing) 12%

Code signing 7%

Payment transaction processing including P2PE 29%

Payment credential issuing (e.g., mobile, EMV) 25%

Payment credential provisioning (e.g., mobile, IoT) 26%

Payment service provider interface (e.g., TSP, real-time payments, Open API) 25%

With Cloud Access Security Brokers (CASBs) for encryption key management 19%

Blockchain applications (e.g., cryptocurrency, financial transfer) 20%

None of the above 10%

Other 3%

Total 409%



Q14b-2. HSMs planned to be deployed in the next 12 months

Application level encryption 40%

Database encryption 44%

Big data encryption 7%

Public cloud encryption including for Bring Your Own Key (BYOK) 32%

Private cloud encryption 22%

SSL/TLS 50%

PKI or credential management 33%

Internet of Things (IoT) root of trust 13%

Document signing (e.g. electronic invoicing) 14%

Code signing 8%

Payment transaction processing 35%

Payment credential issuing (e.g., mobile, EMV) 30%

Payment credential provisioning (e.g., mobile, IoT) 29%

Payment service provider interface (e.g., TSP, real-time payments, Open API) 28%

With Cloud Access Security Brokers (CASBs) for encryption key management 21%

Blockchain applications (e.g., cryptocurrency, financial transfer) 21%

None of the above 12%

Other 2%

Total 441%

Q14c-1. If you use HSMs in conjunction with public cloud based applications, what models do you use today? Please select all that apply.

Rent/use HSMs from public cloud provider, hosted in the cloud 36%
Own and operate HSMs on-premise at your organization, accessed real-time by cloud-hosted applications 47%
Own and operate HSMs for the purpose of generating and managing BYOK (Bring Your Own Key) keys to send to the cloud for use by the cloud provider 17%
Own and operate HSMs that integrate with a Cloud Access Security Broker to manage keys and cryptographic operations (e.g., encrypting data on the way to the cloud, managing keys for cloud applications) 12%
None of the above 1%
Total 113%



Q14c-2. If you use HSMs in conjunction with public cloud based applications, what models do you plan to use in the next 12 months? Please select all that apply.

Rent/use HSMs from public cloud provider, hosted in the cloud 41%
Own and operate HSMs on-premise at your organization, accessed real-time by cloud-hosted applications 53%
Own and operate HSMs for the purpose of generating and managing BYOK (Bring Your Own Key) keys to send to the cloud for use by the cloud provider 24%
Own and operate HSMs that integrate with a Cloud Access Security Broker to manage keys and cryptographic operations (e.g., encrypting data on the way to the cloud, managing keys for cloud applications) 24%
None of the above 1%
Total 143%

Q15. In your opinion, how important are HSMs to your encryption or key
management strategy? Very important and important response combined

Q15a. Importance today 57%

Q15b. Importance in the next 12 months 65%

Q16. Which statement best describes how your organization uses HSMs?

We have a centralized team that provides cryptography as a service (including HSMs) to multiple applications/teams within our organization (i.e. private cloud model). 61%
Each individual application owner/team is responsible for their own cryptographic services (including HSMs) (i.e. traditional siloed, application-specific data center deployment). 39%
Total 100%

Part 4. Budget Questions

Q17a. Are you responsible for managing all or part of your organization’s
IT budget this year?

Yes 53%

No (skip to Q18) 47%

Total 100%



Q17b. Approximately, what percentage of the 2017 IT budget will go to IT security activities? FY2017: 10.6%

Q17c. Approximately, what percentage of the 2017 IT security budget will go to encryption activities? FY2017: 12.3%

Part 6: Cloud encryption. When responding to the following questions, please assume they refer only to public cloud services.

Q35a. Does your organization currently use cloud computing services for
any class of data or application – both sensitive and non-sensitive?

Yes, we are presently doing so 64%

No, but we are likely to do so in the next 12 to 24 months 20%

No (Go to Part 7 if you do not use cloud services for any class of 16%
data or application)

Total 100%

Q35b. Do you currently transfer sensitive or confidential data to the cloud (whether or not it is encrypted or made unreadable via some other mechanism)?

Yes, we are presently doing so 61%

No, but we are likely to do so in the next 12 to 24 months 21%

No (Go to Part 7 if you do not use or plan to use any cloud services 17%
for sensitive or confidential data)

Total 100%

Q35c. In your opinion, who is most responsible for protecting sensitive or confidential data transferred to the cloud?

The cloud provider 49%

The cloud user 21%

Shared responsibility 31%

Total 100%



Q35d. How does your organization protect data at rest in the cloud?

Encryption performed in the cloud using keys generated/managed by the cloud provider 38%
Encryption performed in the cloud using keys my organization generates and manages on-premise 21%
Encryption performed on-premise prior to sending data to the cloud using keys my organization generates and manages 47%
Tokenization performed by the cloud provider 13%
Tokenization performed on-premise prior to sending data to the cloud 12%
None of the above 5%
Total 136%

Q35e. For encryption of data at rest in the cloud, my organization's strategy is to…

Only use keys controlled by my organization 42%
Only use keys controlled by the cloud provider 19%
Use a combination of keys controlled by my organization and by the cloud provider, with a preference for keys controlled by my organization 19%
Use a combination of keys controlled by my organization and by the cloud provider, with a preference for keys controlled by the cloud provider 20%
Total 100%

Q35f. How important are the following features associated with cloud encryption to your organization? Very important and important responses combined.

Bring Your Own Key (BYOK) management support 49%
Privileged user access control 51%
Granular access controls 60%
Audit logs identifying key usage 57%
Audit logs identifying data access attempts 39%
SIEM integration, visualization and analysis of logs 62%
Support for FIPS 140-2 compliant key management 34%
Support for the KMIP standard for key management 66%
Ability to encrypt and rekey data while in use without downtime 47%



Q35g-1. How many public cloud providers does your organization use today?

1 39%

2 21%

3 14%

4 or more 26%

Total 100%

Q35g-2. How many public cloud providers does your organization plan to use in the next 12 to 24 months?

1 29%

2 21%

3 15%

4 or more 35%

Total 100%

Part 7: Role and organizational characteristics

D1. What organizational level best describes your current position?

Senior Executive 2%

Vice President 3%

Director 17%

Manager/Supervisor 34%

Associate/Staff/Technician 41%

Other 3%

Total 100%



D2. Select the functional area that best describes your
organizational location.

IT operations 55%

Security 20%

Compliance 7%

Finance 3%

Lines of business (LOB) 12%

Other 3%

Total 100%

D3. What industry best describes your organization’s industry focus?

Agriculture & food services 1%

Communications 2%

Consumer products 4%

Defense & aerospace 0%

Education & research 3%

Energy & utilities 7%

Entertainment & media 2%

Financial services 15%

Health & pharmaceutical 8%

Hospitality 3%

Manufacturing & industrial 12%

Public sector 9%

Retail 8%

Services 11%

Technology & software 9%

Transportation 3%

Other 3%

Total 100%

D4. What is the worldwide headcount of your organization?

Less than 500 13%

500 to 1,000 24%

1,001 to 5,000 31%

5,001 to 25,000 20%

25,001 to 75,000 8%

More than 75,000 4%

Total 100%



About Ponemon Institute
The Ponemon Institute© is dedicated to advancing responsible information and privacy management
practices in business and government. To achieve this objective, the Institute conducts independent research,
educates leaders from the private and public sectors and verifies the privacy and data protection practices of
organizations in a variety of industries.

About nCipher Security

Today's fast-moving digital environment enables enterprises to operate more efficiently, gain competitive
advantage and serve customers better than ever before. It also multiplies the security risks.
nCipher Security empowers world-leading organizations by delivering trust, integrity and control to their
business-critical information and applications.
Our cryptographic solutions secure emerging technologies (cloud, IoT, blockchain, digital payments)
and help meet new compliance mandates, using the same proven technology that our customers
depend on today to protect against threats to their sensitive data, network communications and enterprise
infrastructure. We deliver trust for your business-critical information and applications, ensuring the integrity
of your data and putting you in complete control, today, tomorrow and at all times.
To find out more about how nCipher Security can deliver trust, integrity and control to your business-critical
information and applications, visit www.ncipher.com.

Platinum partner – GEOBRIDGE

Established in 1997, GEOBRIDGE emerged as one of the first information security solutions providers
to support cryptography and payment applications for payment processors, financial institutions and
retail organizations. Today, GEOBRIDGE is a leading information security solutions and compliance
provider offering Cryptography and Key Management, Payment Security, Compliance, and HSM
Virtualization solutions and services to its clients. Its client list includes Fortune 500 companies,
financial institutions, healthcare organizations and government clients across North America and around
the globe. GEOBRIDGE leverages its team's expertise in data protection, program development,
enforcement and governance to architect solutions that mitigate risk for its clients.

Platinum partner – Venafi

Venafi is the cyber security market leader in machine identity protection, securing machine-to-machine
connections and communications. Venafi protects machine identities by orchestrating cryptographic
keys and digital certificates for SSL/TLS, IoT, mobile and SSH. Venafi provides global visibility of machine
identities and the risks associated with them for the extended enterprise (on premises, mobile, virtual,
cloud and IoT) at machine speed and scale. Venafi puts this intelligence into action with automated
remediation that reduces the security and availability risks connected with weak or compromised machine
identities, while safeguarding the flow of information to trusted machines and preventing communication
with machines that are not trusted.
With 31 patents currently in its portfolio, Venafi delivers innovative solutions for the world's most
demanding, security-conscious Global 2000 organizations. Venafi is backed by top-tier investors,
including Foundation Capital, Intel Capital, Origin Partners, Pelion Venture Partners, QuestMark Partners,
Mercato Partners and NextEquity. For more information, visit: www.venafi.com.



©2018 nCipher