
2009 Encryption and Key Management Industry Benchmark Report

A risk management benchmark for data protection

Author: Kimberly Getgen, Principal, Trust Catalyst
October 20, 2009


Foreword: Risk Management for Data Protection

Dear data security professional,

Where does your organization's risk management strategy stand when it comes to data protection? Despite a growing emphasis on encryption and related issues, few organizations have had the hard data needed to benchmark their risk management efforts against industry standards. Until now.

As a leader in encryption and key management, Thales wanted to provide the industry with a much-needed benchmark. We engaged Trust Catalyst, a research firm, to conduct a survey of industry professionals and report the findings. I found the resulting 2009 Encryption and Key Management Industry Benchmark Report fascinating. I think you will, too. But more importantly, it's a tool your organization can use to learn where it stands in relation to industry standards and emerging trends.

After reading the report, I was struck by two things in particular: Organizations have made great strides in protecting sensitive data and there is more to do, especially with regard to managing encryption keys and protecting backup tapes.

The next great hurdle in encryption is protecting all sensitive data, not just some of it. Many of the respondents to the survey are progressing in that direction, while others are advancing more slowly. Either way, we all have the opportunity to learn from their collective experiences.

I want to thank all of you who participated in the survey for sharing your time and insights. I also want to thank the Thales customers and partners who have helped to make us an industry leader. At Thales, we are pleased to be able to sponsor this report, and we hope that all of you will find it to be a valuable benchmarking tool.

Best regards,
Bryta Schulz
Vice President, Product Marketing
Thales Information Systems Security

2009 Trust Catalyst www.trustcatalyst.com

Telephone: +1.415.867.8842 Contact: info@trustcatalyst.com


Table of Contents

Foreword: Risk Management for Data Protection
Executive Summary
    Key Findings
Section I: Data Encryption Trends and Obstacles
    Encryption Trends
    Obstacles to Encryption
        Cost
        Data Availability
    Key Management Trends
Section II: Regulations and Compliance Drivers
    Encryption Budget Allocated for Compliance
        Comparing the Top Five Regulations in the US and EMEA
    How Survey Respondents Expect Regulations to Change
    The New Connection Between Key Management and Compliance
    Conclusion
Section III: Cloud Computing
    Conclusion
Appendix A: Research Methodology


Executive Summary

Data protection is an exercise in risk management. Adequately protecting data and managing compliance must be balanced with operating efficiency and profitable growth. Getting this combination right is more important than ever. The second annual Encryption and Key Management Industry Benchmark Report investigates how IT security managers are addressing these challenges and provides recommendations to help you reassess your strategy in light of the new data protection imperative.

Since publication of the 2008 Encryption and Key Management Industry Benchmark Report, demands to protect data have only grown. New data breach notification laws and the codification of industry-specific standards have made the protection of data an even higher priority.

In the US, HITECH (Health Information Technology for Economic and Clinical Health Act) rules introduce data breach notification requirements nationally for healthcare data. US state rules in Massachusetts (MA 201 CMR 17) and California (CA SB 1386) are mandating the use of encryption to protect data. Nevada's NV SB 227 went even further by mandating compliance for the industry-developed Payment Card Industry Data Security Standard (PCI DSS) for those accepting credit cards. In Germany, the Federal Data Privacy Act mandates data breach notification for the first time. And in the UK, aggressive action by the Information Commissioner's Office (ICO) and Financial Services Authority (FSA) has made data breach notification de facto law.

Over the next 12 months, regulation requiring the protection of data and mandatory breach notification will only continue to grow. At the same time, many organizations will continue to experience damaging, costly, and very public data breaches. As this survey shows, encryption is one of the most effective means to protect data. Using encryption with automated key management goes a long way toward helping organizations achieve their compliance and IT operations objectives.

Key Findings

Trust Catalyst conducted the second annual data protection survey to evaluate evolving trends in encryption and key management. This report, sponsored by Thales, provides new analysis and unique data to help organizations learn from the data protection and risk management decisions of their peers. The report identifies these key findings:

- Unnecessary risk. The Achilles' heel of many organizations remains the same as last year: unencrypted databases and backup tapes. Less than 50 percent of organizations are encrypting backup tapes and databases, creating a critical vulnerability in data protection programs. Nearly 20 percent of participants who are not encrypting backup tapes said their organization would wait until a breach occurred before beginning to encrypt tapes.

- Cost of encryption remains a top concern. Participants said cost remains the single most important factor preventing the encryption of data that should be encrypted. Over half cited either the cost of the encryption solution (26 percent) or the cost of managing the encryption solution (25 percent) as the primary obstacles to adopting encryption where it is needed most.

- Operational concerns delay encryption projects. Cost isn't the only barrier to encryption adoption. The decision to encrypt requires organizations to weigh other operational efficiencies against the need for data protection. When asked what was preventing them from encrypting databases, 25 percent of participants cited performance as the key inhibitor. For backup tapes, the complexity of managing keys was the primary obstacle, cited by 24 percent of respondents. Here, many participants told us availability is more important than confidentiality.

- Lost keys disrupt business. 8 percent of organizations have experienced problems with lost encryption keys, creating security concerns (50 percent), causing data to be permanently destroyed (39 percent), or disrupting the business (39 percent), while 19 percent of respondents said they directly lost business.

- Key management and compliance. Planning an organization's key management strategy is no easy feat. A third of survey respondents (34 percent) have been planning their key management strategy for over a year. For the first time, these participants ranked "proving compliance requirements have been met" as the most challenging aspect of key management.

- New encryption mandates considered helpful to data protection strategies. Regulations mandating encryption were seen as helpful in moving data protection strategies forward for an overwhelming 71 percent of survey participants, while only 7 percent disagreed, saying these regulations harmed or obstructed their organization's data protection efforts. Encryption mandates appear to be the ammunition many organizations need to help sell their data protection strategies internally. In addition, 66 percent of respondents expect to see more industry regulations outlining data protection guidelines, and 55 percent expect to see more national breach notification laws.

- Patient and credit card data protection drives encryption spending. PCI DSS, HIPAA, and the EU Data Privacy Directive are the top three data protection regulations requiring allocation of new encryption budget over the next 24 months. 54 percent of respondents indicated they were allocating budget for PCI DSS, 29 percent for HIPAA and 22 percent for the EU Data Privacy Directive. Data protection rules such as HIPAA and PCI are driving the use of encryption across industries as the need to protect specific types of data grows.

- Cloud not ready for prime time. 52 percent of participants cite data security concerns as being the number one barrier preventing their organization from adopting cloud computing. 43 percent of survey participants said they are not currently planning on moving to the cloud, while another 47 percent said they would wait until data is encrypted before moving. 59 percent said they would want to manage their own encryption keys if encrypted data was moved to the cloud.


About This Paper

This paper is organized into the following four sections:

- Section I: Data Encryption Trends and Obstacles
- Section II: Regulations and Compliance Drivers
- Section III: Cloud Computing
- Section IV: Importance of Key Management in New Data Protection Imperative

Research methodology and information about the survey respondents are outlined in Appendix A.


Section I: Data Encryption Trends and Obstacles

New compliance regulations are pushing the need to encrypt more data than ever before. In this year's survey, we wanted to understand not only what was being encrypted, but also what was preventing organizations from adopting more encryption where it's needed the most. In this section, we summarize these trends by exploring:

- Encryption trends
- Obstacles to encryption
- Key management trends

Encryption Trends

Table 1 compares the 13 applications surveyed in 2008 to show the change in encryption trends from 2008 to 2009. The applications are ranked from most to least widely deployed according to this year's survey results.

Table 1: Applications encrypting data, comparing 2008 and 2009 results

| Encryption application | Rank in 2009 survey | Rank in 2008 survey | Change |
|---|---|---|---|
| Web server SSL | 1 | 1 | 0 |
| File encryption - server | 2 | 5 | +3 |
| File encryption - desktop | 3 | 2 | -1 |
| FTP encryption | 4 | 4 | 0 |
| Email client (e.g. S/MIME or OpenPGP) | 5 | 3 | -2 |
| Email gateway (e.g. TLS) | 6 | 7 | +1 |
| Full disk encryption | 7 | 6 | -1 |
| Database encryption | 8 | 8 | 0 |
| Mobile device encryption | 9 | 11 | +2 |
| Tape backup encryption | 10 | 9 | -1 |
| USB device encryption | 11 | 10 | -1 |
| XML encryption | 12 | 12 | 0 |
| Storage fabric / Switch encryption | 13 | 13 | 0 |

The most significant increases in this year's research were "File encryption - server" moving up from fifth to second place and "Mobile device encryption" rising from eleventh to ninth. Email encryption at the client saw the most significant fall, from third place in 2008 to fifth in 2009. There was not a significant increase in encryption adoption for databases or backup tapes in 2009. We continue to caution organizations not encrypting these applications that they remain at serious risk of data breach, particularly with regard to patient and credit card data.

This year's research saw the addition of four new applications: 1) Network link encryption, 2) Payment processing, 3) Disk array, and 4) Cloud computing. Figure 1 and Table 2 compare the results of all respondents to those of the financial services industry, which has adopted encryption faster.

Figure 1: Encryption adoption compared to financial services industry, 2009 results

Table 2: Encryption applications used, 2009 results

| Encryption application | All respondents | Financial services industry |
|---|---|---|
| Web server SSL | 77% | 86% |
| File encryption - server | 57% | 65% |
| File encryption - desktop | 56% | 62% |
| FTP encryption | 54% | 65% |
| Network link encryption | 53% | 70% |
| Email client (e.g. S/MIME or OpenPGP) | 52% | 60% |
| Email gateway (e.g. TLS) | 51% | 68% |
| Payment processing | 50% | 79% |
| Full disk encryption | 49% | 56% |
| Database encryption | 43% | 53% |
| Mobile device encryption | 42% | 63% |
| Tape backup encryption | 41% | 58% |
| USB device encryption | 41% | 45% |
| Disk array | 25% | 44% |
| XML encryption | 31% | 33% |
| Storage fabric / Switch encryption | 20% | 30% |
| Cloud computing | 17% | 19% |



Here we can see that the five most widely deployed encryption applications overall are:

1. Web servers (77 percent)
2. File encryption on servers (57 percent)
3. Desktop file encryption (56 percent)
4. FTP encryption (54 percent)
5. Network link encryption (53 percent)

The financial services industry differs slightly, with email encryption at the gateway and payment processing among the five most frequently used encryption applications in this year's research:

1. Web servers (87 percent)
2. Payment processing (79 percent)
3. Network link encryption (70 percent)
4. Email encryption at the gateway (68 percent)
5. Tie: File encryption at the server (65 percent) and FTP encryption (65 percent)

The financial services industry does have a higher percentage of database and backup tape encryption deployed than the general survey population. 53 percent of financial services participants encrypt databases compared with 43 percent overall. 58 percent of financial services participants encrypt backup tapes compared with 41 percent overall. Since the financial services industry has been the focal point of more data protection regulations, this trend may point toward future overall growth in database and backup tape encryption as these regulations begin to impact more industries.

We must continue to caution organizations not encrypting databases and backup tapes that they are at risk for two reasons:

1. Recent research has shown that exposing as few as 10,000 customer records can cost over $1 million in damages [1] and that the average organization pays $6 million per breach [2].
2. Tapes and databases are transportable. Tapes are often sent outside the protected perimeter of the organization, making data vulnerable. This is also true for databases when database information is transferred, backed up to disk, or stored on tape. This means every time a backup of the database is made to tape and sent outside of the organization unencrypted, the likelihood of a data breach increases.

Obstacles to Encryption

In this year's research, we wanted to uncover more of the obstacles to encryption. Cost, availability, and key management concerns topped the list. In this section, we look at each factor separately.
[1] Gartner, "Pay for Mobile Data Encryption Upfront, or Pay More Later," November 5, 2008.
[2] Ponemon Institute, "Fourth Annual US Cost of Data Breach Study," January 2009.

Cost

Cost is still the primary issue for most organizations that want to encrypt more data where it is needed most. Table 3 shows respondents' answers to the question, "If there is data in your organization that should be encrypted but is not, what is the biggest obstacle preventing encryption?" Slightly more than half of respondents indicated the cost of either deploying or managing the solution as their biggest obstacle. Another 22 percent of participants cited data recovery costs or key management challenges as their most significant barrier.

Table 3: If there is data in your organization that should be encrypted but is not, what is the biggest obstacle preventing encryption?

| Response | All respondents |
|---|---|
| Cost of encryption solution | 26% |
| Cost of managing encryption solution | 25% |
| Other | 14% |
| Management doesn't see connection between encryption and protecting customers; thinks it's an unnecessary expense | 13% |
| Cost of data recovery and key management | 12% |
| Data recovery concerns resulting from unresolved key management challenges | 10% |

Data Availability

This year's research found that database and backup tape encryption are still less widely adopted than encryption for many other applications. One participant succinctly summarized the reasoning behind this reluctance: "Availability is more important than confidentiality." Others cited "ignorance," "underestimation of risks," "budget," and "neglect" as reasons why participants have not encrypted sensitive data.

Database encryption

When it comes to protecting sensitive data in databases, most think encrypting will create performance issues for business-critical applications. Even respondents from the financial services industry, with a higher rate of database encryption adoption, tend to agree. When applications process fewer transactions because of database encryption, organizations lose business. One participant told us that both performance and cost blocked their adoption of database encryption: "Poor database schema designs use sensitive data as database keys and thus drastically impacts performance. This fix is a schema redesign that most organizations are not willing to fund."


Table 4 shows participants' ideas about the main factors that have prevented organizations from deploying database encryption.

Table 4: In your opinion, what is the main reason so many organizations are waiting to encrypt sensitive data in the database?

| Response | All respondents | Financial services industry |
|---|---|---|
| Creates performance impacts that may allow fewer customer transactions | 21% | 25% |
| Don't see the benefit of encrypting the database when hackers attack the front end of the applications and can get access to data whether encrypted or not | 18% | 19% |
| Key management issues are too complex | 17% | 18% |
| Requires a disruption to the application environment which may cause lost business | 15% | 13% |
| Waiting to be natively embedded in the database solution | 13% | 14% |
| Requires migrating data that will cause a disruption to the business | 9% | 13% |
| Other | 7% | 6% |

The second most popular response came from participants who don't see the benefit of encrypting databases if they can still be attacked. Host-based attacks, SQL injection, and insider threats may not be thwarted by the use of data encryption. It's always important that a defense-in-depth approach to mitigating risks is used.

However, one of these layers should be encrypting databases. For example, if organizations back up their databases to tapes, they could be at serious risk if they ship those tapes unencrypted. Using database encryption before backing up the data can help protect sensitive information and prevent a data breach if a tape is lost or stolen.

Finally, 17 percent of participants said key management was too complex to apply encryption at the database. As we will see later in this section, many participants said they would have less than an hour to recover encrypted data from the database, creating data availability concerns. This makes effective key management that much more important.
Backup tape encryption

In regard to backup tape encryption, we asked survey respondents a similar question: "In your opinion, what is the main reason so many organizations are waiting to encrypt backup tapes?" As shown in Table 5, the most popular response was "key management issues too complex" at 24 percent. For example, one participant told us that organizations "Want to ensure access to backup tapes [...] if encrypted and key is lost or unavailable then the backup tape is worthless." Others told us it was the worry about data recoverability after long periods of storage that discouraged encryption.

Table 5: In your opinion, what is the main reason so many organizations are waiting to encrypt backup tapes?

| Choices | All respondents |
|---|---|
| Key management issues too complex | 24% |
| Most organizations will wait until after a data breach notification event | 19% |
| Waiting to be natively embedded in my backup tape solution | 17% |
| Decision to postpone encrypting tapes is made by the storage dept without involvement from the security dept | 11% |
| Encrypting tapes cost more than data breach so it's not cost effective to encrypt | 10% |
| Too difficult to make key accessible to the disaster recovery site | 10% |
| Other | 9% |

Coming in second place with 19 percent was the response that most organizations would wait until after a data breach event before they would be willing to tackle tape backup encryption. This was concerning because our assessment of the current regulatory environment concludes that organizations do not have the luxury of waiting to encrypt tapes as the likelihood of breaches and costs to the business are only increasing. In our opinion, organizations that ship tapes must encrypt tapes.

Key Management Trends

As we've seen with backup tapes and databases, key management concerns continue to plague organizations attempting to encrypt sensitive data. Once this data is encrypted, it must be recoverable at some point in the future, with little room for error. First and foremost, data must be available.

Concerns around data availability have made planning an organization's key management strategy no easy feat. A third of survey respondents (34 percent) have been planning their key management strategy for over a year (up from 26 percent in 2008). Table 6 below shows how much time organizations have spent planning for key management compared to the financial services industry. Unsurprisingly, more financial services participants (47 percent) have spent over a year planning their key management strategy.

Table 6: How much time has your organization spent preparing or planning for key management issues?

| Length of time | All respondents | Financial services |
|---|---|---|
| Over 1 year | 34% | 47% |
| 6-12 months | 15% | 19% |
| 1-5 months | 23% | 16% |
| 1 week | 9% | 6% |
| None | 19% | 12% |

Data availability concerns are often driven by the amount of time one has to recover encrypted data. The less time to recover data, the greater the availability concerns. Table 7 below shows acceptable recovery time frames for different applications.

Table 7: What is an acceptable amount of time to recover data?

| Data location | Less than 1 hour | Less than 1 day | 2 days-1 week | 1 month or more |
|---|---|---|---|---|
| Laptops | 22% | 50% | 26% | 1% |
| Mobile devices | 29% | 42% | 29% | 2% |
| File servers | 41% | 43% | 16% | 1% |
| Databases | 49% | 37% | 13% | 1% |
| Email | 30% | 42% | 27% | 1% |
| Backup tapes | 17% | 43% | 36% | 4% |
| Cloud computing | 31% | 33% | 27% | 9% |
| Storage fabric | 30% | 36% | 10% | 7% |
| Payment processing | 54% | 29% | 13% | 4% |
| Network link encryption | 54% | 30% | 12% | 4% |

For most applications, encrypted data needs to be recovered in less than a day, but for business-critical applications like databases, network link encryption, and payment processing applications, data often must be recovered in less than an hour.

With such high demands on data recoverability time frames, we wanted to know how encryption keys were being stored to see if there was a connection between key management and data availability requirements. Table 8 below shows the results from all survey participants and all applications.

Table 8: Where are encryption keys stored?

| Application | HSM | Database | Software or disk | USB device | Don't know |
|---|---|---|---|---|---|
| Web server SSL | 23% | 13% | 29% | 9% | 26% |
| File encryption - server | 32% | 14% | 21% | 5% | 29% |
| File encryption - desktop | 23% | 13% | 29% | 9% | 26% |
| FTP encryption | 14% | 11% | 26% | 4% | 46% |
| **Network link encryption** | 26% | 6% | 20% | 3% | 45% |
| Email client (e.g. S/MIME or OpenPGP) | 14% | 12% | 31% | 5% | 37% |
| Email gateway (e.g. TLS) | 13% | 12% | 30% | 4% | 42% |
| **Payment processing** | 36% | 7% | 13% | 3% | 41% |
| Full disk encryption | 24% | 12% | 30% | 5% | 30% |
| **Database encryption** | 24% | 21% | 15% | 2% | 37% |
| Mobile device encryption | 17% | 10% | 23% | 5% | 45% |
| **Tape backup encryption** | 26% | 9% | 15% | 2% | 49% |
| USB device encryption | 14% | 8% | 16% | 19% | 42% |
| Disk array | 17% | 6% | 12% | 2% | 63% |
| Storage fabric / Switch encryption | 19% | 5% | 9% | 2% | 64% |

As it was last year, the most popular response for most applications was "don't know", even for the applications that needed to be recovered in less than an hour. However, for respondents who knew where keys were stored, the majority of applications that needed to be recovered in an hour were most likely to be in a hardware security module (HSM). The four applications for which respondents preferred to have their keys stored in an HSM rather than software or disk were "Payment processing," "Network link encryption," "Database encryption," and "Tape backup encryption" (all highlighted in bold in the above table). Here we can see the importance of using HSMs to automate key management and overcome data availability concerns. Without HSMs or the use of automated key management tools, we believe data availability concerns will continue to stand in the way of data protection.

Conclusion

Cost isn't the only barrier to encryption adoption. The decision to encrypt requires organizations to weigh operational factors like availability and performance against the need for data protection. Here, organizations are unwilling to sacrifice operational efficiencies for data encryption. Many organizations are caught in a holding pattern while they try to determine how to best meet data recoverability requirements or find budget to meet performance and availability demands. Sadly, many will suffer a data breach before they can encrypt sensitive data. Nearly 20 percent of those surveyed believe it will take a data breach to get the approval to start encrypting backup tapes. Given the new regulatory climate, many organizations will need to ask themselves what will be worse: paying for automated encryption key management to overcome data availability fears, or losing customers in a breach when they expose sensitive credit card or patient data. Considering the higher costs and risks of a breach, we believe postponing these encryption decisions (particularly for backup tapes) is no longer a sustainable risk management strategy.


Section II: Regulations and Compliance Drivers

This year's research shows that the protection of healthcare and credit card data is driving future compliance spending. This section takes a look at regulations' impact on organizations surveyed by exploring:

- Encryption budget allocated for compliance
- How survey respondents expect regulations to change
- The connection between key management and compliance

Encryption Budget Allocated for Compliance

We provided participants with a list of 25 data protection regulations and asked which ones would require the allocation of new budget in the next 24 months. Table 9 below shows the responses, with PCI DSS leading the charge, followed by US HIPAA and the EU Data Privacy Directive.

Table 9: Regulations requiring allocation of new encryption budget over next 24 months

| Regulation | All respondents |
|---|---|
| PCI DSS | 54% |
| US HIPAA | 29% |
| EU Data Privacy Directive | 22% |
| US Gramm-Leach-Bliley | 18% |
| US Multiple State Data Breach Notification Laws | 16% |
| US California Data Breach Notification (CA SB 1386) | 15% |
| US Massachusetts Data Protection Act (MA 201 CMR 17) | 14% |
| UK Data Privacy Act | 13% |
| US Federal Trade Commission Red Flag Rules | 12% |
| Canada Personal Information Protection and Electronic Documents Act | 10% |
| US Nevada (Senate Bill No. 227) | 9% |
| Canada Privacy Breach Guideline | 9% |
| Germany S93 Act on Processing of Personal Data | 8% |
| UK Privacy Commissioner Breach Notification Guidelines | 7% |
| South Africa Protection of Personal Information Act | 7% |
| Italy Data Protection Code | 4% |
| Spain Personal Data Protection and Telecommunications Act | 4% |
| Japan Personal Information Act | 4% |
| Hong Kong Personal Data Privacy Ordinance | 4% |
| Australia Privacy Commissioner Breach Notification Guidelines | 3% |
| France Postal and Electronic Communications Code | 3% |
| Australia Commonwealth Privacy Act | 3% |
| South Korea Act on the Protection of Personal Information | 2% |
| New Zealand Privacy Commissioner Breach Notification Guidelines | 2% |
| New Zealand Privacy Breach Guidelines | 2% |

It was a surprise to see industry-driven regulations such as PCI DSS and HIPAA topping the list, given that the majority of survey respondents were not from financial services, healthcare, and retail. We believe this indicates that encryption budget allocations are driven less by the industry you are in than by the type of data you need to protect. As more industries store, manage, and process customer, patient, employee, and business partner information, they will be required to protect their data accordingly.

Comparing the Top Five Regulations in the US and EMEA

Figure 3 and Table 10 below track the top five regulations in the US and EMEA and compare them to the worldwide response. Here you can see that while PCI DSS received the highest response in EMEA, HIPAA received the highest response in the US.

Figure 2: Percentage of respondents citing new encryption spending driven by major regulations



Table 10: Percentage of respondents citing new encryption spending driven by major regulations

| Regulation | All respondents | US | EMEA |
|---|---|---|---|
| PCI DSS | 53% | 48% | 52% |
| US HIPAA | 27% | 53% | 8% |
| EU Data Privacy Directive | 21% | 13% | 43% |
| US Gramm-Leach-Bliley | 15% | 32% | 5% |
| US State Data Breach Notification Laws | 15% | 32% | 5% |
| US Massachusetts Data Protection Act | 12% | 26% | 3% |
| UK Data Privacy Act | 11% | 9% | 20% |
| Germany S93 Act on Processing Personal Data | 5% | 5% | 15% |
| UK Privacy Commissioner Breach Notification Guidelines | 5% | 9% | 9% |

How Survey Respondents Expect Regulations to Change

We wanted to know how participants expected regulations to change over time and if they thought regulations mandating the use of encryption were helpful or harmful to their data protection strategies. In Figure 4 and Table 11, we asked participants how they expect regulations to change in the next 24 months. Two-thirds (66 percent) indicated they believed there would be new industry regulations, and 55 percent said they expect new national laws. Only 11 percent believed there would be no new laws introduced.

Figure 4: How do you expect regulations to change in the next 24 months?


Table 11: How do you expect regulations to change in the next 24 months?

| Response | All respondents |
|---|---|
| There will be new industry regulations | 66% |
| There will be new national laws | 55% |
| There will be new local laws (state and regional) | 43% |
| There will be no new laws introduced | 11% |

We also wanted to know how participants viewed data breach regulations that required the use of encryption. We asked them if these regulations were seen as "Helpful to moving forward your organization's data protection efforts" or "Harmful and gets in the way of your organization's data protection efforts." The overwhelming majority of respondents (70 percent) found them helpful. Surprisingly, an even higher percentage (79 percent) of respondents from organizations that have experienced a data breach found them helpful, with only 2 percent finding them harmful.

Table 12 below compares the responses of participants whose organizations had experienced a data breach to those who had not.

Table 12: Data breach regulations that spell out the need for protecting data using encrypting data are

| Response | Breached organizations | Non-breached organizations |
|---|---|---|
| Helpful to moving forward your organization's data protection efforts | 79% | 70% |
| Undecided | 19% | 23% |
| Harmful and gets in the way of your organization's data protection efforts | 2% | 7% |

The New Connection Between Key Management and Compliance

Over the last two years of conducting this research, we've asked participants to rank the aspects of key management they've found the most challenging. The results of this year's study highlight an interesting new finding: Organizations that have spent the most time planning key management ranked their most challenging aspect differently from their peers. Those that have been using encryption and have spent the most time preparing for key management are now more focused on demonstrating compliance compared to organizations that are just beginning to adopt encryption.

Table 13 below compares these three groups and ranks their choices from most difficult to least difficult for:

- All responses 2008
- All responses 2009
- 2009 responses by those who had spent one year or more planning key management strategy

Table 13: Relative difficulty of different aspects of key management (1 = most difficult)

| Aspect of key management | 2008: All respondents | 2009: All respondents | 2009: 1+ year of key mgmt. planning | 2009 planning difference: 2009 (all) to 2009 (1+ year of planning) |
|---|---|---|---|---|
| Preparing for the unfortunate publicity and impact of data breach | 1 | 2 | 3 | -1 |
| Rotating keys, decrypting and re-encrypting data | 2 | 1 | 2 | -1 |
| Keeping track of keys (having the right key at the right time) | 3 | 3 | 7 | -4 |
| Meeting compliance requirements | 4 | 6 | 4 | +2 |
| Long-term key archival | 5 | 5 | 5 | 0 |
| Proving compliance requirements have been met | 6 | 4 | 1 | +3 |
| Making keys accessible to the disaster recovery site | 7 | 6 | 6 | 0 |
| Backing up and recovering keys | 8 | 7 | 8 | -1 |
| Revoking/terminating keys (so data can't be accessed) | 9 | 8 | 9 | -1 |

Respondents found the following among the more challenging aspects of key management:

- Rotating, decrypting and re-encrypting data
- Preparing for the unfortunate publicity and impact of data breaches

But there were differences when it came to what was the most challenging. "Proving compliance requirements have been met" was ranked the most difficult by the group that had been planning key management longer. By contrast, the participants in 2008 ranked "Meeting compliance requirements" more challenging than proving they had been met. We think this is a significant finding: As organizations become more mature in their encryption and key management strategies, they find proving compliance more difficult than the mechanics of key management.

There were also interesting differences regarding the difficulty of "Keeping track of keys (having the right key at the right time)." Those who had not been planning longer than a year ranked it third in difficulty, while those who had been planning the longest found it to be one of the least challenging aspects of key management. This suggests that effective key management can reduce the time and operations costs spent on key management tasks.

Conclusion
Participants in the survey are feeling the impact of data breach regulations in two critical areas: the types of data they will need to protect and their key management strategies. While the majority of participants worldwide are budgeting for PCI DSS, HIPAA is the most important encryption budget driver in the US. We believe this is a result of the HITECH rule introducing breach notification for sensitive healthcare data.

Second, those who have been planning their key management strategies the longest see a connection between key management and their compliance strategies. They now consider the most challenging aspect of key management to be proving that compliance requirements have been met. These organizations have more mature data protection models and are living in a compliance world where the most important aspect of data protection is their reporting capability. They are spending more time making sure their compliance efforts are demonstrable and less time deciding how and what to encrypt.

Organizations that are less experienced with key management are likely dealing with newer encryption deployments and operational issues. They haven't achieved the operational efficiencies enjoyed by organizations that have been planning their key management strategies the longest.


Section III: Cloud Computing
The security debate around cloud computing has arisen since our 2008 survey. This year, we were interested in understanding three things:

- Barriers to cloud computing adoption
- Role of encryption and data protection in an organization's decision to move to the cloud
- Expectations for key management with cloud computing

Figure 5 and Table 14 below show the response to the question, "What is the biggest barrier for your organization when adopting cloud computing?" 52 percent of survey participants cited data security concerns as the biggest barrier, while 18 percent said there are no barriers.

Table 14: What is the biggest barrier for your organization when adopting cloud computing?

| Response | All respondents |
|---|---|
| Data security concerns | 52% |
| There are no barriers | 18% |
| Other | 14% |
| Compliance | 8% |
| Key management concerns | 8% |

Figure 3: Biggest barrier to cloud computing


Organizations are reluctant to move to the cloud, with or without data security in place. When asked, "Would your organization move to the cloud without data encryption?", 47 percent said they would wait for encryption, but almost as many (43 percent) said they were not planning on moving to the cloud at all.

Table 15 and Figure 6 show the findings for all participants.

Table 15: Would your organization move to the cloud without data encryption?

| Response | All respondents |
|---|---|
| No, we would wait until data is encrypted | 47% |
| No, we are not planning on moving to the cloud | 43% |
| Yes, encryption is not a barrier for us to adopt cloud computing | 7% |
| Yes, we have already moved unencrypted data to the cloud | 5% |

Figure 4: Would your organization move to the cloud without data encryption?

Finally, we wanted to know if encryption key management based in the cloud would be acceptable to survey participants, or if they would prefer to manage the encryption keys themselves. An overwhelming 58.8 percent said they would want to manage their own keys compared to 15.1 percent who wouldn't mind if their service provider handled key management on their behalf.

Table 16 and Figure 7 show these findings.

Table 16: Is encryption key management based in the cloud acceptable?

| Response | All Respondents |
|---|---|
| No, I would want to manage our encryption keys | 59% |
| Yes, I trust my solution provider to manage encryption keys and recover my data in a time that is acceptable to our business | 15% |
| Don't know | 26% |

Figure 5: Is encryption key management based in the cloud acceptable? (No 59%, Yes 15%, Don't know 26%)

Conclusion
Our research shows survey respondents are very skeptical about cloud computing. While there isn't enough data here to predict any substantial trends for cloud computing, one thing is clear: Organizations should be sure to analyze whether or not a move to the cloud makes sense with a risk management framework that incorporates data protection and compliance requirements. If your organization is adopting cloud computing, then data protection, data availability, and key management expectations should be well defined in service level agreements. Organizations should also outline when they expect to be notified if breaches occur. From customers' perspective, a breach at a cloud service provider will be interpreted no differently than if you caused the breach, so be sure you and your customers are protected before using cloud services.

On the other hand, if you are a cloud computing service provider, your handling of the data protection and compliance issues covered in this report could be translated into competitive advantages in selling your services.


Section IV: Importance of Key Management in New Data Protection Imperative
With new data protection regulations specifying encryption for safe harbor or even mandating its use, we believe it's become much riskier out there for organizations that are waiting to encrypt critical information like healthcare and credit card data in unprotected backup tapes and databases. With less than half of participants encrypting backup tapes and nearly 20 percent of respondents saying it would take the pain of a data breach to get their organization to encrypt, we believe too many organizations are needlessly at risk.

At the heart of the new data protection imperative lies a critical risk management decision. Organizations can either: 1) Wait to encrypt sensitive data and live with a much higher risk of data breach than ever before, or 2) Encrypt data but risk business continuity issues such as data availability without effective key management. The chart below summarizes this risk management decision, taking into account a few of the factors we find most important:

- Concern: Likelihood of a data breach versus likelihood of losing a key once data is encrypted
- Type of notification: What happens if your concern comes true and you have to tell others
- Who is notified: Exactly who is on the distribution list and alerted when things go wrong
- Costs to business [3]: Immediate and longer-term consequences
- How to avoid: Action the organization must take to avoid the problem

[3] Please contact Trust Catalyst for the Trust Catalyst Data Breach Prep Kit, a cost worksheet that can help you determine costs of data breach events for your organization.

Operational efficiencies like availability and performance cause organizations to postpone implementation of their data protection strategies for fear that encryption will slow the business down (e.g., databases) or that lost encryption keys will cause lost business when data is not available (e.g., backup tapes). But we believe organizations no longer have the luxury of postponing encryption of critical data because of key management concerns. As the chart above shows, there are more costs and negative impacts to the business associated with data breaches that involve public disclosure, and most could be avoided by encrypting data.

In just the last year, we've learned a lot more about the costs of loss of customer trust after a breach. A recent survey of data breach victims [4] showed the significant impact of a breach on the business:

- 55 percent trusted the organization less, which greatly impacted future business.
- 30 percent vowed never to purchase goods from the organization again.
- 29 percent terminated future relationships with the organization.
- 69 percent of the costs of data breach came from lost business.

Our research shows that respondents were more likely to have experienced a data breach than to have lost an encryption key, as Table 17 shows.

Table 17: Incident rate for lost keys and data breaches among respondents

| Event | Incident rate % |
|---|---|
| Lost key | 8% |
| Data breach (in the last 24 months) | 12% |

As Table 18 below shows, for those organizations that have lost encryption keys, the event created security concerns (50 percent), resulted in permanent data loss (39 percent), and caused business disruptions (39 percent) and lost business (19 percent). While we don't want to diminish the business impacts of bad key management, we believe they can no longer serve as an excuse for postponing encryption, particularly of healthcare and credit card data.

Table 18: What was the impact of losing encryption keys to your business?

| Response | Respondents who have lost key |
|---|---|
| Created a security concern | 50% |
| Lost data that was never recovered | 39% |
| Created a business disruption | 39% |
| Lost data but we were able to recover it | 31% |
| Caused lost business | 19% |
| Other | 4% |

[4] Javelin Strategy and Research, Consumer Survey on Data Breach Notification, 2008.


Conclusion
We are concerned for two reasons. First, without automated key management, the encryption necessary to protect sensitive data where it is most at risk will not happen. We believe the lack of a key management strategy is no longer an acceptable reason for postponing the protection of critical data like healthcare, patient, and credit card data. The only way organizations will be able to comply with regulations and safely protect patient and consumer data will be to automate encryption key management. Technologies like HSMs (hardware security modules) have long been available to help organizations automate key management and avoid data availability issues. However, many organizations see these technologies as too costly to implement. Taking into consideration the value organizations place on availability, the operational efficiencies good key management brings, and the ability to encrypt more, we believe these technologies are well worth the cost.

Second, the costs of breach notifications are worse than we originally thought. Postponing your decision to encrypt will cost a lot more than many organizations initially estimated in their assessment of their risks. Only with automated management of keys will availability and continuity issues stop obstructing encryption projects. We believe automating key management is no longer an option, especially when it comes to protecting credit card and patient data.


Appendix A: Research Methodology
In August 2009, Trust Catalyst conducted an online survey to examine the current and planned use of encryption and key management strategies within today's global enterprise. Prospective survey respondents were selected from a database of global information security professionals collected by Thales, a leader in the provision of information and communication systems security solutions whose customers include some of the most security-conscious organizations in the world. Over 30,000 emails were sent to information security professionals who were asked to complete the online survey. As an incentive to complete the survey, we offered the results of the survey contained within this research report. We received 655 complete and partial responses.

Respondents were given the following instructions before starting the survey:

"The purpose of the survey is to gather much needed information about global market requirements in encryption and key management trends at a level of depth and experience missing in other surveys completed to date. Like last year, the 2009 research report will be an invaluable benchmark showing how hundreds of other organizations compare to yours in the use of encryption and responding to key management challenges.

Your participation is completely confidential and all responses will be compiled at an aggregate level so your participation is completely anonymous."

Following are the demographics and organizational characteristics of the 655 respondents. Table 19 shows participants' functional responsibilities. Table 20 provides their self-reported organizational roles.

Table 19: Functional responsibilities of respondents

| Functional responsibility | Percent of respondents |
|---|---|
| Compliance | 5% |
| Database administration | 1% |
| Information security | 30% |
| Network security | 6% |
| Operations | 6% |
| PKI deployment | 8% |
| Product/application development | 14% |
| Risk management | 4% |
| Storage administration/design | 0.6% |
| System administration/design | 5% |
| Website administration | 0.3% |
| Other | 21% |

Figure 8: Functional responsibilities of respondents

Table 20: Organizational roles of respondents

| Organizational role | Percent of respondents |
|---|---|
| Administrator | 6% |
| Architect | 15% |
| Staff | 8% |
| Manager | 24% |
| Director | 8% |
| Vice president | 3% |
| Chief information officer | 2% |
| Chief security officer | 1% |
| Chief information security officer | 2% |
| Chief compliance officer | 1% |
| CEO | 3% |
| Other | 27% |

Figure 9: Organizational roles of respondents

Table 21 shows the percentage distribution of survey respondents by industry classification. The two biggest industry segments were technology and software (28.5 percent) and financial services (25.7 percent).

Table 21: Industry classification of respondents

| Industry | Percent of respondents |
|---|---|
| Automotive | 0.3% |
| Defense | 3% |
| Education | 3% |
| Energy | 1% |
| Financial Services | 26% |
| Food services | 0.3% |
| Government | 8% |
| Healthcare | 4% |
| Hospitality | 0% |
| Internet and ISP | 1% |
| Local Government | 1% |
| Manufacturing | 3% |
| Media | 0.5% |
| Pharmaceuticals | 0.2% |
| Professional Services | 6% |
| Research | 0.8% |
| Retail | 2% |
| Technology and Software | 29% |
| Telco, Wireless and Cable | 3% |
| Transportation | 0.9% |
| Other | 8% |

Figure 10 and Table 22 show the geographical breakdown of survey respondents, with the majority of respondents coming from either EMEA (Europe, the Middle East, and Africa) or the United States.

Figure 10: Location of respondents

Table 22: Location of respondents

| Location | Percent of respondents |
|---|---|
| Asia Pacific | 5% |
| Canada | 6% |
| EMEA | 45% |
| Latin America | 5% |
| United States | 40% |

Finally, respondents' company size is depicted in the figure below, with 48 percent having fewer than 1,000 employees, 30 percent having 1,001-25,000 employees and 22 percent having more than 25,000 employees.

Figure 11: Number of employees in respondent organization (1,000 or less: 48%; 1,001-25,000: 30%; 25,001 or more: 22%)


About Thales
Thales is one of the world leaders in the provision of information and communication systems security solutions for government, defense, critical infrastructure operators, enterprises, and the finance industry. Thales's unique position in the market is due to its end-to-end security offering spanning the entire value chain in the security domain. The comprehensive offering includes architecture design, security and encryption product development, evaluation and certification preparation, and through-life management services.

Thales has forty years of unrivalled track record in protecting information ranging from "Sensitive But Unclassified" up to "Top Secret," as well as a comprehensive portfolio of security products and services, which includes network security products, application security products, and secured telephony products.

About Trust Catalyst
Trust Catalyst helps global organizations make critical decisions about how to protect their most valuable resource: their customers' trust. We understand that the adoption of a successful data protection or security program is about selling a strategy to a larger audience. We speak the language business executives understand and quantify the need for security by helping establish the costs of lost customer trust, including disruption of business. As cyber criminals increasingly target organizations with sensitive customer data, we help businesses understand the threats, the costs of those threats, and how to maintain trusted relationships with customers. You can learn more and download our research at www.trustcatalyst.com.
