Cut through the hype of enterprise data encryption

Encryption is experiencing growing interest and scrutiny. It is increasingly positioned as a technology that addresses the triple threat driving the security landscape:

  1. Supporting regulatory compliance
  2. Counteracting the continually evolving threat landscape
  3. Limiting enterprise exposure to the risk posed by digital transformation

Ideally, enterprise data encryption would be a hygiene behavior, perceived as a fundamental activity. However, the uptake of encryption has not matched the expectations of many vendors and commentators. Encryption is a well-established technology, a $1.5 billion market according to IDC’s research, so why is it not broadly adopted by everyone?

Encryption – A technology issue?

This gap between the perception and adoption of encryption arises from a security/usability imbalance. While encryption makes it tougher for threat actors to compromise enterprise data, it can also obstruct genuine user access. For example, encrypted data may not be usable within data analytics tools. This makes encryption adoption a question of risk appetite. What does the board fear most: a loss of IP through compromise of non-encrypted data, or a loss of market share due to a lack of digital transformation? The difficulty of resolving this imbalance often drives the latter response. So, what can be done?

From a technological perspective, an important step is recognizing that encryption is not a total solution for enterprise data privacy and security. It is important, but must be accompanied by, for example, key management solutions (or services). Pervasive encryption is an example of how technology vendors can help enterprises address the problem. This is built into IBM Z, IBM’s mainframe systems, at the operating system level. With encryption built into data at rest on the mainframe, enterprise leaders need not worry about which data to encrypt at the application level. For more detail, check out these recent test results on the impact of Pervasive Encryption on IBM Z performance at one of IBM’s banking clients.

However, not all enterprises are at this level of technology maturity. In these cases, there are organizational obstacles to address first.

Encryption – A human issue?

In a recent encryption Crowd Chat co-hosted by IBM and IDC, many participants reported that their pain points related more to people and process than to technology. In fact, there were three focus areas: culture, leadership and process.

In IDC’s opinion, culture is the most nebulous issue, but the most critical in building consensus around encryption deployment. It relates not just to a culture of data encryption, but to one that strives for security excellence. Only then will there be a breeding ground for concepts like pervasive encryption beyond niche data silos.

On leadership, Crowd Chat attendees wondered “Who is the right person to champion encryption?” However, for IDC the question should be framed differently: “Who in my enterprise has sufficient understanding and influence to drive a consistent approach to encryption?” This cannot be pre-determined with set job roles, and must account for organization specifics.

Regarding process, attendees wondered “What data should we encrypt?” Given the security/usability imbalance, pervasive encryption is a continuous journey, not a destination. Enterprises ought to start small, focusing on the most sensitive data. From here, encryption can be expanded, driven by the “champion”. Considerations should include the nature or classification of data, government requirements, regulatory compliance and responsibilities towards the stakeholders whose data is held.

Call to action

Encryption cannot be promoted as a panacea for data privacy and security. But more can be done to support broader adoption across the enterprise. Business decisions are taken based on risk, highlighting the usability/security imbalance, but decision-makers must hold all the facts. For example, with the EU’s General Data Protection Regulation approaching, can enterprises afford not to encrypt personal data?

IDC proposes five enabling factors for encryption:

  1. Handle encryption within a broader product environment, not a standalone solution.
  2. Identify the right encryption champion for your enterprise.
  3. The encryption champion must work in step with a broader security culture evolution.
  4. Start small with encryption – don’t bite off more than you can chew.
  5. Build a process to identify what data to encrypt, based not just on compliance but also on brand values and responsibilities to stakeholders.

From time to time, we invite industry thought leaders to share their opinions and insights on current technology trends to the IBM Systems IT Infrastructure blog. The opinions in these blogs are their own, and do not necessarily reflect the views of IBM.

Research Manager, IDC European security research team
