Encryption Key To Evolving Data-Centric Security Model

With data access no longer restricted to the four walls of the enterprise (or branch) and 9-to-5 business hours, enterprises that have traditionally relied on a perimeter-based approach to security are now seeing the benefits of a data-centric approach. Data encryption is paving the way for the transition to data-centric security methods, according to a survey of 506 IT professionals.

InformationWeek's "Data Encryption: Ushering In a New Era" report found that the trend of implementing data-centric security is growing as businesses increase their use of mobile devices and cloud computing services and architecture. Perimeter-based security's focus on encrypting the transport of data from the perimeter to its destination relies on technologies like IPSEC and SSL VPN, but it leaves data within the enterprise unencrypted, said Michael Davis, CEO of Savid Technologies and author of the report. It also relies on full-disk encryption for mobile devices, such as laptops, that leave the four walls of the enterprise. A data-centric model, however, takes the focus away from data transportation and the device, resting it firmly on the shoulders of the data itself.

"Furthermore, the determination of what is encrypted or not is based on the data itself," Davis said. "Depending on the classification schemes of the organization, it could mean credit card data, PII (personally identifiable information) or PHI (protected health information). Using this approach reduces the risk of having to manage and detect when data leaves the organization because you can be assured it is encrypted no matter where it is."

According to the survey, 36% of respondents indicated a belief they were ahead of the encryption curve, but only 47% have made mobile device encryption a priority. Most respondents (94%, down one point from the 2009 survey), said they have either already implemented IPSEC or SSL VPN technologies, or plan to do so in the next 12 to 24 months. Additionally, 81% indicated the same about email or communication systems encryption, 79% about mobile device encryption, 77% about backup media encryption, 77% about file system encryption, and 76% about file system encryption. In fact, all but IPSEC and SSL VPN increased in implementation or planned implementation from the 2009 survey.

Davis said most enterprises are engaging in a little bit of every type of data encryption.

In the shift from perimeter-focused to data-centric security, encryption is a cornerstone in any security. "The issue is less to do with what technologies they are using but how they are using them. Most organizations have not fully deployed a specific encryption technology enterprise wide. Rather, most base it on whether you are using data inside or outside the perimeter."

Although the perimeter-based security model comes with flaws with regard to data housed within the enterprise having no protection should someone with malicious intentions access it within the four walls of the enterprise, the data-centric security model has no competitive downside. The report concluded that there is no risk attached to security-sensitive data and embracing a data-centric security model.

Encryption has become a standard feature in many IT systems, including relational database management systems, so there is no reason not to lock down sensitive data, Davis said. Unfortunately, legacy systems provide a challenge because many legacy security systems are incapable of supporting encryption. Although a data-centric security model would benefit all enterprises, the shift from a perimeter-based security model doesn't come with an easily demonstrable ROI, meaning it's an uphill battle for IT departments to convince top decision-makers to invest in the technology. The survey found that cost is becoming less of an inhibitor to data-centric security technology adoption, though.

Last year another survey reported that 90% of organizations use encryption for data security and systems authentication, with about half encrypting data for three potentially sensitive data types (customer, employee and transactional), and just over a third for intellectual property data. A quarter of the organizations said they encrypt only data required by regulation, such as Payment Card Industry (PCI), while 40% said they encrypt data on mobile devices, reflecting regulatory requirements and rising security concerns over mobility.

Learn more about Research: Data Encryption by subscribing to Network Computing Pro Reports (free, registration required).