Companies Encrypting Data, But Not Everywhere, Venafi Survey Finds

An overwhelming majority of organizations, 90%, use encryption for data security and systems authentication, according to a survey of security practices conducted on behalf of enterprise key and certificatemanagement firm Venafi. Moreover, the survey showed strong overall security programs in the majority of organizations.

In terms of overall security practice, well over half the organizations surveyed have formal management policies and procedures in place in all eight areas designated by the survey: change, patch, vulnerability, encryption key, IP address, server traffic, network and configuration management.

About half the respondents encrypt data for three potentially sensitive data types (customer, employee and transactional), and just over a third encrypt intellectual property data.

However, only a fifth of the companies encrypt data across all four information categories, according to the survey of 420 senior-level security managers in enterprises and government agencies, mostly in the United States, conducted by information security research firm Echelon One.

A quarter of the organizations said they only encrypt data required by regulation, such as Payment Card Industry (PCI), which covers credit card data. Two of five respondents said they encrypt data on mobile devices, reflecting regulatory requirements and rising security concerns over mobility.

More than a third of the respondents encrypt information in public and private clouds, while about a quarter don’t. But 40% said they did not know if they are encrypting data in the cloud, perhaps indicating the use of cloud services outside IT knowledge or control.

"There is giant hole in knowledge and practice around how to encrypt in cloud," says Venafi CEO Jeff Hudson. "Speaking with customers and prospects, the majority don’t understand how to encrypt and manage keys in the cloud."

Best practices regarding key management, generally regarded as the most problematic aspect of encryption, were a mixed bag. More than 70% of the organizations have key management policies and processes in place. Seven of 10 ensure separation of duties for administrative access to encryption keys, while only 15% who knew say they do not.

But only about a fifth of the respondents say they rotate Secure Shell (SSH) keys annually, while a quarter rotate them every two to five years. One in 10 organizations never rotate SSH keys. This indicates a real gap in privilege management.

"SSH keys are not being cycled, they’re not being tracked," says Hudson. "SSH is used to manage routers, servers, often in very sensitive environments, yet weak keys are used for outward-facing networks, and are often embedded in systems and can’t be changed withoutdisrupting production. Admins come and go with the same keys, which can be sitting on thumb drives anywhere, with anyone," he says.

"This keeps popping up; it’s sort of a dirty little secret," Hudson says.

See more on this topic by subscribing to Network Computing Pro Reports Database Defenses (subscription required).