PONEMON INSTITUTE© RESEARCH REPORT

GLOBAL ENCRYPTION TRENDS STUDY

April 2018


TABLE OF CONTENTS

PART 1. EXECUTIVE SUMMARY

PART 2. KEY FINDINGS

Strategy and adoption of encryption

Trends in encryption adoption

Threats, main drivers and priorities

Deployment choices

Encryption features considered most important

Attitudes about key management

Importance of hardware security modules (HSMs)

Budget allocations

Cloud encryption

APPENDIX 1. METHODS & LIMITATIONS

APPENDIX 2. CONSOLIDATED FINDINGS

Sponsored by nCipher Security

INDEPENDENTLY CONDUCTED BY PONEMON INSTITUTE LLC

OUR SPONSORS GEOBRIDGE


PART 1. EXECUTIVE SUMMARY

Ponemon Institute is pleased to present the findings of the 2018 Global Encryption Trends Study,[1] sponsored by nCipher Security. We surveyed 5,252 individuals across multiple industry sectors in 12 countries: Arabia (which is a combination of respondents located in Saudi Arabia and the United Arab Emirates),[2] Australia, Brazil, France, Germany, India, Japan, Mexico, the Russian Federation, the United Kingdom, the United States and, for the first time, South Korea (hereafter referred to as Korea).

The purpose of this research is to examine how the use of encryption has evolved over the past 13 years and the impact of this technology on the security posture of organizations. The first encryption trends study was conducted in 2005 for a US sample of respondents.[3] Since then we have expanded the scope of the research to include respondents in all regions of the world.

As shown in Figure 1, more organizations represented in this research continue to recognize the importance of having an encryption strategy, either an enterprise-wide (43 percent of respondents) strategy or a limited plan that targets certain applications and data types (44 percent of respondents).

Presented below are the 2018 findings.

Strategy and adoption of encryption

Enterprise-wide encryption strategies increase. Since conducting this study 13 years ago, there has been a steady increase in organizations with an encryption strategy applied consistently across the entire enterprise. In turn, there has been a steady decline in organizations not having an encryption plan or strategy. The results have essentially reversed over the years of the study.

Certain countries have more mature encryption strategies. The highest prevalence of an enterprise encryption strategy is reported in Germany followed by the US and Japan. Respondents in Mexico, Russian Federation, Arabia, Brazil and Australia report the lowest adoption of an enterprise encryption strategy.

IT operations function is the most influential in framing an organization’s encryption strategy. However, in some countries lines of business are more influential. These are the United States, Australia and Mexico. IT security and IT operations have a similar level of influence in the United States, Australia and Mexico.

[1] This year’s data collection was completed in January 2018. Throughout the report we present trend data based on the fiscal year (FY) the survey commenced rather than the year the report is finalized. Hence, our most current findings are presented as FY17. The same dating convention is used in prior years.

[2] Country-level results are abbreviated as follows: Arabian cluster (AB), Australia (AU), Brazil (BZ), France (FR), Germany (DE), India (IN), Japan (JP), Korea (KO), Mexico (MX), Russia (RF), United Kingdom (UK), and United States (US).

[3] The trend analysis shown in this study was performed on combined country samples spanning 13 years (since 2005).

Figure 1. Does your company have an encryption strategy? (Bar chart for FY15, FY16 and FY17 with three response categories: an overall encryption plan or strategy that is applied consistently across the entire enterprise; a limited encryption plan or strategy that is applied to certain applications and data types; no encryption plan or strategy.)


The use of encryption increases in all industries. We looked at the extensive usage of encryption solutions for 10 industry sectors over seven years. Results suggest a steady increase in all industry sectors. The most significant increases in extensive encryption usage occur in healthcare & pharmaceutical, retail and financial services.

Threats, main drivers and priorities

Employee mistakes are the most significant threat to sensitive data. In contrast, the least significant threats to the exposure of sensitive or confidential data include government eavesdropping and lawful data requests. Concerns over inadvertent exposure (employee mistakes and system malfunction) significantly outweigh concerns over actual attacks by temporary workers and malicious insiders. It is interesting to note that the employee mistake threat is almost equal to the combined threat by both hackers and insiders.

The main driver for encryption is protection of information against identified threats. Organizations are using encryption to protect information against specific, identified threats (54 percent of respondents). The most critical information is the enterprise’s intellectual property and the personal information of customers (52 percent and 50 percent of respondents, respectively). Compliance with regulations remains a significant driver for encryption, according to 49 percent of respondents.

A barrier to a successful encryption strategy is the ability to discover where sensitive data resides in the organization. Sixty-seven percent of respondents say discovering where sensitive data resides in the organization is the number one challenge. This challenge has come into focus as compliance activities driven by GDPR and other privacy regulations have increased. In addition, 44 percent of all respondents cite initially deploying encryption technology as a significant challenge. Thirty-four percent cite classifying which data to encrypt as difficult.

Deployment choices

No single encryption technology dominates in organizations. Organizations have very diverse needs. Internet communications, databases and laptop hard drives are the most likely to be encrypted and correspond to mature use cases. For the first time, the study tracked the deployment of encryption on IoT devices and platforms. Forty-nine percent of respondents say IoT encryption has been at least partially deployed on both IoT devices and IoT platforms.

Encryption features considered most important

Certain encryption features are considered more critical than others. According to consolidated findings, system performance and latency, enforcement of policy and support for both cloud and on-premise deployment are the three most important features. Support for both cloud and on-premise deployment has risen in importance as organizations have increasingly embraced cloud computing and look for consistency across computing styles.

Which data types are most often encrypted? Payment related data and human resource data are most likely to be encrypted – which emphasizes the fact that encryption has now moved into the realm where it needs to be addressed by companies of all types. The least likely data type to be encrypted is health-related information, which is a surprising result given the sensitivity of health information and recent high profile healthcare data breaches. Healthcare information did, however, have the largest increase on this list over last year.

Attitudes about key management

How painful is key management? Fifty-seven percent of respondents rate key management as very painful. The average percentage in all country samples is 57 percent, which suggests respondents view managing keys as a very challenging activity. The highest percentage pain threshold of 65 percent occurs in India. At 33 percent, the lowest pain level occurs in Russia.

Companies continue to use a variety of key management systems. Although the use of manual key management processes continues to decrease, manual processes continue to be the most common form of key management systems. The next most commonly deployed systems are formal key management policy and formal key management infrastructure (KMI).

43% of organizations now have a consistent, enterprise-wide encryption strategy


Importance of hardware security modules (HSMs)

Germany, US and Japan organizations are more likely to deploy HSMs. Germany, US and Japan are more likely to deploy HSMs for their organization’s key management activities than other countries. The overall average deployment rate for HSMs is 41 percent.

How HSMs in conjunction with public cloud-based applications are primarily deployed today and in the next 12 months. Forty-seven percent of respondents own and operate HSMs on-premise for cloud-based applications, and 36 percent of respondents rent/use HSMs from a public cloud provider for the same purpose. In the next 12 months, both figures will increase, by 6 and 5 percent respectively. Interestingly, the use of HSMs with Cloud Access Security Brokers is expected to double in the next 12 months.

The overall average importance rating for HSMs, as part of an encryption and key management strategy, in the current year is 57 percent. The pattern of responses suggests Germany, India, US and Japan are most likely to assign importance to HSMs as part of their organization’s encryption or key management activities.

What best describes an organization’s use of HSMs? Sixty-one percent of respondents say their organization has a centralized team that provides cryptography as a service (including HSMs) to multiple applications/teams within their organization (i.e., private cloud model). Thirty-nine percent say each individual application owner/team is responsible for their own cryptographic services (including HSMs), indicative of the more traditional siloed application-specific data center deployment approach. More respondents indicate the centralized approach in this year’s study as compared to last year’s.

What are the primary purposes or uses for HSMs? The two top uses are SSL/TLS and application-level encryption, followed by database encryption. The most significant increases predicted for the next 12 months, according to respondents, are SSL/TLS, database encryption and payment transaction processing. It is significant to note that HSM use for SSL/TLS will soon be deployed in 50 percent of the organizations represented in this study.

Budget allocations

The proportion of IT spending dedicated to security activities, including encryption, is increasing over time. According to the findings, 10.6 percent of the IT budget goes to IT security activities and 12.3 percent of the IT security budget goes to encryption activities.

Cloud encryption

Sixty-one percent of respondents say their organizations transfer sensitive or confidential data to the cloud whether or not it is encrypted or made unreadable via some other mechanism such as tokenization or data masking. Another 21 percent of respondents expect to do so in the next one to two years. These findings indicate the benefits of cloud computing outweigh the risks associated with transferring sensitive or confidential data to the cloud.

How do organizations protect data at rest in the cloud? Forty-seven percent of respondents say encryption is performed on-premise prior to sending data to the cloud using keys their organization generates and manages. However, 38 percent of respondents perform encryption in the cloud, with cloud provider generated/managed keys. Twenty-one percent of respondents are using some form of Bring Your Own Key (BYOK) approach.

What are the top three cloud encryption features? When asked specifically about features associated with cloud encryption, respondents list (1) support for the KMIP standard for key management (66 percent of respondents), (2) SIEM integration and visualization and analysis of logs (62 percent of respondents) and (3) granular access controls (60 percent of respondents). This indicates a growing recognition of the importance of standards-based cloud key management and specifically support for KMIP.

61% of respondents are using more than one public cloud provider


PART 2. KEY FINDINGS

In this section, we provide a deeper analysis of the key findings. The complete audited findings are presented in the Appendix of the report. We have organized the report according to the following themes.

• Strategy and adoption of encryption

• Trends in adoption of encryption

• Threats, main drivers and priorities

• Deployment choices

• Encryption features considered most important

• Attitudes about key management

• Importance of hardware security modules (HSMs) [4]

• Budget allocations

Strategy and adoption of encryption

Enterprise-wide encryption strategies increase. Since first conducting this study 13 years ago, there has been a steady increase in organizations with an encryption strategy applied consistently across the entire enterprise. In turn, there has been a steady decline in organizations not having an encryption plan or strategy. The results have essentially reversed over the years of the study. Figure 2 shows these changes over time.

[4] HSMs are devices specifically built to create a tamper-resistant environment in which to perform cryptographic processes (e.g., encryption or digital signing) and to manage the keys associated with those processes. These devices are used to protect critical data processing activities and can be used to strongly enforce security policies and access controls. HSMs are typically validated to formal security standards such as FIPS 140-2.

Figure 2. Trends in encryption strategy. Country samples are consolidated. (Line chart, FY05 to FY17, with two series: "Company has an encryption strategy applied consistently across the entire enterprise" and "Company does not have an encryption strategy".)


Certain countries have more mature encryption strategies. According to Figure 3, the prevalence of an enterprise encryption strategy varies among the countries represented in this research. The highest prevalence of an enterprise encryption strategy is reported in Germany followed by the United States, the United Kingdom and Japan. Respondents in Mexico, Russian Federation, Arabia, Brazil and Australia report the lowest adoption of an enterprise encryption strategy.

Figure 4 shows that the IT operations function is the most influential in framing an organization’s encryption strategy over the past 13 years. However, in some countries lines of business are more influential. These are the United States, Australia and Mexico. IT security and IT operations have a similar level of influence in the United States, Australia and Mexico.

A possible reason why the lines of business are more influential than IT security is because of the growing adoption of Internet of Things (IoT) devices in the workplace, proliferation of employee-owned devices or BYOD and the general consumerization of IT. A consequence is that lines of business are required to be more accountable for the security of these technologies.

Figure 3. Differences in enterprise encryption strategies by country. (Bar chart of the response "We have an overall encryption plan or strategy that is applied consistently across the entire enterprise" for US, UK, DE, FR, AU, JP, BZ, RF, IN, MX, AB and KO, with the average.)

Figure 4. Influence of IT operations, lines of business and security. Country samples are consolidated. (Chart with three series, IT operations, lines of business and security, for US, UK, DE, FR, AU, JP, BZ, RF, IN, MX, AB and KO.)


Trends in encryption adoption

The extensive use of encryption technologies increases. Since we began tracking the enterprise-wide use of encryption in 2005, there has been a steady increase in the encryption solutions extensively used by organizations.[5]

Figure 5 summarizes enterprise-wide usage consolidated for various encryption technologies over 13 years. This continuous growth in enterprise deployment suggests encryption is important to an organization’s security posture. Figure 6 also shows the percentage of the overall IT security budget dedicated to encryption-related activities.

The pattern for deployment and budget shows a positive correlation through FY13 and an inverse relationship through FY17. We postulate three reasons for this downward trend: (1) price pressure resulting from increased competition among vendors, (2) shifting priorities to other IT security solution areas and (3) more efficient use of presently available encryption tools.

The use of encryption increases in all industries. Figure 6 shows the current year and the six-year average in the use of encryption solutions for 10 industry sectors. Results suggest a steady increase in all industry sectors. The most significant increases in extensive encryption usage occur in healthcare & pharmaceutical, retail and financial services.

Figure 5. Trend on the extensive use of encryption technologies. Country samples are consolidated. (Line chart, FY05 to FY17, with two series: "Extensive deployment of encryption" and "IT security budget earmarked for encryption".)

[5] The combined sample used to analyze trends is explained in Appendix 1.

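Figure 6. The extensive use of encryption by industry: current year versus 6-year average. Country samples are consolidated. Average of 13 encryption categories.

Financial services: 50% (6-year consolidation), 60% (FY17)

Healthcare & pharma: 42% (6-year consolidation), 55% (FY17)

Services: 44% (6-year consolidation), 50% (FY17)

Tech & software: 42% (6-year consolidation), 49% (FY17)

Retail: 31% (6-year consolidation), 42% (FY17)

Transportation: 39% (6-year consolidation), 41% (FY17)

Public sector: 30% (6-year consolidation), 39% (FY17)

Hospitality: 29% (6-year consolidation), 35% (FY17)

Manufacturing: 24% (6-year consolidation), 33% (FY17)

Consumer products: 26% (6-year consolidation), 27% (FY17)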


Threats, main drivers and priorities

Employee mistakes are the most significant threats to sensitive data. Figure 7 shows that the most significant threats to the exposure of sensitive or confidential data are employee mistakes.

In contrast, the least significant threats to the exposure of sensitive or confidential data include government eavesdropping and lawful data requests. Concerns over inadvertent exposure (employee mistakes and system malfunction) significantly outweigh concerns over actual attacks by temporary or contract workers and malicious insiders. It is interesting to note that the employee mistake threat is almost equal to the combined threat by both hackers and insiders.

Figure 7. The most salient threats to sensitive or confidential data. Consolidated country samples. More than one choice permitted.

Employee mistakes: 47%

System or process malfunction: 31%

Hackers: 30%

Temporary or contract workers: 22%

Malicious insiders: 22%

Third party service providers: 19%

Government eavesdropping: 17%

Lawful data request (e.g., by police): 12%

Figure 8. The main drivers for using encryption technology solutions. Country samples are consolidated. Three responses permitted.

To protect information against specific, identified threats: 54%

To protect enterprise intellectual property: 52%

To protect customer personal information: 50%

To comply with external privacy or data security regulations and requirements: 49%

To limit liability from breaches or inadvertent disclosure: 32%

To reduce the scope of compliance audits: 29%

To comply with internal policies: 21%

To avoid public disclosure after a data breach occurs: 14%

The main driver for encryption is protection of information against identified threats. Eight drivers for deploying encryption are presented in Figure 8. Organizations are using encryption to protect information against specific, identified threats (54 percent of respondents). The most critical information is the enterprise’s intellectual property and the personal information of customers (52 percent and 50 percent of respondents, respectively).

This marks the first year that compliance with regulations has not been the top driver for encryption, indicating that encryption is less of a “checkbox” exercise and is now used to safeguard targeted critical information.


A barrier to a successful encryption strategy is the ability to discover where sensitive data resides in the organization. Figure 9 provides a list of six aspects that present challenges to the organization’s effective execution of its data encryption strategy in descending order of importance. Sixty-seven percent of respondents say discovering where sensitive data resides in the organization is the number one challenge. In addition, 44 percent of all respondents cite initially deploying encryption technology as a significant challenge. Thirty-four percent cite classifying which data to encrypt as difficult.

Deployment choices

No single encryption technology dominates in organizations. We asked respondents to indicate if specific encryption technologies are widely or only partially deployed within their organizations. “Extensive deployment” means that the encryption technology is deployed enterprise-wide. “Partial deployment” means the encryption technology is confined or limited to a specific purpose (a.k.a. point solution).

As shown in Figure 10, no single technology dominates because organizations have very diverse needs. Internet communications, databases and laptop hard drives are the most likely to be encrypted and correspond to mature use cases. Encryption extensively used with public cloud services grew significantly year-over-year (11 percent).

For the first time, the study tracked the deployment of encryption on IoT devices and platforms. As shown, 49 percent of respondents say IoT encryption has been at least partially deployed for devices and platforms.

Figure 9. Biggest challenges in planning and executing a data encryption strategy. Country samples are consolidated. More than one choice permitted.

Discovering where sensitive data resides in the organization: 67%

Initially deploying the encryption technology: 44%

Classifying which data to encrypt: 34%

Ongoing management of encryption and keys: 29%

Training users to use encryption appropriately: 13%

Determining which encryption technologies are most effective: 13%

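Figure 10. Consolidated view on the use of 15 encryption technologies. Country samples are consolidated.

Internet communications (e.g., SSL): 63% extensively deployed, 25% partially deployed

Databases: 63% extensively deployed, 24% partially deployed

Laptop hard drives: 58% extensively deployed, 22% partially deployed

Backup and archives: 54% extensively deployed, 26% partially deployed

Internal networks (e.g., VPN/LPN): 48% extensively deployed, 33% partially deployed

Data center storage: 43% extensively deployed, 30% partially deployed

Cloud gateway: 43% extensively deployed, 30% partially deployed

Public cloud services: 39% extensively deployed, 35% partially deployed

File systems: 38% extensively deployed, 31% partially deployed

Email: 38% extensively deployed, 35% partially deployed

Private cloud infrastructure: 34% extensively deployed, 29% partially deployed

Big data repositories: 28% extensively deployed, 24% partially deployed

Internet of Things (IoT) devices: 26% extensively deployed, 23% partially deployed

Internet of Things (IoT) platforms: 25% extensively deployed, 24% partially deployed

Docker containers: 20% extensively deployed, 29% partially deployed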


Encryption features considered most important

Certain encryption features are considered more critical than others. Figure 11 lists encryption technology features. Each percentage defines the very important response (on a four point scale). Respondents were asked to rate encryption technology features considered most important to their organization’s security posture.

According to consolidated findings, system performance and latency, enforcement of policy and support for both cloud and on-premise deployment are the three most important features. The performance finding is not surprising given that encryption in networking is a prominent use case, as well as the often emphasized requirement for transparency of encryption solutions.

Support for both cloud and on-premise deployment has risen in importance as organizations have increasingly embraced cloud computing and look for consistency across computing styles. In fact, the top findings in this area all correspond to features considered important for cloud solutions.

Figure 11. Most important features of encryption technology solutions. Country samples are consolidated. Very important and Important responses combined. (Bar chart comparing FY16 and FY17 for the following features.)

System performance and latency

Enforcement of policy

Support for cloud and on-premise deployment

System scalability

Management of keys

Integration with other security tools (e.g., SIEM and ID management)

Support for emerging algorithms (e.g., ECC)

Formal product security certifications (e.g., FIPS 140)

Separation of duties and role-based controls

Support for multiple applications or environments

Tamper resistance by dedicated hardware (e.g., HSM)

Support for regional segregation (e.g., data residency)


Which data types are most often encrypted? Figure 12 provides a list of seven data types that are routinely encrypted by respondents’ organizations. As can be seen, payment related data and human resource data are most likely to be encrypted – the latter of which emphasizes the fact that encryption has now moved into the realm where it needs to be addressed by companies of all types.

The least likely data type to be encrypted is health-related information, which is a surprising result given the sensitivity of health information and the recent high profile healthcare data breaches. Healthcare information had the largest increase on this list over last year.

Attitudes about key management

How painful is key management? Using a 10-point scale, respondents were asked to rate the overall “pain” associated with managing keys within their organization, where 1 = minimal impact to 10 = severe impact. Figure 13 shows that 57 (24+33) percent of respondents in FY17 chose ratings at or above 7; thus, suggesting a fairly high pain threshold.

Figure 12. Data types routinely encrypted. Country samples are consolidated. More than one choice permitted. (Bar chart comparing FY16 and FY17 for the following data types.)

Payment related data

Employee/HR data

Intellectual property

Financial records

Customer information

Healthcare information

Non-financial business information

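Figure 13. Rating on the overall impact, risk and cost associated with managing keys. Country samples are consolidated.

Rating 1 or 2: 9% (FY15), 8% (FY16), 9% (FY17)

Rating 3 or 4: 16% (FY15), 13% (FY16), 12% (FY17)

Rating 5 or 6: 22% (FY15), 19% (FY16), 22% (FY17)

Rating 7 or 8: 23% (FY15), 23% (FY16), 24% (FY17)

Rating 9 or 10: 30% (FY15), 36% (FY16), 33% (FY17)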


Figure 14 shows the 7+ ratings on a 10-point scale for each country. As can be seen, the average percentage in all country samples is 57 percent, which suggests respondents view managing keys as a very challenging activity. The highest percentage pain threshold of 65 percent occurs in India. At 33 percent, the lowest pain level occurs in Russia.

Figure 14. Percentage “pain threshold” by country. Percentage 7 to 10 rating on a 10-point scale. (Bar chart of the 7 to 10 (high) rating for US, UK, DE, FR, AU, JP, BZ, RF, IN, MX, AB and KO, with the average.)

Figure 15. What makes the management of keys so painful? Country samples are consolidated. More than one choice permitted. (Bar chart of the following reasons.)

No clear ownership

Lack of skilled personnel

Systems are isolated and fragmented

Key management tools are inadequate

Insufficient resources (time/money)

No clear understanding of requirements

Technology and standards are immature

Manual processes are prone to errors and unreliable

Why is key management painful? Figure 15 shows the reasons why the management of keys is so difficult. The top three reasons are: (1) no clear ownership of the key management function, (2) lack of skilled personnel and (3) isolated or fragmented key management systems.


Which keys are most difficult to manage? Moving into the top position on this list for the first time this year, keys for external cloud or hosted services rank as the most difficult keys to manage. As shown in Figure 16, they are followed by SSH keys, signing keys, and keys for SSL/TLS. The least difficult include: (1) encryption keys for archived data, (2) encryption keys for backups and storage and (3) embedded device keys.

Figure 16. Types of keys most difficult to manage
Country samples are consolidated. Very painful and painful response

Keys for external cloud or hosted services including Bring Your Own Key (BYOK) keys: 59%
SSH keys: 55%
Signing keys (e.g., code signing, digital signatures): 51%
Keys associated with SSL/TLS: 46%
End user encryption keys (e.g., email, full disk encryption): 39%
Payments-related keys (e.g., ATM, POS, etc.): 38%
Encryption keys for archived data: 33%
Encryption keys for backups and storage: 21%
Keys to embed into devices (e.g. at the time of manufacture in device production environments, or for IoT devices you use): 17%

Figure 17. What key management systems does your organization presently use?
Country samples are consolidated. More than one choice permitted

Manual process (e.g., spreadsheet, paper-based): 49%
Formal key management policy (KMP): 49%
Formal key management infrastructure (KMI): 36%
Central key management system/server: 33%
Removable media (e.g., thumb drive, CDROM): 32%
Hardware security modules: 26%
Smart cards: 24%
Software-based key stores and wallets: 17%

As shown in Figure 17, respondents’ companies continue to use a variety of key management systems. The most commonly deployed systems include: (1) manual process, (2) formal key management policy (KMP) and (3) formal key management infrastructure (KMI).


Importance of hardware security modules (HSMs)

Germany, United States and Japan organizations are more likely to deploy HSMs. Figure 18 summarizes the percentage of respondents that deploy HSMs. Germany, United States and Japan are more likely to deploy HSMs than other countries. The overall average deployment rate for HSMs is 41 percent.

Figure 18. Deployment of HSMs
[Bar chart: “Does your organization use HSMs?” by country (US, UK, DE, FR, AU, JP, BZ, RF, IN, MX, AB, KO), with the average]

Figure 19. HSM deployment rate over six years
Country samples are consolidated

FY12: 26%
FY13: 29%
FY14: 33%
FY15: 34%
FY16: 38%
FY17: 41%

Deployment of HSMs increases steadily. Figure 19 shows a six-year trend for HSMs. As can be seen, the rate of global HSM deployment has steadily increased.

Overall HSM use grew to 41% – the highest level ever

Germany, the US and Japan report the highest HSM usage rates


How HSMs in conjunction with public cloud-based applications are primarily deployed today and in the next 12 months. As shown in Figure 20, almost half (47 percent of respondents) own and operate HSMs on-premise for cloud-based applications, and 36 percent of respondents rent/use HSMs from a public cloud provider for the same purpose. In the next 12 months, both figures will increase, by 6 and 5 percent respectively. Interestingly, the use of HSMs with Cloud Access Security Brokers is expected to double in the next 12 months.

Figure 20. Use of HSMs in conjunction with public cloud-based applications today and in the next 12 months

Model | What models do you use today? | What models do you plan to use in the next 12 months?
Own and operate HSMs on-premise at the organization, accessed real-time by cloud-hosted applications | 47% | 53%
Rent/use HSMs from public cloud provider, hosted in the cloud | 36% | 41%
Own and operate HSMs for the purpose of generating and managing BYOK (Bring Your Own Key) keys to send to the cloud for use by the cloud provider | 17% | 24%
Own and operate HSMs that integrate with a Cloud Access Security Broker to manage keys and cryptographic operations (e.g., encrypting data on the way to the cloud, managing keys for cloud applications) | 12% | 24%
None of the above | 1% | 1%

Figure 21. Perceived importance of HSMs as part of encryption or key management
Very important & important responses combined
[Bar chart: “How important are HSMs to your encryption or key management strategy?” by country (US, UK, DE, FR, AU, JP, BZ, RF, IN, MX, AB, KO), with the average]

Figure 21 summarizes the percentage of respondents in 12 countries that rate HSMs as either very important or important to their organization’s encryption or key management program or activities. The overall average importance rating in the current year is 57 percent. The pattern of responses suggests Germany, India, the United States and Japan are most likely to assign importance to HSMs as part of their organization’s encryption or key management activities.


Figure 22 shows a six-year trend in the importance of HSMs for encryption or key management, which has steadily increased over time.

Figure 22. Perceived importance of HSMs as part of encryption or key management over six years
Country samples are consolidated

FY12: 33%
FY13: 39%
FY14: 48%
FY15: 49%
FY16: 55%
FY17: 57%

Figure 23. Which statement best describes how your organization uses HSMs?

We have a centralized team that provides cryptography as a service (including HSMs) to multiple applications/teams within our organization (i.e., private cloud model): 61%
Each individual application owner/team is responsible for their own cryptographic services (including HSMs) (i.e., traditional siloed, application-specific data center deployment): 39%

What best describes an organization’s use of HSMs? As shown in Figure 23, 61 percent of respondents say their organization has a centralized team that provides cryptography as a service (including HSMs) to multiple applications/teams within their organization (i.e., private cloud model). Thirty-nine percent say each individual application owner/team is responsible for their own cryptographic services (including HSMs), indicative of the more traditional siloed application-specific data center deployment approach.


What are the primary purposes or uses for HSMs? Figure 24 summarizes the primary purpose or use cases for deploying HSMs. As can be seen, the two top choices are SSL/TLS and application-level encryption, followed by database encryption. This chart shows a relatively small difference between today’s HSM use and that of 12 months from now.

The most significant increases predicted for the next 12 months, according to respondents, are SSL/TLS, database encryption and payment transaction processing. It is significant to note that HSM use for SSL/TLS will soon be deployed in 50 percent of the organizations represented in this study.

Figure 24. How HSMs are deployed or planned to be deployed in the next 12 months
Country samples are consolidated. More than one choice permitted

Use case | HSMs used today | HSMs to be deployed in the next 12 months
SSL/TLS | 43% | 50%
Application level encryption | 41% | 40%
Database encryption | 37% | 44%
Public cloud encryption including for Bring Your Own Key (BYOK) | 32% | 32%
PKI or credential management | 30% | 33%
Payment transaction processing including P2PE | 29% | 35%
Payment credential provisioning (e.g., mobile, IoT) | 26% | 29%
Private cloud encryption | 26% | 22%
Payment service provider interface (e.g., TSP, real-time payments, Open API) | 25% | 28%
Payment credential issuing (e.g., mobile, EMV) | 25% | 30%
Blockchain applications (e.g., cryptocurrency, financial transfer) | 20% | 21%
With Cloud Access Security Brokers (CASBs) for encryption key management | 19% | 21%
Document signing (e.g., electronic invoicing) | 12% | 14%
Internet of Things (IoT) root of trust | 12% | 13%
Big data encryption | 12% | 7%
Code signing | 7% | 8%
Other | 3% | 2%
None of the above | 10% | 12%


Budget allocations

The percentages below are calculated from the responses to survey questions about resource allocations to IT security, data protection, encryption, and key management. These calculated values are estimates of the current state and we do not make any predictions about the future state of budget funding or spending.

Figure 25 reports the average percentage of IT security spending relative to total IT spending over the last 13 years. As shown, the trend appears to be upward sloping, which suggests the proportion of IT spending dedicated to security activities including encryption is increasing over time.

Figure 26 reports the percentage of the IT security budget dedicated to encryption. Spending on encryption has declined since 2014.

Figure 25. Trend in the percent of IT security spending relative to the total IT budget
Country samples are consolidated
[Chart: percentage of IT security spending relative to the total IT budget, FY05 to FY17, with the average]

Figure 26. Trend in the percentage of IT security spending dedicated to encryption activities
Country samples are consolidated

FY14: 15.7%
FY15: 14%
FY16: 14.4%
FY17: 12.3%


Cloud encryption

According to Figure 27, 61 percent of respondents say their organizations transfer sensitive or confidential data to the cloud whether or not it is encrypted or made unreadable via some other mechanism such as tokenization or data masking. Another 21 percent of respondents expect to do so in the next one to two years. These findings indicate the benefits of cloud computing outweigh the risks associated with transferring sensitive or confidential data to the cloud.

According to Figure 28, with respect to the transfer of sensitive or confidential data to the cloud, Germany, United States, Japan, India and Korea are more frequently transferring sensitive data to the cloud.

Figure 27. Do you currently transfer sensitive or confidential data to the cloud?
Country samples are consolidated

Yes, we are presently doing so: 61%
No, but we are likely to do so in the next 12 to 24 months: 21%
No: 17%

Figure 28. Organizations that transfer sensitive or confidential data to the cloud by country
[Bar chart: “Yes, we are presently doing so” by country (US, UK, DE, FR, AU, JP, BZ, RF, IN, MX, AB, KO), with the average]

Encryption in public cloud services grew from 28% to 39% in 2017 – 11% is the highest year-over-year growth of any encryption use case


What are the top three encryption features specifically for the cloud? The top three features are support for the KMIP standard for key management (66 percent of respondents), SIEM integration, visualization and analysis of logs (62 percent of respondents) and granular access controls (60 percent of respondents).

Figure 30. How important are the following features associated with cloud encryption to your organization?
Very important and important responses combined

Support for the KMIP standard for key management: 66%
SIEM integration, visualization and analysis of logs: 62%
Granular access controls: 60%
Audit logs identifying key usage: 57%
Privileged user access control: 51%
Bring Your Own Key (BYOK) management support: 49%
Ability to encrypt and rekey data while in use without downtime: 47%
Audit logs identifying data access attempts: 39%
Support for FIPS 140-2 compliant key management: 34%

Figure 29. How does your organization protect data at rest in the cloud?
Country samples are consolidated. More than one choice permitted

Encryption performed on-premise prior to sending data to the cloud using keys my organization generates and manages: 47%
Encryption performed in the cloud using keys generated/managed by the cloud provider: 38%
Encryption performed in the cloud using keys my organization generates and manages on-premise: 21%
Tokenization performed by the cloud provider: 13%
Tokenization performed on-premise prior to sending data to the cloud: 12%
None of the above: 5%

How do organizations protect data at rest in the cloud? As shown in Figure 29, 47 percent of respondents say encryption is performed on-premise prior to sending data to the cloud using keys their organization generates and manages. However, 38 percent of respondents perform encryption in the cloud, with cloud provider generated/managed keys. Twenty-one percent of respondents are using some form of Bring Your Own Key (BYOK) approach.


APPENDIX 1. METHODS & LIMITATIONS

Table 1 reports the sample response for 12 separate country samples. The sample response for this study was conducted over a 49-day period ending in January 2018. Our consolidated sampling frame of practitioners in all countries consisted of 151,334 individuals who have bona fide credentials in IT or security fields. From this sampling frame, we captured 5,861 returns of which 609 were rejected for reliability issues. Our final consolidated 2017 sample was 5,252, thus resulting in an overall 3.5% response rate.

Table 1. Survey response in 12 countries

Legend | Survey response | Sampling frame | Final sample | Response rate
AB | Arabian Cluster | 9,466 | 308 | 3.3%
AU | Australia | 7,290 | 315 | 4.3%
BZ | Brazil | 13,200 | 507 | 3.8%
DE | Germany | 14,505 | 543 | 3.7%
FR | France | 12,650 | 370 | 2.9%
IN | India | 16,873 | 582 | 3.4%
JP | Japan | 14,013 | 468 | 3.3%
KO | Korea | 11,257 | 317 | 2.8%
MX | Mexico | 11,300 | 468 | 4.1%
RF | Russian Federation | 6,319 | 196 | 3.1%
UK | United Kingdom | 13,001 | 468 | 3.6%
US | United States | 21,460 | 710 | 3.3%
- | Consolidated | 151,334 | 5,252 | 3.5%

The first encryption trends study was conducted in the United States in 2005. Since then we have expanded the scope of the research to include 12 separate country samples. Trend analysis was performed on combined country samples. As noted before, we added Korea to this year’s study.


Table 2. Sample history over 12 years

Legend | FY17 | FY16 | FY15 | FY14 | FY13 | FY12 | FY11 | FY10 | FY09 | FY08 | FY07 | FY06
AB | 308 | 316 | 368 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0
AU | 315 | 331 | 334 | 359 | 414 | 938 | 471 | 477 | 482 | 405 | 0 | 0
BZ | 507 | 463 | 460 | 472 | 530 | 637 | 525 | 0 | 0 | 0 | 0 | 0
DE | 543 | 531 | 563 | 564 | 602 | 499 | 526 | 465 | 490 | 453 | 449 | 0
FR | 370 | 345 | 344 | 375 | 478 | 584 | 511 | 419 | 414 | 0 | 0 | 0
IN | 582 | 548 | 578 | 532 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0
JP | 468 | 450 | 487 | 476 | 521 | 466 | 544 | 0 | 0 | 0 | 0 | 0
KO | 317 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0
MX | 468 | 451 | 429 | 445 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0
RF | 196 | 206 | 201 | 193 | 201 | 0 | 0 | 0 | 0 | 0 | 0 | 0
UK | 468 | 460 | 487 | 509 | 637 | 550 | 651 | 622 | 615 | 638 | 541 | 489
US | 710 | 701 | 758 | 789 | 892 | 531 | 912 | 964 | 997 | 975 | 768 | 918
Total | 5,252 | 4,802 | 5,009 | 4,714 | 4,275 | 4,205 | 4,140 | 2,947 | 2,998 | 2,471 | 1,758 | 1,407

Table 2 summarizes our survey samples for 12 countries over a 12-year period.

Figure 31 reports the respondent’s organizational level within participating organizations. By design, 56 percent of respondents are at or above the supervisory levels.

Figure 32 identifies the organizational location of respondents in our study. Over half of respondents (55 percent) are located within IT operations, followed by security at 20 percent of respondents and 12 percent of respondents are located within the lines of business.

Figure 31. Distribution of respondents according to position level
Country samples are consolidated
[Pie chart: Senior Executive, Vice President, Director, Manager/Supervisor, Associate/Staff/Technician, Other]

Figure 32. Distribution of respondents according to organizational location
Country samples are consolidated
[Pie chart: IT operations, Security, Lines of business (LOB), Compliance, Finance, Other]


Figure 33 reports the industry classification of respondents’ organizations. Fifteen percent of respondents are located in the financial services industry, which includes banking, investment management, insurance, brokerage, payments and credit cards. Twelve percent of respondents are located in manufacturing and industrial organizations and 11 percent of respondents are in service organizations. Another nine percent are located in the public sector, including central and local government.

According to Figure 34, the majority of respondents (63 percent) are located in larger-sized organizations with a global headcount of more than 1,000 employees.

Figure 33. Distribution of respondents according to primary industry classification
Country samples are consolidated
[Pie chart: Financial services, Manufacturing & industrial, Services, Public sector, Technology & software, Health & pharmaceutical, Retail, Energy & utilities, Consumer products, Education & research, Hospitality, Transportation, Communications, Entertainment & media, Other]

Figure 34. Distribution of respondents according to organizational headcount
Country samples are consolidated
[Pie chart: Less than 500, 500 to 1,000, 1,001 to 5,000, 5,001 to 25,000, 25,001 to 75,000, More than 75,000]


Limitations

There are inherent limitations to survey research that need to be carefully considered before drawing inferences from the presented findings. The following items are specific limitations that are germane to most survey-based research studies.

• Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of IT and IT security practitioners in 12 countries, resulting in a large number of usable returned responses. Despite non-response tests, it is always possible that individuals who did not participate are substantially different in terms of underlying beliefs from those who completed the survey.

• Sampling-frame bias: The accuracy of survey results is dependent upon the degree to which our sampling frames are representative of individuals who are IT or IT security practitioners within the sample of 12 countries selected.

• Self-reported results: The quality of survey research is based on the integrity of confidential responses received from respondents. While certain checks and balances were incorporated into our survey evaluation process including sanity checks, there is always the possibility that some respondents did not provide truthful responses.

APPENDIX 2. SURVEY DATA TABLES

The following tables provide the consolidated results for 12 country samples.

Survey response
Sampling frame: 151,334
Total returns: 5,861
Rejected or screened surveys: 609
Final sample: 5,252
Response rate: 3.5%

Part 1. Encryption Posture

Q1. Please select one statement that best describes your organization’s approach to encryption implementation across the enterprise.

We have an overall encryption plan or strategy that is applied consistently across the entire enterprise: 43%
We have a limited encryption plan or strategy that is applied to certain applications and data types: 44%
We don’t have an encryption plan or strategy: 13%
Total: 100%


Q2. Following are areas where encryption technologies can be deployed. Please check those areas where encryption is extensively deployed, partially deployed or not as yet deployed by your organization.

Area | Extensively deployed | Partially deployed | Not deployed | Total
Q2a-1. Backup and archives | 54% | 26% | 20% | 100%
Q2b-1. Big data repositories | 28% | 24% | 48% | 100%
Q2c-1. Cloud gateway | 43% | 30% | 27% | 100%
Q2d-1. Data center storage | 43% | 30% | 27% | 100%
Q2e-1. Databases | 63% | 24% | 13% | 100%
Q2f-1. Docker containers | 20% | 29% | 51% | 100%
Q2g-1. Email | 38% | 35% | 27% | 100%
Q2h-1. Public cloud services | 39% | 35% | 27% | 100%
Q2i-1. File systems | 38% | 31% | 31% | 100%
Q2j-1. Internet communications (e.g., SSL) | 63% | 25% | 12% | 100%
Q2k-1. Internal networks (e.g., VPN/LPN) | 48% | 33% | 19% | 100%
Q2l-1. Laptop hard drives | 58% | 22% | 20% | 100%
Q2m-1. Private cloud infrastructure | 34% | 29% | 36% | 100%
Q2n-1. Internet of things (IoT) devices | 26% | 23% | 51% | 100%
Q2o-1. Internet of things (IoT) platforms | 25% | 24% | 51% | 100%


Q3. Who is most influential in directing your organization’s encryption strategy? Please select one best choice.

IT operations: 33%
Security: 17%
Compliance: 2%
Lines of business (LOB) or general management: 25%
No single function has responsibility: 22%
Total: 100%

Q4. What are the reasons why your organization encrypts sensitive and confidential data? Please select the top three reasons.

To protect enterprise intellectual property: 52%
To protect customer personal information: 50%
To limit liability from breaches or inadvertent disclosure: 32%
To avoid public disclosure after a data breach occurs: 14%
To protect information against specific, identified threats: 54%
To comply with internal policies: 21%
To comply with external privacy or data security regulations and requirements: 49%
To reduce the scope of compliance audits: 29%
Total: 300%

Q5. What are the biggest challenges in planning and executing a data encryption strategy? Please select the top two reasons.

Discovering where sensitive data resides in the organization: 67%
Classifying which data to encrypt: 34%
Determining which encryption technologies are most effective: 13%
Initially deploying the encryption technology: 44%
Ongoing management of encryption and keys: 29%
Training users to use encryption appropriately: 13%
Total: 200%


Q6. How important are the following features associated with encryption solutions that may be used by your organization? Very important and important response combined.

Enforcement of policy: 72%
Management of keys: 68%
Support for multiple applications or environments: 52%
Separation of duties and role-based controls: 54%
System scalability: 68%
Tamper resistance by dedicated hardware (e.g., HSM): 50%
Integration with other security tools (e.g., SIEM and ID management): 64%
Support for regional segregation (e.g., data residency): 44%
System performance and latency: 78%
Support for emerging algorithms (e.g., ECC): 59%
Support for cloud and on-premise deployment: 71%
Formal product security certifications (e.g., FIPS 140): 56%

Q7. What types of data does your organization encrypt? Please select all that apply.

Customer information: 43%
Non-financial business information: 26%
Intellectual property: 52%
Financial records: 50%
Employee/HR data: 53%
Payment related data: 54%
Healthcare information: 26%

Q8. What are the main threats that might result in the exposure of sensitive or confidential data? Please select the top two choices.

Hackers: 30%
Malicious insiders: 22%
System or process malfunction: 31%
Employee mistakes: 47%
Temporary or contract workers: 22%
Third party service providers: 19%
Lawful data request (e.g. by police): 12%
Government eavesdropping: 17%
Total: 200%


Part 2. Key Management

Q9. Please rate the overall “pain” associated with managing keys or certificates within your organization, where 1 = minimal impact to 10 = severe impact?

1 or 2: 9%
3 or 4: 12%
5 or 6: 22%
7 or 8: 24%
9 or 10: 33%
Total: 100%

Q11. Following are a wide variety of keys that may be managed by your organization. Please rate the overall “pain” associated with managing each type of key. Very painful and painful response combined.

Encryption keys for backups and storage: 21%
Encryption keys for archived data: 33%
Keys associated with SSL/TLS: 46%
SSH keys: 55%
End user encryption keys (e.g., email, full disk encryption): 39%
Signing keys (e.g., code signing, digital signatures): 51%
Payments-related keys (e.g., ATM, POS, etc.): 38%
Keys to embed into devices (e.g. at the time of manufacture in device production environments, or for IoT devices you use): 17%
Keys for external cloud or hosted services including Bring Your Own Key (BYOK) keys: 59%

Q10. What makes the management of keys so painful? Please select the top three reasons.

No clear ownership: 59%
Insufficient resources (time/money): 33%
Lack of skilled personnel: 57%
No clear understanding of requirements: 23%
Key management tools are inadequate: 46%
Systems are isolated and fragmented: 56%
Technology and standards are immature: 14%
Manual processes are prone to errors and unreliable: 11%
Total: 300%


Q12a. What key management systems does your organization presently use?

Formal key management policy (KMP): 49%
Formal key management infrastructure (KMI): 36%
Manual process (e.g., spreadsheet, paper-based): 49%
Central key management system/server: 33%
Hardware security modules: 26%
Removable media (e.g., thumb drive, CDROM): 32%
Software-based key stores and wallets: 17%
Smart cards: 24%
Total: 267%

Q12b. What key management systems does your organization presently not used or not aware of use?

Formal key management policy (KMP): 36%
Formal key management infrastructure (KMI): 43%
Manual process (e.g., spreadsheet, paper-based): 34%
Central key management system/server: 45%
Hardware security modules: 52%
Removable media (e.g., thumb drive, CDROM): 52%
Software-based key stores and wallets: 61%
Smart cards: 58%
Total: 381%


Part 3. Hardware Security Modules

Q13. What best describes your level of knowledge about HSMs?

Very knowledgeable: 29%
Knowledgeable: 30%
Somewhat knowledgeable: 20%
No knowledge (skip to Q17a): 21%
Total: 100%

Q14a. Does your organization use HSMs?

Yes: 41%
No (skip to Q17a): 59%
Total: 100%

Q14b. For what purpose does your organization presently deploy or plan to use HSMs? Please select all that apply.

Q14b-1. HSMs used today

Application level encryption: 41%
Database encryption: 37%
Big data encryption: 12%
Public cloud encryption including for Bring Your Own Key (BYOK): 32%
Private cloud encryption: 26%
SSL/TLS: 43%
PKI or credential management: 30%
Internet of Things (IoT) root of trust: 12%
Document signing (e.g. electronic invoicing): 12%
Code signing: 7%
Payment transaction processing including P2PE: 29%
Payment credential issuing (e.g., mobile, EMV): 25%
Payment credential provisioning (e.g., mobile, IoT): 26%
Payment service provider interface (e.g., TSP, real-time payments, Open API): 25%
With Cloud Access Security Brokers (CASBs) for encryption key management: 19%
Blockchain applications (e.g., cryptocurrency, financial transfer): 20%
None of the above: 10%
Other: 3%
Total: 409%


Q14b-2. HSMs planned to be deployed in the next 12 months

Application level encryption: 40%
Database encryption: 44%
Big data encryption: 7%
Public cloud encryption including for Bring Your Own Key (BYOK): 32%
Private cloud encryption: 22%
SSL/TLS: 50%
PKI or credential management: 33%
Internet of Things (IoT) root of trust: 13%
Document signing (e.g. electronic invoicing): 14%
Code signing: 8%
Payment transaction processing: 35%
Payment credential issuing (e.g., mobile, EMV): 30%
Payment credential provisioning (e.g., mobile, IoT): 29%
Payment service provider interface (e.g., TSP, real-time payments, Open API): 28%
With Cloud Access Security Brokers (CASBs) for encryption key management: 21%
Blockchain applications (e.g., cryptocurrency, financial transfer): 21%
None of the above: 12%
Other: 2%
Total: 441%

Q14c-1. If you use HSMs in conjunction with public cloud based applications, what models do you use today? Please select all that apply.

Rent/use HSMs from public cloud provider, hosted in the cloud: 36%
Own and operate HSMs on-premise at your organization, accessed real-time by cloud-hosted applications: 47%
Own and operate HSMs for the purpose of generating and managing BYOK (Bring Your Own Key) keys to send to the cloud for use by the cloud provider: 17%
Own and operate HSMs that integrate with a Cloud Access Security Broker to manage keys and cryptographic operations (e.g., encrypting data on the way to the cloud, managing keys for cloud applications): 12%
None of the above: 1%
Total: 113%


Q14c-2. If you use HSMs in conjunction with public cloud based applications, what models do you plan to use in the next 12 months? Please select all that apply.

Rent/use HSMs from public cloud provider, hosted in the cloud: 41%
Own and operate HSMs on-premise at your organization, accessed real-time by cloud-hosted applications: 53%
Own and operate HSMs for the purpose of generating and managing BYOK (Bring Your Own Key) keys to send to the cloud for use by the cloud provider: 24%
Own and operate HSMs that integrate with a Cloud Access Security Broker to manage keys and cryptographic operations (e.g., encrypting data on the way to the cloud, managing keys for cloud applications): 24%
None of the above: 1%
Total: 143%

Q15. In your opinion, how important are HSMs to your encryption or key management strategy? Very important and important response combined

Q15a. Importance today: 57%
Q15b. Importance in the next 12 months: 65%

Q16. Which statement best describes how your organization uses HSMs?

We have a centralized team that provides cryptography as a service (including HSMs) to multiple applications/teams within our organization (i.e. private cloud model): 61%
Each individual application owner/team is responsible for their own cryptographic services (including HSMs) (i.e. traditional siloed, application-specific data center deployment): 39%
Total: 100%

Part 4. Budget Questions

Q17a. Are you responsible for managing all or part of your organization’s IT budget this year?

Yes: 53%
No (skip to Q18): 47%
Total: 100%


Q17b. Approximately, what percentage of the 2017 IT budget will go to IT security activities?

FY2017: 10.6%

Q17c. Approximately, what percentage of the 2017 IT security budget will go to encryption activities?

FY2017: 12.3%

Part 6: Cloud encryption: When responding to the following questions, please assume they refer only to public cloud services

Q35a. Does your organization currently use cloud computing services for any class of data or application – both sensitive and non-sensitive?

Yes, we are presently doing so: 64%
No, but we are likely to do so in the next 12 to 24 months: 20%
No (Go to Part 7 if you do not use cloud services for any class of data or application): 16%
Total: 100%

Q35b. Do you currently transfer sensitive or confidential data to the cloud (whether or not it is encrypted or made unreadable via some other mechanism)?

Yes, we are presently doing so: 61%
No, but we are likely to do so in the next 12 to 24 months: 21%
No (Go to Part 7 if you do not use or plan to use any cloud services for sensitive or confidential data): 17%
Total: 100%

Q35c. In your opinion, who is most responsible for protecting sensitive or confidential data transferred to the cloud?

The cloud provider: 49%
The cloud user: 21%
Shared responsibility: 31%
Total: 100%


Q35d. How does your organization protect data at rest in the cloud?

Encryption performed in the cloud using keys generated/managed by the cloud provider: 38%
Encryption performed in the cloud using keys my organization generates and manages on-premise: 21%
Encryption performed on-premise prior to sending data to the cloud using keys my organization generates and manages: 47%
Tokenization performed by the cloud provider: 13%
Tokenization performed on-premise prior to sending data to the cloud: 12%
None of the above: 5%
Total: 136%

Q35e. For encryption of data at rest in the cloud, my organization’s strategy is to…

Only use keys controlled by my organization: 42%
Only use keys controlled by the cloud provider: 19%
Use a combination of keys controlled by my organization and by the cloud provider, with a preference for keys controlled by my organization: 19%
Use a combination of keys controlled by my organization and by the cloud provider, with a preference for keys controlled by the cloud provider: 20%
Total: 100%

Q35f. How important are the following features associated with cloud encryption to your organization? Very important and Important response provided.

Bring Your Own Key (BYOK) management support: 49%
Privileged user access control: 51%
Granular access controls: 60%
Audit logs identifying key usage: 57%
Audit logs identifying data access attempts: 39%
SIEM integration, visualization and analysis of logs: 62%
Support for FIPS 140-2 compliant key management: 34%
Support for the KMIP standard for key management: 66%
Ability to encrypt and rekey data while in use without downtime: 47%


Q35g-1. How many public cloud providers does your organization use today?

1: 39%
2: 21%
3: 14%
4 or more: 26%
Total: 100%

Q35g-2. How many public cloud providers does your organization plan to use in the next 12 to 24 months?

1: 29%
2: 21%
3: 15%
4 or more: 35%
Total: 100%

Part 7: Role and organizational characteristics

D1. What organizational level best describes your current position?

Senior Executive: 2%
Vice President: 3%
Director: 17%
Manager/Supervisor: 34%
Associate/Staff/Technician: 41%
Other: 3%
Total: 100%


D2. Select the functional area that best describes your organizational location.

IT operations: 55%
Security: 20%
Compliance: 7%
Finance: 3%
Lines of business (LOB): 12%
Other: 3%
Total: 100%

D3. What industry best describes your organization’s industry focus?

Agriculture & food services: 1%
Communications: 2%
Consumer products: 4%
Defense & aerospace: 0%
Education & research: 3%
Energy & utilities: 7%
Entertainment & media: 2%
Financial services: 15%
Health & pharmaceutical: 8%
Hospitality: 3%
Manufacturing & industrial: 12%
Public sector: 9%
Retail: 8%
Services: 11%
Technology & software: 9%
Transportation: 3%
Other: 3%
Total: 100%

D4. What is the worldwide headcount of your organization?

Less than 500: 13%
500 to 1,000: 24%
1,001 to 5,000: 31%
5,001 to 25,000: 20%
25,001 to 75,000: 8%
More than 75,000: 4%
Total: 100%


About Ponemon Institute

The Ponemon Institute© is dedicated to advancing responsible information and privacy management practices in business and government. To achieve this objective, the Institute conducts independent research, educates leaders from the private and public sectors and verifies the privacy and data protection practices of organizations in a variety of industries.

About nCipher Security

Today’s fast-moving digital environment enables enterprises to operate more efficiently, gain competitive advantage and serve customers better than ever before. It also multiplies the security risks.

nCipher Security empowers world-leading organizations by delivering trust, integrity and control to their business critical information and applications.

Our cryptographic solutions secure emerging technologies – cloud, IoT, blockchain, digital payments – and help meet new compliance mandates, using the same proven technology that our customers depend on today to protect against threats to their sensitive data, network communications and enterprise infrastructure. We deliver trust for your business critical information and applications, ensuring the integrity of your data and putting you in complete control – today, tomorrow, and at all times.

To find out more about how nCipher Security can deliver trust, integrity and control to your business critical information and applications, visit www.ncipher.com.

Platinum partner – Geobridge

Established in 1997, GEOBRIDGE emerged as one of the first information security solutions providers to support cryptography and payment applications for payment processors, financial institutions and retail organizations. Today, GEOBRIDGE is a leading information security solutions and compliance provider that provides Cryptography and Key Management, Payment Security, Compliance, and HSM Virtualization solutions and services to our clients. Our client list includes Fortune 500 companies, financial institutions, healthcare organizations and government clients across North America and around the globe. GEOBRIDGE leverages our team’s expertise in data protection, program development, enforcement and governance to help architect solutions to help mitigate risk for our clients.

Platinum partner – Venafi

Venafi is the cyber security market leader in machine identity protection, securing machine-to-machine connections and communications. Venafi protects machine identity types by orchestrating cryptographic keys and digital certificates for SSL/TLS, IoT, mobile and SSH. Venafi provides global visibility of machine identities and the risks associated with them for the extended enterprise – on premises, mobile, virtual, cloud and IoT – at machine speed and scale. Venafi puts this intelligence into action with automated remediation that reduces the security and availability risks connected with weak or compromised machine identities while safeguarding the flow of information to trusted machines and preventing communication with machines that are not trusted.

With 31 patents currently in its portfolio, Venafi delivers innovative solutions for the world’s most demanding, security-conscious Global 2000 organizations. Venafi is backed by top-tier investors, including Foundation Capital, Intel Capital, Origin Partners, Pelion Venture Partners, QuestMark Partners, Mercato Partners and NextEquity. For more information, visit: www.venafi.com.


©2018 nCipher