Page 1

Teleconference: Adopting An Enterprise Approach To Encryption

Paul Stamp, Senior Analyst, Forrester Research

April 3, 2007. Call in at 12:55 pm Eastern Time


Page 2

Entire contents © 2007 Forrester Research, Inc. All rights reserved.

Agenda

• Why encryption?

• What encryption?

• How encryption?

Page 4

Encryption — why we do it

• Because somebody says we should do it

• Because we’ve been burned in the past

Very few people do it “because we think we ought to”

Page 5

What do we encrypt?

• Typically — not a lot of . . .

» Networks & VPNs

» Laptops & desktops

» File transfers

» Email

» Databases

Page 6

Email encryption adoption by vertical

[Bar chart, axis 0% to 45%, one bar per vertical in this order: Retail & wholesale trade; Business services; Public sector; Utilities & telecommunications; Manufacturing; Media, entertainment, & leisure; Finance & insurance]

Base: 712 technology decision-makers at North American and European enterprises

Source: Business Technographics® September 2006 North American And European Enterprise Software Survey

“Are you likely to invest in email encryption in 2007?”

Page 7

Why now?

• Contractual obligations

» PCI, partner agreements

• Safe Harbor from mandatory disclosure requirements

» “whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person” CA SB 1386

• Best practice-based demands

» HIPAA, EU Data Protection Directive etc. . . .

Page 8

Laptop encryption is the new flavor of the month

[Bar chart, axis 0 to 40, 2006 versus 2005, one pair of bars per response: To all computers; To desktops only; To laptops only; To select laptops only; No, but plan to in the next year; No plans to use encryption tools; Don’t know]

Source: Forrester Security Panel Survey 2005 and 2006

Base: 149 technology decision-makers at North American SMBs and enterprises (184 in 2006)

“Has your organization deployed full disk or file encryption to desktops and laptops?”

Page 9

Agenda

• Why encryption?

• What encryption?

• How encryption?

Page 10

When do we encrypt?

• Data in motion

» Keys needed to authenticate and initiate connection

» Keys needed at the point in time of the connection

• Data at rest

» Keys needed to encrypt and decrypt stored data

» Keys needed at an unspecified time in the future

» Key escrow often required

Page 11

Problems with encryption

• Cost

» Licensing costs, development costs

• Administrative overhead

» Key management, support processes

• Visibility

» Network monitoring has little visibility into encrypted traffic

Page 12

Considerations for laptop encryption

• File level

» More elegant, allows more “follow the data” encryption

» BUT . . . more cumbersome, demands user decision

» Vendors include: Entrust, PGP

• Disk level

» Quicker and easier

» Support processes normally “save the laptop, not the data”

» Still demands user changes in behavior — laptop is “storage of convenience”

» Vendors include: Credant, Pointsec, Guardian Edge, Utimaco, Safeboot

Page 13

Other areas of encryption not so well defined

• File transfers

» Variety of methods in place — file level, SFTP, FTPS, etc.

» Vendors include: Sterling Commerce, Attachmate, SSH Corporation, IPSwitch, Proatria, PGP . . .

• Email

» Estimated 80% of encrypted email is TLS or Web mail

» Vendors include: PGP, Voltage, Entrust, PostX

• Databases

» Largely PCI-driven

» Biggest advantage is protection from the DBA

» Vendors include: nCipher, Ingrian, Application Security Inc., Protegrity

Page 14

Point-based approach leads to

• Inconsistent data protection

• Ad hoc key management

• High licensing costs and performance overheads

Page 15

How do you manage keys?

• Typical answers

» Manage keys? What keys?

» We use embedded product functionality

» We use manual processes

Page 16

Key management principles

• Key provisioning

» How will the key get to where it needs to go?

• Key escrow and backup

» How do I keep a copy for safekeeping?

• Key recovery

» How do I recover the key when it’s unavailable?

Page 17

Key management principles (cont.)

• Key exchange and sharing

» How do I make keys available to those who need them?

• Key rollover

» How do I generate and provision new keys when old keys expire?

• Key destruction

» How do I destroy keys when I’ve finished with them?
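Added example, not from the deck: the six key management questions above, plus the data-at-rest point from the "When do we encrypt?" slide (keys needed at an unspecified future time, so escrow is often required), worked through in Python as a small versioned data-key store. It provisions a key and escrows a wrapped copy at the same moment, rolls over to a new version while keeping old versions for existing ciphertext, recovers a destroyed live key from escrow, and only loses data once the escrow copy is destroyed too. The cipher is a SHA-256 counter-mode stream with an HMAC tag, a standard-library stand-in for AES-GCM; the class and function names are my own.

```python
import hashlib
import hmac
import secrets

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    # SHA-256 in counter mode: a standard-library stand-in for AES-CTR, not for production use.
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))

def seal(key: bytes, data: bytes) -> bytes:
    # Encrypt-then-MAC under subkeys derived from one data key: nonce || ciphertext || tag.
    ek, mk = hashlib.sha256(key + b"enc").digest(), hashlib.sha256(key + b"mac").digest()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(ek, nonce, len(data))))
    return nonce + ct + hmac.new(mk, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    ek, mk = hashlib.sha256(key + b"enc").digest(), hashlib.sha256(key + b"mac").digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mk, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _stream(ek, nonce, len(ct))))

class DataAtRestKeys:
    def __init__(self, escrow_key: bytes):
        self.escrow_key = escrow_key  # held by a separate custodian (HSM or offline store)
        self.live = {}                 # version -> key usable right now
        self.escrow = {}               # version -> key wrapped under escrow_key (backup copy)
        self.current = 0
    def provision(self) -> int:
        self.current += 1
        key = secrets.token_bytes(32)  # key provisioning: fresh 256-bit data key
        self.live[self.current] = key
        self.escrow[self.current] = seal(self.escrow_key, key)  # escrow at creation time
        return self.current
    rollover = provision  # key rollover: new data uses the new version; old versions stay for old ciphertext
    def encrypt(self, data: bytes) -> tuple:
        return self.current, seal(self.live[self.current], data)  # store the version with the blob
    def decrypt(self, version: int, blob: bytes) -> bytes:
        key = self.live.get(version)
        if key is None and version in self.escrow:
            # Key recovery: the live copy is gone but the escrowed copy can still be unwrapped.
            key = self.live[version] = unseal(self.escrow_key, self.escrow[version])
        if key is None:
            raise KeyError(f"key version {version} destroyed; ciphertext is unrecoverable")
        return unseal(key, blob)
    def destroy(self, version: int, including_escrow: bool = False) -> None:
        # Key destruction: dropping the live key is reversible until the escrow copy goes too.
        self.live.pop(version, None)
        if including_escrow:
            self.escrow.pop(version, None)
```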

Page 18

Things to remember

• Key management complexity is a function of business processes — not the number of keys

• Not all key management processes need to be uniform

• Key management technology will be useless without defined goals and processes

Page 19

Agenda

• Why encryption?

• What encryption?

• How encryption?

Page 20

© 2007, Forrester Research, Inc. Reproduction Prohibited

Different Types Of Encryption (figure)

Source: March 2007 Trends report, “Adopting An Enterprise Approach To Encryption”

Page 21

Enterprise Key Management (figure)

Source: March 2007 Trends report, “Adopting An Enterprise Approach To Encryption”

Page 22

Vendor Offerings (figure)

Source: March 2007 Trends report, “Adopting An Enterprise Approach To Encryption”

Page 23

Recommendations

• Start with data classification and handling

• Prioritize based on specific requirements and compensating controls

• Keep a wider picture in mind when complying with specific mandates

Page 24

Paul Stamp

+1 617/613-6263

[email protected]

www.forrester.com

Thank you