Leveraging Encryption to Secure Data in Storage: Current Market Deployments and Trends (Whitepaper)


Executive Summary

To better safeguard their sensitive data, organizations are increasingly looking to leverage encryption. How pervasive has encryption of assets in storage become, and how are organizations approaching their storage encryption initiatives? To provide a current look at storage encryption deployments in organizations today, SafeNet undertook an extensive survey of IT executives in North America and EMEA. This paper provides an in-depth look at the survey findings.

Introduction

Breaches continue to make headlines, not just because of the damage they inflict, but because of the sophistication and resources being brought to bear in these attacks. Given the efficacy and severity of these attacks, IT organizations are increasingly looking to strengthen existing defenses and add new safeguards. Consequently, encryption of sensitive assets and systems represents a key charter for many security teams today. Encryption is an increasingly vital means to ensure that, even if an external attacker bypasses perimeter defenses, or an unauthorized internal user looks to leak or steal data, sensitive assets can remain protected.

When it comes to implementing encryption, one of the most critical areas to address is the storage environment. Given the central nature of these repositories, and the fact they hold vast amounts of information, including large volumes of sensitive and regulated assets, storage systems represent a critical vulnerability, and a highly prized target for cyber criminal organizations, nation-states, and malicious insiders.

What do storage implementations look like today, and how much has encryption pervaded these environments? To examine the status of storage encryption in today’s organizations, SafeNet conducted an extensive survey of enterprise IT professionals across North America and EMEA. This paper reveals the results of the survey, outlining how IT organizations are managing their storage environments and security approaches.

Summary of Top Findings

Following are a few of the most important findings the survey uncovered:

• Encryption a priority. 75% of respondents either agreed or strongly agreed with the statement, “Encryption of data at rest is a high priority for my organization.”

• Encryption drivers. For those that have made encryption a priority, achieving compliance and protecting sensitive organizational data are the two biggest business drivers.

• Gaps remain. In spite of the drivers and requirements in place, 65% indicated that less than half of regulated and sensitive data is encrypted currently.


Storage Environments

Respondents were asked to describe the different types of storage systems that have been employed, and the responses make clear how pervasive various technologies have become. Over 70% indicated that they were using file shares accessed by CIFS or NAS. More than 45% of respondents indicated that they have employed direct attached storage, and about the same amount have fiber channel SAN block storage. Even the lowest-rated category, application server integrated storage, had over a 34% response.

What types of storage are deployed in your environment?

There were some contrasting results for respondents in EMEA versus those in North America. EMEA-based respondents reported higher percentages of CIFS/NIFS, as well as tape, fiber channel SAN block storage, and iSCSI SAN block storage. On the other hand, the percentage of respondents with direct attached storage was much higher in North America (50%) than EMEA (35%).

When polled about the storage vendors chosen, respondents most frequently cited EMC, which received a response of 54%. NetApp was next on the list, with 49%, followed by IBM, with almost 35%. While NetApp adoption was fairly consistent across both North America and EMEA, 48% and 51% respectively, adoption of EMC was substantially higher in North America, 59%, compared with 44% in EMEA. On the other hand, IBM usage was almost twice as high in EMEA, 50%, compared to 27% in North America.

Which vendors’ file data storage do you currently use?

Top Findings

• 75%: Say data-at-rest encryption a priority

• Two key drivers: Compliance and protecting sensitive organizational data

• 65%: Have encrypted less than half of regulated and sensitive data

Storage Encryption: Importance and Drivers

Respondents were asked to rate the statement, “encryption of data at rest is a high priority for my organization.” The vast majority, approximately 75%, agreed or strongly agreed. Only 2.5% strongly disagreed with the statement. In North America, a higher percentage, 34%, strongly agreed, compared to EMEA, where 21% expressed that sentiment.

Rate the statement: “Encryption of data at rest is a high priority for my organization”

Why is encryption such a high priority in so many organizations? While the answers vary, the two most common drivers reported were achieving or sustaining regulatory compliance and protecting sensitive data.

If a priority, what is the business driver to encrypt data?

Across the board, responses in North America were substantially higher, at least 7% or more, than EMEA. Only a very small percentage (7%) cite state-sponsored cyber crime, but, given how prominently the topic has been featured in the news in recent months, that encryption driver may start to gain more prominence in the months ahead.

Makeup of Data and Encryption

Respondents made clear that a significant proportion of data is sensitive or subject to regulatory requirements. The largest portion, more than one-third, said 1-10% of data is subject to regulatory requirements. The remainder of categories received fairly consistent responses. A significant percentage, 13%, say between 76 and 100% of data is subject to regulatory requirements.

Combined, almost 29% said more than half of their organizations’ data is subject to regulatory requirements, and 26% said more than half is sensitive organizational data.

In spite of all the drivers for encryption, and all the sensitive data held in storage environments, to date, a big percentage of sensitive and regulated data remains unencrypted. In fact, only about 17% said more than three-quarters of regulated or sensitive data is encrypted. In EMEA that number is even lower: 6.3%. Further, almost half, 48%, of respondents say less than 25% of sensitive or regulated data is encrypted, and almost two-thirds say less than half of this data is encrypted.


Encryption Approaches

When it comes to the types of at-rest encryption employed, respondents were fairly evenly split among full disk encryption and server or application-based encryption approaches. 28% encrypt more than half of their data using full disk encryption, which is the same percentage that use server or application-based encryption to secure more than half of their sensitive data. 41% say they encrypt between 1-10% of sensitive or regulated data using full disk encryption. 32% say they use server or application-based encryption for 1-10% of this data.

Respondents were also polled about in-flight encryption of data being sent between users and storage. Responses were evenly split, with 50% employing in-flight encryption, and 50% not doing so.

Does your organization encrypt data in flight between users and storage?

If an organization does in-flight encryption, the majority, over 56%, do both VPN and IPsec. Of those respondents that reported using just one approach, a higher percentage use VPN than IPsec.

If the answer to the last question is yes, which of the following do you encrypt data in flight with?

Conclusion

As the survey results clearly indicate, many organizations have some work to do when it comes to securing their sensitive assets. For example, in EMEA, only about 6% of organizations encrypt more than 75% of their sensitive or regulated data. As they look to broaden their encryption deployments, organizations will have several approaches to choose from, including server based, application level, and full disk encryption.

Full disk encryption in storage arrays is an important underlying technology, offering a way to protect against physical disk drives being removed and accessed by unauthorized users. However, CSOs and industry analysts are increasingly pointing to a significant limitation of full disk encryption: This approach simply doesn’t offer protection against insider threats. When full disk encryption is employed, every access to data—no matter when, why, or by whom—is in clear text. Given the fact that, by some estimates, about 66% of incidents relating to corporate fraud stem from malicious insiders [1], this is clearly a significant limitation.

[1] Kroll Advisory Solutions, “Global Fraud Report”, 2012/2013, http://www.kroll.com/library/KRL_FraudReport2012-13.pdf


©2013 SafeNet, Inc. All rights reserved. SafeNet and SafeNet logo are registered trademarks of SafeNet. All other product names are trademarks of their respective owners. WP (EN) A4-31Oct2013


By contrast, the use of distributed, application-based approaches or centralized, network-based technologies can provide much finer granularity in applying encryption and access controls. Centralized, network-based technologies generally prove easier to manage than application-based technologies and provide the highest levels of access control and authentication, which is essential in protecting sensitive assets from rogue administrators.

Finally, it is important to underscore that encryption alone is only part of the solution. Encryption keys, regardless of which technology creates them, must themselves be preserved in a secure and highly reliable manner. Toward this end, a standards-based enterprise key management platform that can be used to control keys over their entire life cycle is essential. These platforms are critical in ensuring that authorized people and applications can always access encrypted data.

About the Survey

Following are more details on the survey scope and the makeup of survey respondents:

• Geographic breakdown. The survey polled respondents across North America and EMEA. Approximately two-thirds of respondents were from North America, and while most individuals were based in the United States, a significant number were from Canada. Respondents also came from a number of countries in Western Europe, including France, Germany, Greece, Italy, Netherlands, Sweden, Switzerland, and the U.K.; Eastern Europe, including Estonia, Poland, Romania, and Ukraine; and the Middle East, including Saudi Arabia, Turkey, and UAE.

• Organization size. Respondents represented a broad range of organization sizes, with respondents evenly split across the spectrum. Almost 22% represented companies with less than 50 employees. Over 29% were employed by companies with over 5,000 employees.

• Industries. Survey respondents came from a range of industries, with the highest number, 35%, coming from financial services. 33% were from the manufacturing sector. 24% worked in government agencies and 12% came from healthcare organizations.

What is your primary industry?

About SafeNet

Founded in 1983, SafeNet, Inc. is one of the largest information security companies in the world, and is trusted to protect the most sensitive data for market-leading organizations around the globe. SafeNet’s data-centric approach focuses on the protection of high value information throughout its lifecycle, from the data center to the cloud. More than 25,000 customers across commercial enterprises and government agencies trust SafeNet to protect and control access to sensitive data, manage risk, ensure compliance, and secure virtual and cloud environments.
