Report: Firms avoid encrypting backup tapes, databases

According to a recent survey, cost and complexity have caused many companies to ignore database and tape encryption.

A global survey has shown that most organisations still avoid encrypting tapes and databases because they fear it will affect performance and make data recovery more difficult.

The figures come from a study, which was commissioned by the information systems company Thales Group and carried out by California-based market research company Trust Catalyst. The research took feedback from 655 companies around the world, 45% of them in Europe.

It found that the top types of encryption being used were Web server encryption (77% of respondents), server-based file encryption (57%), desktop file encryption (56%), FTP file encryption (54%) and network link encryption (53%).

Database encryption, however, was used in only 43% of companies, and just 41% of respondents said they were encrypting backup tapes.

The main reasons for not introducing encryption were cost and complexity. The cost of the encryption tool was the prime cause in 26% of cases, followed by the cost of managing the encryption product.

Database security in a tough economy

A new report from Forrester Research Inc. highlights eight valuable database and server data security technologies.
Some companies had bad experiences with encryption. Eight percent of respondents admitted they had lost keys in the past, resulting in many being unable to recover data. The complexity of key management was cited by 17% of companies as a reason for not encrypting databases, especially since they needed to be able to recover quickly from any database outage. Nearly half (49%) of those surveyed said they would need to recover their database within one hour.

Key management complexity also discouraged 24% from encrypting backup tapes. Some were worried about losing keys and not being able to access backup data, especially data that had been archived for a longer period. One in five respondents said it would take an actual data breach to trigger tape encryption in their organisations.

Commenting on this aspect, the report stated: "The likelihood of breaches and the costs to the business are only increasing. In our opinion, organisations that ship tapes must encrypt tapes."

One explanation for the uncertainty concerning key management lies in the answer the respondents gave to the question: "Where are your encryption keys stored?" Some said they stored keys in a high security module (HSM), others in a database, on a disk or on a USB device. But the majority of respondents -- in practically every category apart from Web server keys, full disk encryption keys and desktop file encryption -- admitted they had no idea where keys were kept.

The report's author is Kimberley Getgen, who before founding Trust Catalyst, worked for RSA, the security division of EMC, and then founded Reconnex Corp., a data leakage prevention company she sold to McAfee Inc. last year.

She concluded that "given the new regulatory climate, many organisations will need to ask themselves what will be worse -- paying for automated key management to overcome data availability fears, or losing customers in a [data] breach."

Getgen added that given the high potential cost of a data breach -- in term of fines, loss of reputation and the cost of informing those affected -- it was "no longer a sustainable risk management strategy" to postpone encryption decisions, especially for backup tapes.

Read more on Application security and coding requirements