adrian_ilie825 - Fotolia
The uptick in the adoption of encryption has been driven by various factors, with the fact that organisations are now using up to four or more public cloud providers combined with the desire by organisations to protect against specific identified threats topping the list.
Security in a multi-cloud environment replaces compliance for the first time, which remains a top driver for encryption along with protecting intellectual property and customer information, according to the study report.
The report is based on a poll of 5,000 in 12 countries, including the UK, conducted by the Ponemon Institute and commissioned by Thales. The report is aimed at reflecting some of the changes and challenges organisations are experiencing as they engage multiple public cloud providers in the face of new data protection regulations.
The study reveals 43% of respondents report that their organisation has an encryption strategy applied consistently across their enterprise to protect sensitive data against cyber criminals, help organisations address complex compliance requirements, and guard against human error.
Encryption, which is achieved with software or hardware tools such as hardware security modules (HSMs), is often coupled with best practice-based key management. Encryption is also playing an increasingly large role in protecting the organisations deploying to the cloud.
The study shows that 39% encrypt in public cloud services, such as Amazon Web Services, up 11% compared with the previous year. At the same time, HSM use grew to the highest level to date of 41%, with the most common use cases for HSMs being SSL/TLS and application-level encryption, while 20% of respondents reported that they use HSMs with blockchain applications.
Other findings include the fact 49% of enterprises are either partially or extensively deploying encryption of data on internet of things (IoT) devices and platforms, that 84% of respondents either use or plan to use the cloud for sensitive/non-sensitive applications and data in the next 12-24 months, and that 61% of respondents are using more than one public cloud provider and 71% plan to do so in the next two years.
Although the report said the survey findings are encouraging, it also identifies area of challenge. These include the fact data discovery rates are named as the top data encryption planning/execution challenge by 67% of respondents, up 8% on the previous year.
Respondents from the UK, Germany, the US and France have the most challenges, which likely points to activities associated with preparation for compliance with data privacy regulations such as EU’s General Data Protection Regulation (GDPR), the report said.
When considering the majority of organisations polled are using more than one public cloud provider, the report also raises questions about how organisations are enforcing consistent encryption and key management policies across multiple cloud suppliers.
“Securing data in a multi-cloud environment can be especially problematic for organisations seeking compliance, particularly if they are attempting to instantiate a single organisational policy using different native tools from multiple cloud providers. Not surprisingly, policy enforcement is second only to performance as a most valued feature of encryption solutions in this year’s study,” the report said.
Larry Ponemon, chairman and founder of The Ponemon Institute, said that while enterprises are rightfully encrypting cloud-based data, 42% of organisations indicate they will only use keys for cloud-based data-at-rest encryption they control themselves.
“Similarly, organisations that use HSMs in conjunction with public cloud-based applications prefer to own and operate those HSMs on-premise. These findings tell us control over the cloud is highly important to companies increasingly under pressure from data security threats and compliance requirements,” he said.
John Grimm, senior director of security strategy at Thales eSecurity said companies are understandably seeking out fast, scalable encryption tools that encompass enterprise and cloud use cases, and enforce policy consistently across both models.
“Fortunately, enterprises have more data protection choices today than when the race to the cloud began. These options include bring your own key and bring your own encryption solutions, which allow enterprises to apply the same encryption and key management solution across multiple platforms,” he said.