There is little doubt that encryption is a very powerful tool whose inclusion in an enterprises security program can significantly improve the security of an organizations information when thoughtfully implemented and managed correctly. Introduced without a full understanding however and the nuances related to key management lifecycles, implications for users and applications or when using resources ill-suited to the task, unintended negative consequences can occur.
Not surprisingly, compliance to internal policy or external regulatory mandates continue to be the primary drivers for the implementation of enterprise encryption solutions and while that will not change in the near-term, there are other situations where file-level encryption represents a suitable control. Among the many other drivers that commonly mentioned are:
- Privacy of personally identifiable information (PII) – regulated and unregulated
- Contractual obligations with customers and 3rd Party service providers
- Best practice implementation
- Data confidentiality with cloud-based storage providers
The addition of a robust encryption solution is significantly more than a complementary capability to other existing or planned solutions but rather a cornerstone component that can assist in addressing regulatory, internal policy, confidentiality and privacy considerations. Used in conjunction with a comprehensive data classification scheme expressing the specific aspects of the entity’s data governance policy, data-level encryption of sensitive information can significantly increase an organizations overall security posture.
By its very nature the successful implementation of any data-level encryption solution involves technical complexity that requires thorough investigation prior to introduction into any enterprise environment. Interoperability with existing applications, storage schemes, network architecture and user workflow considerations must be identified and addressed if acceptable outcomes are to be realized. In addition to the purely technical considerations, consensus on data governance policy, data ownership, identification of inclusion criteria (policy interpretation) and location of data requiring encryption are significant but manageable steps in a sustainable data-level encryption solution.
The widespread adoption of proven encryption solutions that have enjoyed long-term market success will continue to accelerate as familiarity and usability grows. The complexity of key management and ability to integrate encryption into user workflows have matured to the point where widespread successful adoption requires skilled but not dedicated resources typically available in many organizations.
While data classification and encryption are not new to information security practitioners, the capabilities and stability offered by leading vendors has changed significantly. Mature data-level encryption solutions that leverage metadata provide the level of precision necessary to address complex regulatory and business requirements without undue disruption to operations.
There are a handful of technologies and capabilities where vendor focus and dedication to a core competency is vitally important, data classification and encryption are two of those capabilities and when deployed in a complementary manner offer significant benefits to an organizations data governance efforts.