Despite high profile cases of unencrypted backup tapes going missing, more than a third of organizations still do not know if they will encrypt their backup tapes and half do not know where they would store their tape backup encryption keys. This is one of the alarming findings in the new 2008 Encryption and Key Management Benchmark Survey conducted by research firm Trust Catalyst on behalf of Thales.
The survey indicates that the long list of data loss headlines, coupled with compliance pressures, is driving organizations to encrypt more applications than ever before. Web sever and SSL encryption come top the list with 94% being encrypted, closely followed by desktop file and email encryption along with full disk encryption. Yet tape backup encryption only featured 11th in the list, below USB and mobile device encryption, potentially leaving a major hole in enterprise data protection strategies. This is illustrated by the many recent data losses, including 15,000 patient records stolen after a thief took unencrypted computer tapes from a doctor’s surgery in the UK and 650,000 J.C. Penney customers in the US were put at risk when an unencrypted backup tape was lost.
The survey shows that the difficulty of key storage and management remains a major barrier across all encryption applications. When asked where encryption keys would be stored, more than 40% of respondents answered ‘don’t know’ for seven out of 13 encryption applications. When respondents did know where they would store their keys, the most popular answer was in software on disk.
As well as encryption applications and key storage, the survey also addressed the ways encryption keys are managed. Good key management is essential to make encrypted data accessible to avoid disruption and business costs; while compromising a key can put data at risk and losing a key completely can mean that the information is lost forever.
The cost of data recovery and lost business were at the top of respondents’ lists when it comes to concerns over lost or compromised encryption keys, with compliance only in third place. With real concerns about issues such as backing up and revoking or terminating keys to prevent unauthorized access to data, 69.3% of respondents said that they would chose to use automated and centralized key management systems as opposed to manual processes.