How to eliminate encryption silos

Jason Hart, Gemalto

Working in the encryption business, you’ll quickly learn that there are a number of problems that organizations can run into while deploying the technology. The often-fragmented nature of IT across an entire enterprise can make encryption immensely complicated to deploy and even end up causing headaches rather than curing them. So when we encounter a trend that offers a chance to overcome some of those complexities, it’s worth taking notice. Just such a trend has been emerging lately among some of the larger, security-minded enterprises, and it involves the IT departments looking to act as encryption service providers within their own companies.

Typically, we think of IT as customers of these services, but in a growing number of cases, they are modelling their internal operations after those of the service providers, and hopping on the as-a-service bandwagon. In this model, the IT department centrally operates data encryption and key management and scales it to support any department that needs it. That department can then enforce granular controls over who can and can’t access certain data and applications, while IT maintains central control over security policies for the entire company.

The “IT department as encryption service provider” trend arose from the sometimes-disjointed nature of encryption and tokenization deployments. Different departments, each dealing separately and on an ad-hoc basis with new threats and mandates, end up leaving organizations with security “islands”—disparate, isolated encryption approaches. According to a recent Ponemon survey, the average enterprise has more than 24,000 keys and certificates, 11 applications that require encryption, and seven different key management or encryption platforms! Not only do they have numerous unrelated, sometimes overlapping, encryption platforms deployed across the enterprise, their data is stored in a variety of locations, on-premises and in the cloud. This is simply not sustainable long term.

Security administration is time-consuming, costly and complex, especially when implemented and administered for specific siloed systems and business units rather than across the enterprise on a single platform. As more isolated systems are deployed, it becomes even more difficult to enforce uniform security policies across the organization, and the security organization and the rest of the business must essentially start over – investing time and effort in defining, architecting, and building a new encryption/tokenization system from scratch for each instance. The process of tracking compliance status, preparing for audits and being audited also grows more time consuming as siloed information needs to be sifted through, aggregated and analyzed.

When IT serves as the internal service provider, encryption and key management can be centralized in governance while remaining distributed in use. This means that consistent security policies can be set and enforced for groups across the organization with varying encryption needs, and updated automatically as those needs change.

Standards can be maintained throughout. The “service provider” exposes high-level APIs between its encryption platform and the technologies being deployed, with consistent security parameters across the organization. The encryption service “consumers,” whether they are the business units and developers or the actual applications, databases, or file servers registered to the “service,” benefit from the economies of scale and the security the platform provides. This allows “build once” solutions to be replicated effectively, which simplifies auditing and compliance tracking.
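To make the two preceding points concrete (central policy with distributed use, and a high-level API with one set of security parameters for every consumer), here is an added illustration in Go of what the core of such an internal encryption service looks like. It is not code from the article or from any Gemalto product; the `KeyService`, `Policy` and consumer names such as `payroll-app` and `hr-records` are assumptions made for the example. The service owns the raw keys, applies AES-256-GCM for everyone, checks a centrally defined access list on every call, keeps every key version so rotation never strands old data, and records each decision for audit.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Policy is the centrally defined access list: key name -> consumer identity -> allowed ops.
type Policy map[string]map[string]map[string]bool

var ErrDenied = errors.New("policy: consumer not authorised for this operation on this key")
const nonceSize = 12 // cipher.NewGCM's standard nonce size, fixed for every consumer

// KeyService plays the central "encryption service provider" (hypothetical, for this example): it owns
// the raw keys, applies one parameter set everywhere (AES-256-GCM) and enforces Policy. Each key keeps
// every version ever issued (oldest first) so data encrypted before a rotation still decrypts.
type KeyService struct {
	policy   Policy
	versions map[string][]cipher.AEAD
	Audit    []string // one line per policy decision, for compliance review
}

func NewKeyService(p Policy) *KeyService { return &KeyService{policy: p, versions: map[string][]cipher.AEAD{}} }

// Rotate provisions the key on first call and adds a new current version on later calls;
// the raw 256-bit key bytes never leave this function.
func (s *KeyService) Rotate(name string) error {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return err
	}
	block, err := aes.NewCipher(raw)
	if err != nil {
		return err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return err
	}
	s.versions[name] = append(s.versions[name], aead)
	return nil
}

// authorise is the single policy check every operation passes through. An unknown key is
// reported as a denial too, so an unauthorised consumer learns nothing; denials are logged.
func (s *KeyService) authorise(consumer, name, op string) ([]cipher.AEAD, error) {
	versions := s.versions[name]
	if len(versions) == 0 || !s.policy[name][consumer][op] {
		s.Audit = append(s.Audit, fmt.Sprintf("DENY op=%s key=%s consumer=%s", op, name, consumer))
		return nil, ErrDenied
	}
	s.Audit = append(s.Audit, fmt.Sprintf("ALLOW op=%s key=%s consumer=%s", op, name, consumer))
	return versions, nil
}

// Encrypt returns an opaque envelope: 4-byte key version || 12-byte nonce || GCM ciphertext+tag.
func (s *KeyService) Encrypt(consumer, name string, plaintext, aad []byte) ([]byte, error) {
	versions, err := s.authorise(consumer, name, "encrypt")
	if err != nil {
		return nil, err
	}
	env := make([]byte, 4+nonceSize)
	binary.BigEndian.PutUint32(env, uint32(len(versions))) // always the current version
	if _, err := rand.Read(env[4:]); err != nil {
		return nil, err
	}
	return versions[len(versions)-1].Seal(env, env[4:], plaintext, aad), nil
}

// Decrypt picks the key version named in the envelope, so older data still opens after rotation;
// a wrong AAD or any tampering fails GCM authentication.
func (s *KeyService) Decrypt(consumer, name string, envelope, aad []byte) ([]byte, error) {
	versions, err := s.authorise(consumer, name, "decrypt")
	if err != nil {
		return nil, err
	}
	if len(envelope) < 4+nonceSize {
		return nil, errors.New("malformed envelope")
	}
	v := binary.BigEndian.Uint32(envelope)
	if v == 0 || int(v) > len(versions) {
		return nil, errors.New("unknown key version in envelope")
	}
	return versions[v-1].Open(nil, envelope[4:4+nonceSize], envelope[4+nonceSize:], aad)
}

func main() {
	// Constructed sample policy: payroll-app may read and write HR records, marketing-app is not listed.
	svc := NewKeyService(Policy{"hr-records": {"payroll-app": {"encrypt": true, "decrypt": true}}})
	_ = svc.Rotate("hr-records") // first call provisions version 1
	env, _ := svc.Encrypt("payroll-app", "hr-records", []byte("salary=1000"), []byte("employee:42"))
	_ = svc.Rotate("hr-records") // version 2 is now current; version 1 still decrypts
	pt, _ := svc.Decrypt("payroll-app", "hr-records", env, []byte("employee:42"))
	_, err := svc.Decrypt("marketing-app", "hr-records", env, []byte("employee:42"))
	fmt.Println(string(pt), err, svc.Audit)
}
```

The consumer never handles key material: it passes an identity, a key name and data, and gets back an envelope whose version prefix lets the service choose the right key after a rotation. Changing the algorithm, the key length or the rotation schedule is then one change in the service rather than one per business unit, which is the "build once" property the text describes.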

The enterprise is growing increasingly connected, but when sensitive data gets shared across multiple departments, it can introduce security gaps, complexity and latency into critical business processes. By leveraging a cohesive, centrally managed platform, and rolling encryption out as an internal IT service, savvy IT and security teams are becoming more nimble in adapting to changing requirements and challenges. Rather than being stuck in isolated islands, data becomes free to move securely throughout the enterprise to support business objectives, without compromising security.

According to the Ponemon survey, 56 percent of IT professionals say it is “painful” to manage encryption keys. This emerging new approach by IT departments to offer encryption as an internal IT service can alleviate that pain, letting business units operate freely and securely, and without requiring their team members to become experts in cryptography.