Data volume storage needs are growing exponentially across hybrid multicloud environments. Meanwhile, companies are being faced with a greater number of regulations to follow, as well as increased exposure to data ransomware, theft and misuse.
Many regulations, such as the General Data Protection Regulation, highlight encryption as an example of appropriate technical and organizational measures. While not required, encryption comes highly recommended. According to The Data Security And Privacy Playbook by Forrester Research, many breach notification laws excuse an organization from fines and notification requirements when compromised data was encrypted.
A well-thought-out data encryption strategy can go a long way to address a swath of data protection issues. Data encryption helps keep your business data safe and compliant and provides extra security against unforeseen mishaps. A good data encryption strategy identifies data needed to manage encryption keys and block unauthorized access to company data.
Here are five key areas of consideration for implementing a successful data encryption program.
Explore the eBook: “Data encryption: what you need to know.”
1. Develop and Communicate a Data Encryption Plan
Any successful deployment begins with strong collaboration across teams to define a plan for moving forward. Involve relevant executives to get their support in securing a budget and driving plans from the top.
It’s also important to involve database administrators and team members who work with data systems, storage, your network or data security in your data encryption strategy. These stakeholders can help minimize impact to performance and critical timelines during data encryption implementation.
Next, start building a consensus on how encryption aligns with your business goals and priorities to level-set everyone’s understanding and expectations. Look at the teams and systems you have in place. If needed, define any new groups and leaders. Separation of duties is key to proper encryption and key lifecycle management and needs to be defined from the beginning of the process.
2. Identify High Value Data for Encryption Prioritization
It becomes imperative to build a complete view into what data you have, how sensitive it is and where it resides when numerous data sources are deployed on-premises and in the cloud. This stage in the process can be complex and time intensive, but through a data identification and a data mapping process, you will embark on a path to success.
A good understanding of existing policies and access controls will be necessary to understand how your encryption strategy needs to work with established routines and adjacent technologies. If you have a data discovery and classification solution in place, then much of this work can be automated and properly categorized for encryption prioritization. You will want to protect your high value enterprise assets first due to their sensitive nature and for quick wins that can be leveraged for momentum and to build a case around return on investment.
Your definition of critical data depends on your business and industry. According to the International Data Corporation 2020 Data Security Survey, many IT and security professionals view business-critical information and sensitive, regulated data as most in need of protection.
Business-critical information includes information that makes up or exposes an organization’s competitive advantage, such as intellectual property, trade secrets and business plans. Sensitive, regulated data includes customer and employee information, such as personally identifiable information, social security numbers and health records. Encrypting sensitive data often forms a key provision of many regulations.
3. Explore Encryption Techniques
Once you have formulated a strategy and have a good understanding of your organization’s most critical data, you will need to think about what encryption techniques will be required to protect your data at rest and in transit. Data encryption approaches can be categorized by where they’re employed in the technology stack, which consists of four levels in which data encryption is typically implemented: full-disk or media, file system, database and application.
For many companies, file encryption is an optimal approach due to its broad protections that support most use cases. File encryption is also easy to deploy and operate. The higher in the stack that data encryption is employed, the more complicated the implementation will be. This will have a greater potential impact on performance. In exchange, you will have a greater level of data protection. The goal is to strike a balanced approach.
You also should consider how you want to manage your encryption keys. According to industry experts, the best practice is that your business takes control of all encryption keys, even ones used to encrypt cloud data. This proper separation in duties and storage is enforced so the encrypted data is distanced from their encryption keys until access is securely granted.
4. Choose an Encryption Provider
By now, you may have an idea of which encryption providers are available in the market. Now, it’s time to choose the best vendor for your data encryption needs. Be mindful of the criteria you have for product features and functionality and the kind of relationship you want when selecting a vendor. Chances are your interactions with a chosen provider will not stop at the point of purchase. A solution provider with a broad product and services portfolio is better positioned to advise, support and provide integrated solutions as your business grows.
As for the encryption product, choose a vendor who can provide centralized key and policy management, which will simplify operations around data encryption and key lifecycle management and allow you to easily scale in the future.
5. Think Past Deployment
Once you have your solution implemented and running, you will need to continue to monitor for any outliers or violations. You will also need to continue to prove alignment to business and strategic goals and keep an eye on business growth and shifts in order to adapt your encryption strategy as needed.
You should plan on your organization moving more data to the cloud. Check in with your end-users, developers and application owners, who are growing more influential over how companies operate. A strong encryption strategy must be able to adapt to business needs, so develop an approach that considers changes in technology and the requirements of key stakeholders.
These are just a handful of key considerations to have in mind as you start or revive a data encryption strategy. To learn more about the latest in industry practices on data encryption and security, watch IBM leaders explore challenges and potential solutions in the webinar “Next-Generation Data Security Strategies: Exploring Emerging Trends & Best Practices.”
IBM Security Guardium Product Marketing Manager