Data volume storage needs are growing exponentially across hybrid multicloud environments. Meanwhile, companies are being faced with a greater number of regulations to follow, as well as increased exposure to data ransomware, theft and misuse.

Many regulations, such as the General Data Protection Regulation, highlight encryption as an example of appropriate technical and organizational measures. While not required, encryption comes highly recommended. According to The Data Security And Privacy Playbook by Forrester Research, many breach notification laws excuse an organization from fines and notification requirements when compromised data was encrypted. 

A well-thought-out data encryption strategy can go a long way to address a swath of data protection issues. Data encryption helps keep your business data safe and compliant and provides extra security against unforeseen mishaps. A good data encryption strategy identifies data needed to manage encryption keys and block unauthorized access to company data. 

Here are five key areas of consideration for implementing a successful data encryption program.

1. Develop and Communicate a Data Encryption Plan

Any successful deployment begins with strong collaboration across teams to define a plan for moving forward. Involve relevant executives to get their support in securing a budget and driving plans from the top.

It’s also important to involve database administrators and team members who work with data systems, storage, your network or data security in your data encryption strategy. These stakeholders can help minimize impact to performance and critical timelines during data encryption implementation.

Next, start building a consensus on how encryption aligns with your business goals and priorities to level-set everyone’s understanding and expectations. Look at the teams and systems you have in place. If needed, define any new groups and leaders. Separation of duties is key to proper encryption and key lifecycle management and needs to be defined from the beginning of the process.

2. Identify High Value Data for Encryption Prioritization

When numerous data sources are deployed on-premises and in the cloud, it becomes imperative to build a complete view of what data you have, how sensitive it is and where it resides. This stage in the process can be complex and time intensive, but through a data identification and a data mapping process, you will embark on a path to success.

A good understanding of existing policies and access controls will be necessary to understand how your encryption strategy needs to work with established routines and adjacent technologies. If you have a data discovery and classification solution in place, then much of this work can be automated and properly categorized for encryption prioritization. You will want to protect your high value enterprise assets first due to their sensitive nature and for quick wins that can be leveraged for momentum and to build a case around return on investment.

Your definition of critical data depends on your business and industry. According to the International Data Corporation 2020 Data Security Survey, many IT and security professionals view business-critical information and sensitive, regulated data as most in need of protection.

Business-critical information includes information that makes up or exposes an organization’s competitive advantage, such as intellectual property, trade secrets and business plans. Sensitive, regulated data includes customer and employee information, such as personally identifiable information, social security numbers and health records. Encrypting sensitive data often forms a key provision of many regulations.
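
The discovery-and-prioritization step described above can be sketched as follows. This is an added example, not part of the original article: the detector patterns, weights, store names and sample contents are all constructed assumptions, and a real classification solution would use far richer detectors.

```python
import re

# Detectors for the data categories the article names. Patterns and weights
# are illustrative assumptions, not a vetted classification policy.
DETECTORS = {
    "ssn": (re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"), 5),
    "health_record": (re.compile(r"\b(diagnosis|icd-10|patient id)\b", re.I), 4),
    "trade_secret": (re.compile(r"\b(trade secret|confidential|proprietary)\b", re.I), 4),
    "email": (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), 2),
}

# Constructed inventory: store name -> (location, sampled text).
SAMPLE_INVENTORY = {
    "hr_payroll_db": ("on-prem", "Jane Roe 123-45-6789 jane@example.com\nJohn Doe 234-56-7890"),
    "clinic_notes_bucket": ("cloud", "Patient ID 4471, diagnosis: asthma"),
    "rnd_wiki": ("cloud", "Alloy process notes, trade secret, do not share"),
    "marketing_cms": ("cloud", "Spring sale starts Monday. Contact press@example.com"),
    "build_logs": ("on-prem", "build 8841 passed in 312s"),
}

def classify(text):
    """Return {category: hit_count} for every detector that matches."""
    hits = {}
    for name, (pattern, _weight) in DETECTORS.items():
        count = len(pattern.findall(text))
        if count:
            hits[name] = count
    return hits

def prioritize(inventory):
    """Rank stores by sensitivity score, highest first; drop stores with no hits."""
    ranked = []
    for store, (location, text) in inventory.items():
        hits = classify(text)
        score = sum(DETECTORS[name][1] * count for name, count in hits.items())
        if score:
            ranked.append((score, store, location, sorted(hits)))
    # Sort by score descending, then by name for a stable, reviewable order.
    return sorted(ranked, key=lambda r: (-r[0], r[1]))

if __name__ == "__main__":
    for score, store, location, categories in prioritize(SAMPLE_INVENTORY):
        print(f"{score:>3}  {store:<20} {location:<8} {', '.join(categories)}")
```

Stores that score highest are the candidates to encrypt first; stores with no hits drop out of the list but still need periodic rescanning as their contents change.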

3. Explore Encryption Techniques

Once you have formulated a strategy and have a good understanding of your organization’s most critical data, you will need to think about what encryption techniques will be required to protect your data at rest and in transit. Data encryption approaches can be categorized by where they’re employed in the technology stack, which consists of four levels in which data encryption is typically implemented: full-disk or media, file system, database and application.

For many companies, file encryption is an optimal approach due to its broad protections that support most use cases. File encryption is also easy to deploy and operate. The higher in the stack that data encryption is employed, the more complicated the implementation will be. This will have a greater potential impact on performance. In exchange, you will have a greater level of data protection. The goal is to strike a balanced approach.

You should also consider how you want to manage your encryption keys. According to industry experts, the best practice is for your business to take control of all encryption keys, even ones used to encrypt cloud data. This separation of duties and storage is enforced so that encrypted data is kept apart from its encryption keys until access is securely granted.

4. Choose an Encryption Provider

By now, you may have an idea of which encryption providers are available in the market. Now, it’s time to choose the best vendor for your data encryption needs. Be mindful of the criteria you have for product features and functionality and the kind of relationship you want when selecting a vendor. Chances are your interactions with a chosen provider will not stop at the point of purchase. A solution provider with a broad product and services portfolio is better positioned to advise, support and provide integrated solutions as your business grows.

As for the encryption product, choose a vendor who can provide centralized key and policy management, which will simplify operations around data encryption and key lifecycle management and allow you to easily scale in the future.

5. Think Past Deployment

Once you have your solution implemented and running, you will need to continue to monitor for any outliers or violations. You will also need to continue to prove alignment to business and strategic goals and keep an eye on business growth and shifts in order to adapt your encryption strategy as needed.

You should plan on your organization moving more data to the cloud. Check in with your end-users, developers and application owners, who are growing more influential over how companies operate. A strong encryption strategy must be able to adapt to business needs, so develop an approach that considers changes in technology and the requirements of key stakeholders.

These are just a handful of key considerations to have in mind as you start or revive a data encryption strategy. To learn more about the latest in industry practices on data encryption and security, watch IBM leaders explore challenges and potential solutions in the webinar “Next-Generation Data Security Strategies: Exploring Emerging Trends & Best Practices.”
