Data storage needs are growing exponentially across hybrid multicloud environments. Meanwhile, companies face a greater number of regulations to follow, as well as increased exposure to ransomware, data theft and misuse.

Many regulations, such as the General Data Protection Regulation, highlight encryption as an example of appropriate technical and organizational measures. While not required, encryption comes highly recommended. According to The Data Security And Privacy Playbook by Forrester Research, many breach notification laws excuse an organization from fines and notification requirements when compromised data was encrypted. 

A well-thought-out data encryption strategy can go a long way to address a swath of data protection issues. Data encryption helps keep your business data safe and compliant and provides extra security against unforeseen mishaps. A good data encryption strategy identifies data needed to manage encryption keys and block unauthorized access to company data. 

Here are five key areas of consideration for implementing a successful data encryption program.


1. Develop and Communicate a Data Encryption Plan

Any successful deployment begins with strong collaboration across teams to define a plan for moving forward. Involve relevant executives to get their support in securing a budget and driving plans from the top.

It’s also important to involve database administrators and team members who work with data systems, storage, your network or data security in your data encryption strategy. These stakeholders can help minimize impact to performance and critical timelines during data encryption implementation.

Next, start building a consensus on how encryption aligns with your business goals and priorities to level-set everyone’s understanding and expectations. Look at the teams and systems you have in place. If needed, define any new groups and leaders. Separation of duties is key to proper encryption and key lifecycle management and needs to be defined from the beginning of the process.

2. Identify High Value Data for Encryption Prioritization

When numerous data sources are deployed on-premises and in the cloud, it becomes imperative to build a complete view of what data you have, how sensitive it is and where it resides. This stage in the process can be complex and time-intensive, but a data identification and data mapping process will put you on a path to success.

A good understanding of existing policies and access controls will be necessary to understand how your encryption strategy needs to work with established routines and adjacent technologies. If you have a data discovery and classification solution in place, then much of this work can be automated and properly categorized for encryption prioritization. You will want to protect your high value enterprise assets first due to their sensitive nature and for quick wins that can be leveraged for momentum and to build a case around return on investment.

Your definition of critical data depends on your business and industry. According to the International Data Corporation 2020 Data Security Survey, many IT and security professionals view business-critical information and sensitive, regulated data as most in need of protection.

Business-critical information includes information that makes up or exposes an organization’s competitive advantage, such as intellectual property, trade secrets and business plans. Sensitive, regulated data includes customer and employee information, such as personally identifiable information, social security numbers and health records. Encrypting sensitive data often forms a key provision of many regulations.

3. Explore Encryption Techniques

Once you have formulated a strategy and have a good understanding of your organization’s most critical data, you will need to think about what encryption techniques will be required to protect your data at rest and in transit. Data encryption approaches can be categorized by where they’re employed in the technology stack, which consists of four levels in which data encryption is typically implemented: full-disk or media, file system, database and application.

For many companies, file encryption is an optimal approach due to its broad protections that support most use cases. File encryption is also easy to deploy and operate. The higher in the stack that data encryption is employed, the more complicated the implementation will be. This will have a greater potential impact on performance. In exchange, you will have a greater level of data protection. The goal is to strike a balanced approach.

You should also consider how you want to manage your encryption keys. According to industry experts, the best practice is for your business to take control of all encryption keys, even the ones used to encrypt cloud data. Enforcing this separation of duties and storage keeps encrypted data apart from its encryption keys until access is securely granted.

4. Choose an Encryption Provider

By now, you may have an idea of which encryption providers are available in the market. Now, it’s time to choose the best vendor for your data encryption needs. Be mindful of the criteria you have for product features and functionality and the kind of relationship you want when selecting a vendor. Chances are your interactions with a chosen provider will not stop at the point of purchase. A solution provider with a broad product and services portfolio is better positioned to advise, support and provide integrated solutions as your business grows.

As for the encryption product, choose a vendor who can provide centralized key and policy management, which will simplify operations around data encryption and key lifecycle management and allow you to easily scale in the future.

5. Think Past Deployment

Once you have your solution implemented and running, you will need to continue to monitor for any outliers or violations. You will also need to continue to prove alignment to business and strategic goals and keep an eye on business growth and shifts in order to adapt your encryption strategy as needed.

You should plan on your organization moving more data to the cloud. Check in with your end-users, developers and application owners, who are growing more influential over how companies operate. A strong encryption strategy must be able to adapt to business needs, so develop an approach that considers changes in technology and the requirements of key stakeholders.

These are just a handful of key considerations to have in mind as you start or revive a data encryption strategy.
