Data volume storage needs are growing exponentially across hybrid multicloud environments. Meanwhile, companies are being faced with a greater number of regulations to follow, as well as increased exposure to data ransomware, theft and misuse.

Many regulations, such as the General Data Protection Regulation, highlight encryption as an example of appropriate technical and organizational measures. While not required, encryption comes highly recommended. According to The Data Security And Privacy Playbook by Forrester Research, many breach notification laws excuse an organization from fines and notification requirements when compromised data was encrypted. 

A well-thought-out data encryption strategy can go a long way to address a swath of data protection issues. Data encryption helps keep your business data safe and compliant and provides extra security against unforeseen mishaps. A good data encryption strategy identifies data needed to manage encryption keys and block unauthorized access to company data. 

Here are five key areas of consideration for implementing a successful data encryption program.

Explore the eBook: “Data encryption: what you need to know.”

1. Develop and Communicate a Data Encryption Plan

Any successful deployment begins with strong collaboration across teams to define a plan for moving forward. Involve relevant executives to get their support in securing a budget and driving plans from the top.

It’s also important to involve database administrators and team members who work with data systems, storage, your network or data security in your data encryption strategy. These stakeholders can help minimize impact to performance and critical timelines during data encryption implementation.

Next, start building a consensus on how encryption aligns with your business goals and priorities to level-set everyone’s understanding and expectations. Look at the teams and systems you have in place. If needed, define any new groups and leaders. Separation of duties is key to proper encryption and key lifecycle management and needs to be defined from the beginning of the process.

2. Identify High Value Data for Encryption Prioritization

It becomes imperative to build a complete view into what data you have, how sensitive it is and where it resides when numerous data sources are deployed on-premises and in the cloud. This stage in the process can be complex and time intensive, but through a data identification and a data mapping process, you will embark on a path to success.

A good understanding of existing policies and access controls will be necessary to understand how your encryption strategy needs to work with established routines and adjacent technologies. If you have a data discovery and classification solution in place, then much of this work can be automated and properly categorized for encryption prioritization. You will want to protect your high value enterprise assets first due to their sensitive nature and for quick wins that can be leveraged for momentum and to build a case around return on investment.

Your definition of critical data depends on your business and industry. According to the International Data Corporation 2020 Data Security Survey, many IT and security professionals view business-critical information and sensitive, regulated data as most in need of protection.

Business-critical information includes information that makes up or exposes an organization’s competitive advantage, such as intellectual property, trade secrets and business plans. Sensitive, regulated data includes customer and employee information, such as personally identifiable information, social security numbers and health records. Encrypting sensitive data often forms a key provision of many regulations.

3. Explore Encryption Techniques

Once you have formulated a strategy and have a good understanding of your organization’s most critical data, you will need to think about what encryption techniques will be required to protect your data at rest and in transit. Data encryption approaches can be categorized by where they’re employed in the technology stack, which consists of four levels in which data encryption is typically implemented: full-disk or media, file system, database and application.

For many companies, file encryption is an optimal approach due to its broad protections that support most use cases. File encryption is also easy to deploy and operate. The higher in the stack that data encryption is employed, the more complicated the implementation will be. This will have a greater potential impact on performance. In exchange, you will have a greater level of data protection. The goal is to strike a balanced approach.

You also should consider how you want to manage your encryption keys. According to industry experts, the best practice is that your business takes control of all encryption keys, even ones used to encrypt cloud data. This proper separation in duties and storage is enforced so the encrypted data is distanced from their encryption keys until access is securely granted.

4. Choose an Encryption Provider

By now, you may have an idea of which encryption providers are available in the market. Now, it’s time to choose the best vendor for your data encryption needs. Be mindful of the criteria you have for product features and functionality and the kind of relationship you want when selecting a vendor. Chances are your interactions with a chosen provider will not stop at the point of purchase. A solution provider with a broad product and services portfolio is better positioned to advise, support and provide integrated solutions as your business grows.

As for the encryption product, choose a vendor who can provide centralized key and policy management, which will simplify operations around data encryption and key lifecycle management and allow you to easily scale in the future.

5. Think Past Deployment

Once you have your solution implemented and running, you will need to continue to monitor for any outliers or violations. You will also need to continue to prove alignment to business and strategic goals and keep an eye on business growth and shifts in order to adapt your encryption strategy as needed.

You should plan on your organization moving more data to the cloud. Check in with your end-users, developers and application owners, who are growing more influential over how companies operate. A strong encryption strategy must be able to adapt to business needs, so develop an approach that considers changes in technology and the requirements of key stakeholders.

These are just a handful of key considerations to have in mind as you start or revive a data encryption strategy. To learn more about the latest in industry practices on data encryption and security, watch IBM leaders explore challenges and potential solutions in the webinar “Next-Generation Data Security Strategies: Exploring Emerging Trends & Best Practices.”

More from Cloud Security

How I got started: Cloud security engineer

3 min read - In today’s increasingly cloud-focused business environment, cloud security engineers are pivotal in protecting an organization’s critical data and infrastructure. As experts in cloud security, they leverage their expertise to ensure that the ever-expanding amount of cloud data is safe from emerging threats and vulnerabilities. Cloud security professionals combine their passion for technology with a deep understanding of security principles to design and implement robust cloud security strategies. What experience do these security experts have, and what led them to the…

“Authorized” to break in: Adversaries use valid credentials to compromise cloud environments

4 min read - Overprivileged plaintext credentials left on display in 33% of X-Force adversary simulations Adversaries are constantly seeking to improve their productivity margins, but new data from IBM X-Force suggests they aren’t exclusively leaning on sophistication to do so. Simple yet reliable tactics that offer ease of use and often direct access to privileged environments are still heavily relied upon. Today X-Force released the 2023 Cloud Threat Landscape Report, detailing common trends and top threats observed against cloud environments over the past…

Lessons learned from the Microsoft Cloud breach

3 min read - In early July, the news broke that threat actors in China used a Microsoft security flaw to execute highly targeted and sophisticated espionage against dozens of entities. Victims included the U.S. Commerce Secretary, several U.S. State Department officials and other organizations not yet publicly named. Officials and researchers alike are concerned that Microsoft products were again used to pull off an intelligence coup, such as during the SolarWinds incident. In the wake of the breach, the Department of Homeland Security…

What you need to know about protecting your data across the hybrid cloud

6 min read - The adoption of hybrid cloud environments driving business operations has become an ever-increasing trend for organizations. The hybrid cloud combines the best of both worlds, offering the flexibility of public cloud services and the security of private on-premises infrastructure. We also see an explosion of SaaS platforms and applications, such as Salesforce or Slack, where users input data, send and download files and access data stored with cloud providers. However, with this fusion of cloud resources, the risk of data…