Paul Stamp, Senior Analyst, Forrester Research
Teleconference: Adopting An Enterprise Approach To Encryption
Paul Stamp
Senior Analyst
Forrester Research
April 3, 2007. Call in at 12:55 pm Eastern Time
Entire contents © 2007 Forrester Research, Inc. All rights reserved.
Agenda
• Why encryption?
• What encryption?
• How encryption?
Encryption — why we do it
• Because somebody says we should do it
• Because we’ve been burned in the past
Very few people do it “because we think we ought to”
What do we encrypt?
• Typically — not a lot of . . .
» Networks & VPNs
» Laptops & desktops
» File transfers
» Databases
Email encryption adoption by vertical
[Bar chart, 0% to 45% scale, showing the share of respondents likely to invest in email encryption in 2007 for: retail & wholesale trade; business services; public sector; utilities & telecommunications; manufacturing; media, entertainment, & leisure; finance & insurance]
“Are you likely to invest in email encryption in 2007?”
Base: 712 technology decision-makers at North American and European enterprises
Source: Business Technographics® September 2006 North American And European Enterprise Software Survey
Why now?
• Contractual obligations
» PCI, partner agreements
• Safe harbor from mandatory disclosure requirements
» “. . . whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person” (CA SB 1386)
• Best practice-based demands
» HIPAA, EU Data Protection Directive, etc.
Laptop encryption is the new flavor of the month
[Bar chart, 2005 vs. 2006, 0 to 40 scale, showing deployment of full disk or file encryption: to all computers; to desktops only; to laptops only; to select laptops only; no, but plan to in the next year; no plans to use encryption tools; don’t know]
“Has your organization deployed full disk or file encryption to desktops and laptops?”
Source: Forrester Security Panel Survey 2005 and 2006
Base: 149 technology decision-makers at North American SMBs and enterprises (184 in 2006)
Agenda
• Why encryption?
• What encryption?
• How encryption?
When do we encrypt?
• Data in motion
» Keys needed to authenticate and initiate connection
» Keys needed at the point in time of the connection
• Data at rest
» Keys needed to encrypt and decrypt stored data
» Keys needed at an unspecified time in the future
» Key escrow often required
Problems with encryption
• Cost
» Licensing costs, development costs
• Administrative overhead
» Key management, support processes
• Visibility
» Network monitoring has little visibility into encrypted traffic
Considerations for laptop encryption
• File level
» More elegant, allows more “follow the data” encryption
» BUT . . . more cumbersome, demands user decision
» Vendors include: Entrust, PGP
• Disk level
» Quicker and easier
» Support processes normally “save the laptop, not the data”
» Still demands user changes in behavior — laptop is “storage of convenience”
» Vendors include: Credant, Pointsec, Guardian Edge, Utimaco, Safeboot
Other areas of encryption not so well defined
• File transfers
» Variety of methods in place — file level, SFTP, FTPS, etc.
» Vendors include: Sterling Commerce, Attachmate, SSH Corporation, IPSwitch, Proatria, PGP . . .
• Email
» Estimated 80% of encrypted email is TLS or Web mail
» Vendors include: PGP, Voltage, Entrust, PostX
• Databases
» Largely PCI-driven
» Biggest advantage is protection from the DBA
» Vendors include: nCipher, Ingrian, Application Security Inc., Protegrity
Point-based approach leads to
• Inconsistent data protection
• Ad hoc key management
• High licensing costs and performance overheads
How do you manage keys?
• Typical answers
» Manage keys? What keys?
» We use embedded product functionality
» We use manual processes
Key management principles
• Key provisioning
» How will the key get to where it needs to go?
• Key escrow and backup
» How do I keep a copy for safekeeping?
• Key recovery
» How do I recover the key when it’s unavailable?
Key management principles (cont.)
• Key exchange and sharing
» How do I make keys available to those who need them?
• Key rollover
» How do I generate and provision new keys when old keys expire?
• Key destruction
» How do I destroy keys when I’ve finished with them?
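The data-at-rest questions on the “When do we encrypt?” slide and the key management principles above (provisioning, escrow and backup, recovery, rollover, destruction) in one runnable walk-through. This is an added example, not code from the deck or from Forrester; the KeyStore class, the key id "hr-db", the sample record and the HMAC-based toy cipher are assumptions made here so that it runs on the Python standard library alone.

```python
# Added example (not from the Forrester deck): data-key lifecycle with envelope encryption.
# Toy HMAC-SHA256 counter-mode cipher with an encrypt-then-MAC tag: stdlib-only, not production crypto.
import hashlib, hmac, secrets

def _subkeys(key):                        # separate keystream and MAC keys from one key
    return [hmac.new(key, lbl, hashlib.sha256).digest() for lbl in (b"enc", b"mac")]

def _keystream(ek, nonce, length):
    return b"".join(hmac.new(ek, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((length + 31) // 32))[:length]

def encrypt(key, plaintext):              # returns nonce || ciphertext || tag
    ek, mk = _subkeys(key)
    nonce = secrets.token_bytes(16)       # fresh per message; never reuse with the same key
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(ek, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mk, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    ek, mk = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if len(blob) < 48 or not hmac.compare_digest(tag, hmac.new(mk, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered data")   # verify before decrypting anything
    return bytes(c ^ k for c, k in zip(ct, _keystream(ek, nonce, len(ct))))

class KeyStore:
    def __init__(self):
        self.kek = secrets.token_bytes(32)   # key-encryption key, e.g. held in an HSM
        self.escrow = {}                     # key_id -> data key (DEK) wrapped under the KEK
    def provision(self, key_id):             # key provisioning plus escrow/backup
        dek = secrets.token_bytes(32)
        self.escrow[key_id] = encrypt(self.kek, dek)
        return dek
    def recover(self, key_id):               # key recovery: unwrap the DEK from escrow
        return decrypt(self.kek, self.escrow[key_id])
    def rollover(self):                      # key rollover: rewrap DEKs, stored data untouched
        new_kek = secrets.token_bytes(32)
        self.escrow = {k: encrypt(new_kek, decrypt(self.kek, w)) for k, w in self.escrow.items()}
        self.kek = new_kek
    def destroy(self, key_id):               # key destruction: without the DEK, data is unrecoverable
        del self.escrow[key_id]

def demo():
    store = KeyStore()
    dek = store.provision("hr-db")
    record = encrypt(dek, b"constructed sample record: employee 4711")
    store.rollover()                         # KEK rotated; the stored record is untouched
    recovered = decrypt(store.recover("hr-db"), record)
    store.destroy("hr-db")                   # crypto-shredding: the record can no longer be read
    return recovered, "hr-db" not in store.escrow
```

Rollover re-wraps only the escrowed data keys, which is why a KEK rotation never requires re-encrypting the data itself.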
Things to remember
• Key management complexity is a function of business processes — not of the number of keys
• Not all key management processes need to be uniform
• Key management technology will be useless without defined goals and processes
Agenda
• Why encryption?
• What encryption?
• How encryption?
[Figure: Different Types Of Encryption. March 2007, Trends “Adopting An Enterprise Approach To Encryption”]
[Figure: Enterprise Key Management. March 2007, Trends “Adopting An Enterprise Approach To Encryption”]
[Figure: Vendor Offerings. March 2007, Trends “Adopting An Enterprise Approach To Encryption”]
© 2007, Forrester Research, Inc. Reproduction Prohibited
Recommendations
• Start with data classification and handling
• Prioritize based on specific requirements and compensating controls
• Keep a wider picture in mind when complying with specific mandates
Paul Stamp
+1 617/613-6263
www.forrester.com
Thank you