Poor Encryption Key Management Leads to Unrecoverable Data, Survey Finds

Enterprises are having trouble recovering business information because they are not properly managing the data encryption keys, which effectively lock them out of the critical data they sought to protect, Symantec found in a survey.

Enterprises are using encryption in more places than ever, but they are not properly securing the keys or using consistent products, a recent report found.

Despite using encryption, poor key management and lack of control over the technologies being used can cost the organization an average of $124,965 a year, according to the 2011 Enterprise Encryption Trends Survey report released by Symantec on Nov. 30.

Most of the costs were related to reduced stock price and brand damage. The cost of improperly securing data does not include the cost of a data breach but reflects the expenses organizations bear because of the time it takes IT to try to find and recover the business data or the key used to secure the data, Tim Matthews, senior director of product marketing at Symantec, told eWEEK.

About 48 percent of the survey participants reported their organization had increased their use of encryption over the past two years, with one third reporting "somewhat to extremely frequent" deployments of "rogue" projects without any centralized management oversight, Matthews said.

Business groups and employees are often independently encrypting the data without involving the IT department, according to Matthews. While the move to encrypt is a good thing, these unauthorized deployments are a challenge for IT because the data is lost and irretrievable if the employee loses the key, forgets the passphrase or leaves the company without passing on custody of the encryption keys. If IT doesn't have the key, it also becomes harder to properly backup the data or to access the information as part of an e-discovery request, he said.

Rogue projects pose a "recovery issue" for organizations since that's data the IT department has no control over and if told by the courts to hand over data, the "enterprise can't really say 'I can't,'" Matthews said.

The costs of improper key management and fragmented encryption deployments result in the organization not being able to meet compliance requests, said 48 percent of the respondents in the survey. Others named the inability to respond to e-Discovery requests and to access important business information.

About 52 percent of the respondents said they have had serious key management problems, with about a third claiming that keys were lost or misplaced keys and another third citing key failure. A little over a quarter, or 26 percent for the participants, said former employees refused to hand over keys when they left the company, according to the survey.

Organizations need to think about the "employee lifecycle" and consider what happens to business data when an employee leaves, Matthews said. It's not enough to just think about the data lifecycle, he said. There needs to be a consistent process for how keys are generated, deployed and managed within the enterprise, according to Matthews.

About 40 percent of the enterprises in the survey were less than somewhat confident they would be able to retrieve keys and 39 percent were less than somewhat confident they would be able to protect data from disgruntled employees, the survey found.

"As the Enterprise Encryption Trends survey demonstrates, encryption needs to evolve from a fragmented protection historically implemented at the line of business level to a capability that is managed as a core component of organizations' IT security operations," said Joe Gow, director of product management at Symantec.

It has become fairly easy to get encryption software online and users are becoming more aware of encryption, according to Matthews. Malicious insiders may encrypt some files to hide their activities.

There may also be a "shadow IT" situation in place where the business has to comply with regulations because of a partner company, Matthews said. For example, regulations may require an insurance company to encrypt certain types of data. The insurance company may in return require partners that handle payments or other business functions to have a system in place to decrypt and encrypt transaction data. With that system from the insurance company in place, the employee at the third-party provider may be encrypting other types of data used internally without IT knowledge, Matthews said.

The survey examined encryption use at 1,575 enterprises around the world. Matthews said this was the "largest sample size" he's ever had for this annual survey. The survey is usually conducted by encryption vendor PGP, which was acquired by Symantec last year.