Report: Firms avoid encrypting backup tapes, databases

By Ron Condon, U.K. Bureau Chief
26 Oct 2009 | SearchSecurity.co.UK

A global survey has shown that most organisations still avoid encrypting tapes and databases because they fear it will affect performance and make data recovery more difficult.

The figures come from a study, which was commissioned by the information systems company Thales Group and carried out by California-based market research company Trust Catalyst. The research took feedback from 655 companies around the world, 45% of them in Europe.

It found that the top types of encryption being used were Web server encryption (77% of respondents), server-based file encryption (57%), desktop file encryption (56%), FTP file encryption (54%) and network link encryption (53%).

Database encryption, however, was used in only 43% of companies, and just 41% of respondents said they were encrypting backup tapes.

The main reasons for not introducing encryption were cost and complexity. The cost of the encryption tool was the prime cause in 26% of cases, followed by the cost of managing the encryption product.

Some companies had bad experiences with encryption. Eight percent of respondents admitted they had lost keys in the past, resulting in many being unable to recover data. The complexity of key management was cited by 17% of companies as a reason for not encrypting databases, especially since they needed to be able to recover quickly from any database outage. Nearly half (49%) of those surveyed said they would need to recover their database within one hour.

Key management complexity also discouraged 24% from encrypting backup tapes. Some were worried about losing keys and not being able to access backup data, especially data that had been archived for a longer period. One in five respondents said it would take an actual data breach to trigger tape encryption in their organisations.

Commenting on this aspect, the report stated: "The likelihood of breaches and the costs to the business are only increasing. In our opinion, organisations that ship tapes must encrypt tapes."

One explanation for the uncertainty concerning key management lies in the answer the respondents gave to the question: "Where are your encryption keys stored?" Some said they stored keys in a hardware security module (HSM), others in a database, on a disk or on a USB device. But the majority of respondents -- in practically every category apart from Web server keys, full disk encryption keys and desktop file encryption -- admitted they had no idea where keys were kept.

The report's author is Kimberley Getgen, who, before founding Trust Catalyst, worked for RSA, the security division of EMC, and then founded Reconnex Corp., a data leakage prevention company she sold to McAfee Inc. last year.

She concluded that "given the new regulatory climate, many organisations will need to ask themselves what will be worse -- paying for automated key management to overcome data availability fears, or losing customers in a [data] breach."

Getgen added that given the high potential cost of a data breach -- in terms of fines, loss of reputation and the cost of informing those affected -- it was "no longer a sustainable risk management strategy" to postpone encryption decisions, especially for backup tapes.
