2013 Global Encryption Trends Study
Encryption continues along its path to mainstream adoption
but key management concerns highlight potential barriers to
deployment.
Sponsored by Thales e-Security
Independently conducted by Ponemon Institute LLC
Publication Date: February 2014
Ponemon Institute© Research Report
Table of Contents (from page, to page)
Part 1. Executive Summary: 2 to 4
Part 2. Key Findings: 5 to 36
  Strategy and adoption of encryption: 5 to 7
  Trends in encryption adoption: 8 to 10
  Encryption and security effectiveness (SES): 11 to 13
  Threats, main drivers and priorities: 14 to 19
  Deployment choices and decision criteria: 20 to 22
  Encryption features considered most important: 23
  Attitudes about key management: 24 to 27
  Importance of the key management interoperability protocol (KMIP): 28 to 29
  Importance of hardware security modules (HSM): 30 to 32
  Budget allocations: 33 to 35
Part 3. Methods & Limitations: 37 to 39
Appendix: Consolidated Findings: 40 to 47
Thales e-Security & Ponemon Institute© Research Report
Page 1
2013 Global Encryption Trends Study [1]
Ponemon Institute, February 2014
Part 1. Executive Summary
Ponemon Institute is pleased to present the findings of the 2013 Global Encryption Trends Study, sponsored by Thales e-Security. We surveyed 4,802 individuals across multiple industry sectors in eight countries: the United States, United Kingdom, Germany, France, Australia, Japan, Brazil and, for the first time, the Russian Federation. [2] The purpose of this research is to examine how the use of encryption has evolved over the past nine years and the impact of this technology on the security posture of organizations. The first encryption trends study was conducted in 2005 for a US sample of respondents. [3] Since then we have expanded the scope of the research to include respondents in all regions of the world. This year, for the first time, the survey included respondents in the Russian Federation.
In our research we consider the threats organizations face and how encryption is being used to reduce these risks. As in prior years, we asked questions about the types of encryption technologies deployed, the most salient threats to sensitive and confidential information, data protection priorities, and budgeted expenditures for encryption and key management activities.
Following is a summary of our most salient findings. More details are provided for each key finding listed below in the next section of this paper. We believe the findings are important because they demonstrate the relationship between encryption and a strong security posture. As shown in this research, organizations with a strong security posture are more likely to invest in encryption and key management to meet their security missions.
Following are the major encryption trends over nine years:
- Steady improvement in the security posture of participating companies.
- Increase in the use of encryption as part of an enterprise strategy rather than a point solution.
- More influence at the business unit level in choosing and deploying encryption technologies.
- Decrease in the importance of compliance as a main driver to encryption adoption as focus shifts to honoring privacy obligations.
- Continued awareness of the key management interoperability protocol (KMIP) and adoption of hardware security modules (HSM).
- Increase in spending on encryption and key management as a percentage of the IT budget.
Summary of key findings:
More organizations are adopting an enterprise encryption plan or strategy rather than relying on ad hoc requirements or informal policies. Since the first study, the number of respondents reporting that their organizations have a comprehensive encryption strategy has increased relative to those who say their organizations do not have such a strategy. Today, organizations that have a comprehensive strategy outnumber those that do not by more than two to one.
Business unit leaders are gaining influence over their company’s use of encryption solutions. IT leaders are still most influential in determining the use of encryption. However, non-IT business managers are becoming more influential. This indicates that business unit leaders are taking a greater role in determining the encryption technologies their organizations need to ensure data security and privacy.
[1] This year’s study was completed in December 2013 for eight country samples.
[2] In the figures, countries are abbreviated as follows: Germany (DE), Japan (JP), United States (US), United Kingdom (UK), Australia (AU), France (FR), Brazil (BZ) and Russia (RF).
[3] The trend analysis shown in this study was performed on combined country samples spanning nine years (since 2005).
Encryption usage is an indicator of a strong security posture. Organizations that deploy
encryption extensively throughout the enterprise as opposed to limiting its use to a specific purpose
(i.e., point solutions) appear to be more aware of threats to sensitive and confidential information
and spend more on IT security. In other words, encryption use makes a strong contribution to an
organization’s overall security posture. Furthermore, organizations with a strong security posture
are three times more likely to have an encryption strategy than those with a lower security posture.
Employee mishap is considered the main threat to sensitive and confidential data.
Concerns over accidental data leakage outweigh fears about attacks by malicious insiders or
hackers by almost a factor of two.
The main driver for using encryption is lessening the impact of data breaches. This
represents a shift in priorities. In previous years, the primary driver was protecting brand or
reputation. In Australia and France the main reason for encryption is to comply with privacy or
data security regulations and requirements.
Encryption has a major impact on the perceived need to disclose data breaches. There is a
wide range in attitudes regarding the perceived need to disclose a breach. However, the findings
indicate that respondents in all countries recognize that data encryption minimizes notification
requirements to breach victims.
The discovery of data at risk and the actual deployment of encryption are the top two
challenges. Of least concern are allocating budget, selecting the right encryption solution and
options and measuring effectiveness.
The use of encryption is steadily growing in all categories. The encryption of external public
networks, databases and backup files are most likely to be extensively deployed throughout the
enterprise. Deployment of encryption in cloud environments remains low. Seventy percent of
respondents report they are deploying five or more different types of encryption.
Financial service companies are most likely to use encryption technologies throughout
the enterprise. In contrast, manufacturing and retail organizations are less likely to extensively
deploy encryption. The strongest growth in adoption of encryption is seen in the financial services
and hospitality sectors.
German, US and Russian companies are most likely to use encryption technologies
throughout the enterprise. Australian, French and Japanese companies are the least likely to
extensively use encryption technologies.
Most important features of encryption technology solutions are system performance and latency, automated management of keys and automated enforcement of policies. The least important features are support for longer encryption keys and support for format preserving encryption. The importance of all aspects of functionality has increased as more organizations deploy encryption. The issue of whether the encryption solution conforms to security standards has become more significant.
Key management is painful for most organizations. More than half of all respondents rated
the “pain” associated with key management to be 7 or higher (based on a scale of 1 = minor to 10
= severe). Even though more than 75 percent of respondents report that key management is a
well-defined discipline in their organizations, only 23 percent say that the task of managing keys
has dedicated resources or tools.
Key management standards and hardware security modules (HSM) are increasing in importance for participating companies. The Key Management Interoperability Protocol (KMIP) and HSMs provide mechanisms for unifying and automating key management activities and reducing the risk of key management processes being subverted as a way to gain illicit access to encrypted data.
Part 2. Key Findings
Strategy and adoption of encryption
Since we began conducting this study, there has been a steady increase in organizations with an encryption strategy applied consistently across the entire enterprise. In turn, there has been a steady decline in organizations not having an encryption plan or strategy. Figure 1 shows these changes over the past nine years.
Figure 1. Trends in encryption strategy
[Line chart, FY2005 to FY2013. Series: company has an encryption strategy applied consistently across the entire enterprise; company does not have an encryption strategy.]
According to Figure 2, the prevalence of an enterprise encryption strategy varies among the
countries represented in this research. The highest prevalence of an enterprise encryption
strategy is reported in Germany followed by the US and Japan. Respondents in Australia and
Brazil report the lowest adoption of an enterprise encryption strategy.
Figure 2. Differences in enterprise encryption strategies by country
[Bar chart for US, UK, DE, FR, AU, JP, BZ and RF. Series: company has an encryption strategy applied consistently across the entire enterprise, with the eight-country average. Highest value 53% (DE).]
Figure 3 shows the most influential functional areas for defining the company’s encryption
strategy. The figure shows that IT operations are deemed most influential in determining the
organization’s enterprise encryption strategy. In this study, “lines of business” are defined as
those with commercial or executive responsibility within the organization.
Figure 3. Most influential for determining the company’s encryption strategy
IT operations: 35%
Lines of business or general management: 26%
No single function has responsibility: 19%
Security: 15%
Finance: 3%
Compliance: 1%
Figure 4 shows that the IT operations function has consistently been most influential in framing the organization’s encryption strategy over nine years. However, that picture is steadily changing with business unit leaders gaining influence over their company’s encryption strategy.
We posit that the rising influence of business leaders reflects a general increase in consumer concerns over data privacy and the importance of demonstrating compliance with privacy and data protection mandates. It is also probable that the rise of employee-owned devices (BYOD) and the general consumerization of IT has had an effect. It is interesting to note that the influence of the security function on encryption strategy has been relatively constant (flat line) over the past nine years.
Figure 4. Influence of IT operations, lines of business and security
[Line chart, FY2005 to FY2013. Series: IT operations; lines of business; security.]
Figure 5 shows the distribution of respondents who rate IT operations, LOB and security as most influential in determining their organization’s encryption strategy. This chart shows IT operations as most influential followed by business managers in six of eight countries. Japanese, German and Australian respondents see the influence of IT at a much higher level than business managers and security. In contrast, the US and UK see business managers as more influential than IT operations. In addition, respondents in the US and Australia rate security as having a higher level of influence on setting their organization’s encryption strategy than in other countries.
Figure 5. Influence of IT operations, LOB and security by country
[Bar chart for JP, DE, AU, FR, RF, UK, BZ and US. Series: IT operations; lines of business; security.]
Trends in adoption of encryption
Since we began tracking the enterprise-wide use of encryption in 2005, there has been a steady increase in the encryption solutions used by organizations. [4] Figure 6 summarizes enterprise-wide usage consolidated for various encryption technologies over nine years. This continuous growth in enterprise deployment suggests encryption is important to an organization’s security posture. Figure 6 also shows the percentage of the overall IT security budget dedicated to encryption-related activities. As expected, the patterns for deployment and budget show a strong correlation.
Figure 6. Trend on the extensive use of encryption technologies
[Line chart, FY2005 to FY2013. Series: extensive deployment of encryption; percent of the IT budget earmarked for encryption.]
[4] The combined sample used to analyze trends is explained in Part 3. Methods.
Figure 7 shows a positive relationship between encryption strategy and the deployment of
encryption. German organizations have the highest percentage of companies with an enterprise
encryption strategy and they are the most extensive users of encryption technologies. In contrast,
Australia has the lowest percentage of companies with an enterprise strategy for encryption.
Figure 7. Extensive use and prevalence of an enterprise encryption strategy by country
[Bar chart for US, UK, DE, FR, AU, JP, BZ and RF. Series: extensive deployment of encryption (average of 13 categories); encryption strategy applied consistently across the entire enterprise.]
Figure 8 shows the extensive usage of encryption solutions for 10 industry sectors over two years. With one exception (retailing), results suggest a steady increase in all industry sectors between 2012 and 2013. The most significant increases in encryption usage occur in financial services and hospitality.
Figure 8. The extensive use and availability of an enterprise strategy by industry
Extensive use for FY2012 and FY2013, by industry:
Financial services: 38%, 43%
Services: 37%, 39%
Transportation: 33%, 35%
Technology & software: 31%, 33%
Health & pharma: 29%, 31%
Hospitality: 21%, 26%
Consumer products: 24%, 25%
Public sector: 23%, 24%
Retailing: 21%, 21%
Manufacturing: 17%, 19%
Encryption and Security Effectiveness (SES)
To estimate the security posture of organizations, we used the Security Effectiveness Score or SES as part of the survey process. [5] The SES range of possible scores is +2 (most favorable) to -2 (least favorable). We define an organization’s security effectiveness as being able to achieve the right balance between efficiency and effectiveness across a wide variety of security issues and technologies.
A favorable score indicates that the organization’s investment in people and technologies is both effective in achieving its security mission and is also efficient. In other words, they are not squandering resources and are still being effective in achieving their security goals.
Following is a summary of the average SES for each country sample for two years. Germany achieves the highest score, while Brazil has the lowest score over the past three years.
Figure 9. Average security effectiveness score (SES) in ascending order by country
*2011 and 2012 data is not available for the RF sample
[Bar chart for DE, JP, US, UK, RF*, AU, FR and BZ. Series: SES FY2011; SES FY2012; SES FY2013.]
[5] The Security Effectiveness Score was developed by Ponemon Institute in its annual encryption trends survey to define the security posture of responding organizations. The SES is derived from the rating of 24 security features or practices. This method has been validated from more than 45 independent studies conducted since June 2005. The SES provides a range of +2 (most favorable) to -2 (least favorable). Hence, a result greater than zero is viewed as net favorable.
Figure 10 reports the SES results compiled from encryption trend studies conducted over nine
years. The trend line shown below is increasing, which suggests the security posture of
participating companies has increased over this time period.
Figure 10. Trend in average Security Effectiveness Score (SES)
[Line chart of the average SES, FY2005 to FY2013.]
Figure 11 summarizes a cross-tab analysis of SES and the percentage of organizations that have
an enterprise-wide encryption strategy and the percentage that have an extensive deployment of
encryption. We divide the overall sample into four quartiles based on SES. We see that
organizations in the highest SES quartile sub-sample are nearly three times more likely to deploy
a holistic encryption strategy than companies in the lowest SES quartile sub-sample (41 percent
versus 16 percent).
This figure also shows organizations in the highest SES quartile sub-sample are more than two
times more likely to be extensive users of encryption technologies than companies in the lowest
SES quartile sub-sample (38 percent versus 15 percent). The pattern of quartile averages in
Figure 11 provides strong evidence that both encryption strategy and the use of encryption make
an important contribution to organizations’ security posture.
Figure 11. Analysis of encryption strategy and use by SES quartile (security posture)
[Bar chart by SES quartile: first quartile (SES = 1.29), second quartile (SES = .81), third quartile (SES = .23), fourth quartile (SES = .01). Series: extensive deployment of encryption (average of 13 categories); encryption strategy applied consistently across the entire enterprise.]
Figure 12 reports a scattergram showing the interrelationship between the respondents’ encryption use profile and SES. The encryption use profile is a ratio variable between +1 and -1 compiled from the extensive use of 11 encryption technologies. [6] This diagram clearly shows a clustering of data points that form a positive (upward sloping) relationship, which suggests that encryption use and a strong security posture (high SES) are inextricably linked.
Figure 12. Scattergram depicting the relationship between encryption use ratio and security posture
[Scatter plot. X-axis: SES, from -2 (low) to +2 (high). Y-axis: encryption use profile, from -1 to +1.]
[6] Each respondent was assigned a profile score based on their organizations’ extensive use of encryption technologies. Those respondents who said their organizations extensively deployed all 11 encryption technologies were rated +1. Those respondents who said they did not extensively deploy any one of the 11 encryption technologies were rated -1. Hence, most respondents earned a rating between these two limits.
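The SES quartile cross-tab of Figure 11 and the encryption use profile behind Figure 12, as an added example that is not part of the report: the use profile follows footnote 6 (all 11 technologies = +1, none = -1), while the linear scale between those limits, the equal-count quartile split and the respondent records are assumptions constructed for illustration, not survey data.

```python
"""Reproduce the report's SES-quartile cross-tab (Figure 11) and the encryption use
profile behind the scattergram (Figure 12) on constructed respondent records.
Added example; not the report's own code or data."""
from dataclasses import dataclass
from statistics import mean

# Footnote 6: extensively deploying all 11 technologies scores +1, deploying none
# scores -1.  A linear scale between those two limits is assumed here; the report
# does not spell out the intermediate mapping.
USE_PROFILE_TECH_COUNT = 11


@dataclass(frozen=True)
class Respondent:
    ses: float              # Security Effectiveness Score, -2 (least) .. +2 (most favorable)
    has_strategy: bool      # encryption strategy applied consistently across the enterprise
    extensive_techs: int    # how many of the 11 technologies are deployed enterprise-wide


def use_profile(extensive_techs: int, total: int = USE_PROFILE_TECH_COUNT) -> float:
    """Map a count of extensively deployed technologies onto the -1 .. +1 use profile."""
    if not 0 <= extensive_techs <= total:
        raise ValueError(f"count must be between 0 and {total}")
    return 2.0 * extensive_techs / total - 1.0


def ses_quartiles(respondents):
    """Split respondents into four equal-count groups by descending SES (assumed method);
    the first group is the highest-SES quartile, as in Figure 11."""
    ordered = sorted(respondents, key=lambda r: r.ses, reverse=True)
    n = len(ordered)
    return [ordered[i * n // 4:(i + 1) * n // 4] for i in range(4)]


def quartile_crosstab(respondents):
    """Per quartile: (mean SES, share with an enterprise strategy, mean extensive-deployment ratio)."""
    rows = []
    for group in ses_quartiles(respondents):
        rows.append((
            round(mean(r.ses for r in group), 2),
            round(mean(1.0 if r.has_strategy else 0.0 for r in group), 2),
            round(mean(r.extensive_techs / USE_PROFILE_TECH_COUNT for r in group), 2),
        ))
    return rows


def pearson(xs, ys):
    """Pearson correlation; quantifies the 'upward sloping' cluster the report reads off Figure 12."""
    mx, my = mean(xs), mean(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    var_x = sum((x - mx) ** 2 for x in xs)
    var_y = sum((y - my) ** 2 for y in ys)
    return cov / (var_x * var_y) ** 0.5


def use_profile_vs_ses(respondents):
    """Correlation between each respondent's use profile and SES, rounded to 2 places."""
    return round(pearson([r.ses for r in respondents],
                         [use_profile(r.extensive_techs) for r in respondents]), 2)


# Constructed sample of 16 respondents (not survey data), ordered by SES.
SAMPLE = [
    Respondent(1.6, True, 9), Respondent(1.4, True, 8), Respondent(1.2, False, 7), Respondent(1.0, True, 6),
    Respondent(0.9, True, 5), Respondent(0.8, False, 4), Respondent(0.7, False, 5), Respondent(0.6, True, 3),
    Respondent(0.4, True, 3), Respondent(0.3, False, 2), Respondent(0.2, False, 2), Respondent(0.1, False, 1),
    Respondent(-0.2, False, 1), Respondent(-0.4, False, 0), Respondent(-0.6, False, 1), Respondent(-1.2, False, 0),
]

if __name__ == "__main__":
    for i, (ses, strategy, deployed) in enumerate(quartile_crosstab(SAMPLE), 1):
        print(f"quartile {i}: mean SES {ses:5.2f}  strategy {strategy:.0%}  extensive deployment {deployed:.0%}")
    print("correlation(use profile, SES) =", use_profile_vs_ses(SAMPLE))
```

On the constructed sample the highest-SES quartile reports a strategy three times as often as the lowest, mirroring the direction of the report's cross-tab.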
Threats, main drivers and priorities
Figure 13 shows that for the past two years the most significant threats to the exposure of sensitive or confidential data are employee mistakes, legal and law enforcement requirements and system process malfunctions. In contrast, the least significant threats to the exposure of sensitive or confidential data include temporary or contract workers and third-party service providers. Concerns over inadvertent exposure (employee mistakes and system malfunction) outweigh concerns over actual attacks by hackers and malicious insiders.
Figure 13. The most salient threats to sensitive or confidential data
[Bar chart. Series: main threats FY2012; main threats FY2013. Categories in descending order: employee mistakes; legal & law enforcement; system malfunction; hackers; malicious insiders; temporary or contract workers; third party service providers; other.]
Figure 14 [7] lists in ascending order the top five perceived data threats by country. It shows marked differences among country samples. Accordingly, respondents in Japan, Australia and the UK rate employee mistakes at a much higher level than respondents in other country samples. In contrast, Japanese respondents are least likely to rate system malfunction as a top security threat.
Figure 14. Top five perceived threats by country
[Bar chart for RF, BZ, JP, AU, FR, DE, UK and US. Categories: employee mistakes; legal & law enforcement; system malfunction; hackers; malicious insiders.]
[7] The consolidated average percentage for each threat category is presented in Figure 13.
The main driver for using encryption is reducing the impact of data breaches. Six drivers for
deploying encryption are presented in Figure 15. Respondents report lessening the impact of
data breach (46 percent) and protecting the organization’s brand or reputation (44 percent) are
the two top reasons for using encryption technologies. Other top drivers for encryption usage
include honoring the organization’s privacy commitments (42 percent) and complying with privacy
and data security regulations (40 percent).
Figure 15. The main drivers for using encryption technology solutions
More than one choice permitted
To lessen the impact of data breaches: 46%
To protect our organization’s brand or reputation: 44%
To ensure that our organization’s privacy commitments are honored: 42%
To comply with privacy or data security regulations and requirements: 40%
To reduce the scope of compliance audits: 22%
To avoid having to notify customers or employees after a data breach occurs: 6%
Figure 16 [8] illustrates marked country differences. As shown, US respondents provide their top rating to lessening the impact of data breaches. Japanese respondents provide their highest rating to protecting the organization’s brand or reputation. Australian and French respondents provide their highest rating to compliance with privacy or data protection regulations.
Figure 16. The top five drivers for using encryption
[Bar chart for RF, BZ, JP, AU, FR, DE, UK and US. Drivers: to lessen the impact of data breaches; to protect our organization’s brand or reputation; to ensure that our organization’s privacy commitments are honored; to comply with privacy or data security regulations and requirements; to reduce the scope of compliance audits.]
[8] The consolidated average percentage for each driver is presented in Figure 15.
Respondents believe data encryption reduces their organization’s obligation to notify individuals in the event of data loss or theft. Figure 17 shows the results of a question asking respondents “Would your organization be required to notify customers after a data breach involving the loss or theft of their personal information?”
This question presented two separate conditions: (1) the breached data is encrypted and (2) the breached data is not encrypted. As can be seen, respondents in all countries recognize that data encryption minimizes notification requirements to breach victims. US respondents appear to be more sensitive to this data breach notification requirement than those in all other countries. The overall average response to notification in the case of unencrypted data loss or theft is 37 percent. In contrast, the average response to notification in the case of encrypted data loss or theft is only 20 percent.
Figure 17. Would a data breach of customers’ personal data require notification?
[Bar chart for US, UK, DE, FR, AU, JP, BZ and RF. Series: customer data was not encrypted; customer data was encrypted.]
Discovering where sensitive data resides in the organization is the biggest challenge. Figure 18 provides a list of six aspects that present challenges to the organization’s effective execution of its data encryption strategy in descending order of importance. Sixty-one percent of respondents say discovering where sensitive data resides in the organization is the number one challenge. In addition, 50 percent of all respondents cite deploying encryption technology as a significant challenge.
Figure 18. Biggest challenges in planning and executing a data encryption strategy
Two choices permitted
Discovering where sensitive data resides in the organization: 61%
Deploying the encryption technology effectively: 50%
Classifying which data to encrypt: 37%
Obtaining the budget to deploy: 24%
Determining which encryption technologies are most effective: 18%
Measuring the effectiveness of the data encryption technologies deployed: 11%
Deployment choices and decision criteria
We asked respondents to indicate if specific encryption technologies are widely or only partially deployed within their organizations. “Extensive deployment” means that the encryption technology is deployed enterprise-wide. “Partial deployment” means the encryption technology is confined or limited to a specific purpose (a.k.a. point solution).
As shown in Figure 19, no single technology dominates because organizations have very diverse deployments. Encryption of external public networks, databases and data backup are the most likely to be deployed. In contrast, encryption for smart phones and tablets and for external cloud services is the least likely to be deployed.
Figure 19. Consolidated view on the use of encryption technologies
[Stacked bar chart. Categories: external public networks; databases; backup files; data center storage; software applications; desktop & workstation; internal networks; laptop; email; file server; cloud encryption gateways; smart phone & tablet; external cloud services. Series: extensive deployment; partial deployment.]
Figure 20 provides a histogram showing the percentage frequency of 13 encryption technologies
deployed by respondents in all country samples combined. As can be seen, 70 percent of the
consolidated sample says their organizations use five or more separate encryption technologies
with 44 percent of organizations deploying between four and six different types of encryption
technology.
Figure 20. Histogram of 13 encryption technologies deployed
[Histogram. X-axis: number of separate encryption technologies deployed, 1 to 13. Y-axis: percentage frequency of respondents.]
The use of encryption varies among countries. Figure 21 reports the extensive and partial deployment data of encryption technologies for eight countries. As shown, respondents in Germany, the US and Russia report higher encryption deployment rates than other countries.
Figure 21. Extensive and partial deployment of data encryption technologies consolidated for 13 encryption technologies
[Stacked bar chart for DE, US, RF, BZ, UK, JP, FR and AU. Series: extensive deployment; partial deployment.]
Figure 22 presents a proportional analysis of 13 encryption technologies extensively deployed within eight country samples. Specifically, Germany and the US are the most extensive users of the encryption technologies listed in the figure. In contrast, France, Japan and Australia seem to be the least extensive users of encryption.
Please note that the percentage shown in each cell represents the extensive usage rate only. Because organizations are using multiple encryption tools, as indicated in the histogram in Figure 20, the sum of these cells across encryption categories and countries exceeds 100 percent.
Figure 22. The extensive use of 13 encryption technologies by country
[Stacked bar chart by country (US, UK, DE, FR, AU, JP, BZ, RF). Categories: backup files; external public networks; databases; data center storage; internal networks; laptop; software applications; desktop & workstation; file server; email; smart phone & tablet; external cloud services; cloud encryption gateways. Each cell is the extensive usage rate only.]
Encryption features considered most important
Respondents were asked to rate encryption technology features considered most important to
their organization’s security posture. According to consolidated findings, system performance and
latency, automated management of encryption keys and automated enforcement of policy are the
three most important features. The ratings of encryption technology features are listed in
descending order of importance in Figure 23. In comparing this year to last year’s results, it is
interesting to see 10 of 12 encryption technology features receiving a higher rating. The most
significant difference concerns conformance with security standards (Diff = 12 percent).
Figure 23. Most important features of encryption technology solutions
Very important response
[Bar chart. Series: very important response FY2012; very important response FY2013. Features in descending order of importance: system performance and latency; automated management of keys; automated enforcement of policy; system scalability; tamper resistance by dedicated hardware; conformance with security standards; centralized management interface; support for the widest range of applications; formal product security certifications; support for emerging algorithms; support for format preserving encryption; supports longer encryption keys.]
- 24. Attitudes about key management
Using a 10-point scale, respondents were asked to rate the overall "pain" associated with
managing keys or certificates within their organization (where 1 = minimal impact, risk and cost and
10 = severe impact, risk and cost). Figure 24 shows that 53 percent of respondents chose
ratings of seven or higher, suggesting a fairly high pain point.
Figure 24. The overall impact, risk and cost associated with managing keys or certificates
Rating (1 = nominal to 10 = severe)   Percentage of respondents
1 to 2                                11%
3 to 4                                16%
5 to 6                                21%
7 to 8                                24%
9 to 10                               29%
Figure 25 shows the so-called "pain index" for respondents in eight countries. The
extrapolated average in every country sample is above the scale midpoint of 5.5, which suggests
that most respondents view managing keys and certificates as a challenging activity. The highest
value is 6.94 in Brazil and the lowest is 5.60 in Japan.
Figure 25. The average overall impact, risk and cost associated with managing keys or certificates, by country (US, UK, DE, FR, AU, JP, BZ, RF, with Average and Median reference lines)
[Chart residue: the per-country averages plotted were 6.40, 6.74, 6.52, 6.94, 6.44, 6.74, 5.60 and 6.00; only Brazil (6.94) and Japan (5.60) can be attributed with certainty from the extraction.]
- 25. Figure 26 lists what respondents view as the primary drivers for developing a key management
strategy. Increased business efficiency and reduced operational cost have been the top two drivers for
the past two years. The largest change between 2012 and 2013 is an eight-point increase in
reduced operational cost as a primary driver for building a key management strategy. In other words, cost
reduction is a higher priority in 2013 than in 2012.
Figure 26. Primary drivers for developing a key management strategy (two choices permitted)
Driver                         FY2012   FY2013
Increase business efficiency   50%      52%
Reduce operational cost        42%      50%
Improve security               33%      36%
Demonstrate compliance         30%      30%
Reduce complexity              31%      28%
None of the above              4%       4%
- 26. Figure 27 reports how key management tasks are viewed within respondents' organizations.
More than half (52 percent) of respondents say their key management tasks are well defined but
constrained because their organizations do not have dedicated staff or tools to perform them.
Only 23 percent say their organizations perform key management
with dedicated expert staff and specialized tools according to well-defined practices.
Figure 27. Key management deployment models
Key management tasks are well defined but the organization does not have dedicated staff or tools to perform key management tasks: 52%
Key management activities are ad-hoc with minimal or no formal definition: 25%
Key management is viewed as a distinct discipline that is defined or performed by dedicated or specialist staff and associated tools according to well defined practices: 23%
Figure 28 compares the country samples for one of the conditions in the above chart: the
percentage answering that key management is a distinct discipline performed by dedicated staff
and specialized tools according to well-defined practices (a.k.a. the "nirvana state"). While all
responses are fairly low, respondents in Germany have the highest percentage (28 percent) and
respondents in Japan the lowest (17 percent).
Figure 28. Perceptions about the key management nirvana state (percentage Yes response by country: US, UK, DE, FR, AU, JP, BZ, RF, plus the consolidated average of 23 percent)
[Chart residue: values plotted were 28%, 26%, 25%, 24%, 23%, 23%, 22% and 17%; only Germany (28%) and Japan (17%) can be attributed with certainty from the extraction.]
- 27. Figure 29 reports the percentage of respondents who say their organizations operate an
internal public key infrastructure (PKI). US organizations have the highest rate at 35 percent,
while organizations in France have the lowest at 15 percent; the consolidated average is 25 percent.
Figure 29. Percentage of respondents' organizations that operate an internal PKI (by country: US, UK, DE, FR, AU, JP, BZ, RF, plus average)
[Chart residue: values plotted were 35%, 31%, 26%, 24%, 19%, 18%, 17% and 15%; only the US (35%) and France (15%) can be attributed with certainty from the extraction.]
- 28. Importance of the Key Management Interoperability Protocol (KMIP)
Figure 30 summarizes the responses to the question "Does your organization deploy encryption
or key management products that support the KMIP key management standard?" As can be
seen, 35 percent of respondents say they plan to make KMIP support a future requirement. Only
13 percent say KMIP support is a primary requirement today.
Figure 30. Is KMIP supported as a primary or secondary requirement?
No, but we plan to make KMIP support a future requirement: 35%
Yes, KMIP support is a secondary requirement: 19%
No, we have not considered KMIP support: 19%
No, KMIP support is not relevant: 14%
Yes, KMIP support is a primary requirement: 13%
Figure 31 summarizes the yes responses in the above chart for the eight country samples. As
shown, 47 percent of German respondents say their organizations presently support KMIP as
either a primary or secondary requirement. Only 28 percent of respondents in Australia, Brazil
and Russia say their organizations support KMIP as a primary or secondary requirement.
Figure 31. KMIP support as a primary or secondary requirement by country (US, UK, DE, FR, AU, JP, BZ, RF, plus average)
[Chart residue: values plotted were 47%, 34%, 30%, 30%, 30%, 28%, 28% and 28%; only Germany (47%) and Australia, Brazil and Russia (28% each) can be attributed with certainty from the extraction.]
- 29. According to 54 percent of respondents, KMIP is most important for cloud based applications and
storage, a 12-point increase from 2012. As shown in Figure 32,
KMIP appears to be least important for end user devices such as laptops, tablets and smart
phones and for remote applications such as retail locations.
Figure 32. Where KMIP is most important (two choices permitted)
Area                                           FY2012   FY2013
Cloud based applications and storage           42%      54%
Storage systems                                36%      37%
Application infrastructure in the data center  35%      35%
Network infrastructure                         35%      34%
Remote applications                            16%      16%
End user devices                               12%      13%
None                                           11%      9%
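The KMIP adoption figures above measure support for a request/response protocol whose wire format is TTLV (Tag, Type, Length, Value). The Go program below is an added example, not code from the report or from any KMIP product: it encodes and decodes TTLV items, builds a minimal KMIP Get request, and checks every peer-supplied length before slicing, which is the check a practitioner wants in any KMIP client or server parser. The item type codes, tag numbers and the Get operation value are written from the KMIP 1.x specification and are flagged as assumptions in the code; confirm them against the edition you implement. The specification's own encoding examples (an Integer of 8 and the text "Hello World" under tag 0x420020) are used as test vectors.

```go
package main

import (
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// Item types, tag numbers and the Get operation value as listed in the KMIP 1.x specification
// (assumed here; verify against the edition you implement).
const (
	TypeStructure, TypeInteger, TypeEnumeration, TypeTextString byte = 0x01, 0x02, 0x05, 0x07

	TagRequestMessage, TagRequestHeader, TagRequestPayload               uint32 = 0x420078, 0x420077, 0x420079
	TagProtocolVersion, TagProtocolVersionMajor, TagProtocolVersionMinor uint32 = 0x420069, 0x42006A, 0x42006B
	TagBatchCount, TagBatchItem, TagOperation, TagUniqueIdentifier       uint32 = 0x42000D, 0x42000F, 0x42005C, 0x420094
	OpGet                                                                uint32 = 0x0A
)

// Item is one TTLV node; Children is used only for structures.
type Item struct {
	Tag      uint32
	Type     byte
	Value    []byte
	Children []Item
}

func Enumeration(tag uint32, v uint32) Item {
	return Item{Tag: tag, Type: TypeEnumeration, Value: binary.BigEndian.AppendUint32(nil, v)}
}
func Integer(tag uint32, v int32) Item        { it := Enumeration(tag, uint32(v)); it.Type = TypeInteger; return it }
func TextString(tag uint32, s string) Item    { return Item{Tag: tag, Type: TypeTextString, Value: []byte(s)} }
func Structure(tag uint32, kids ...Item) Item { return Item{Tag: tag, Type: TypeStructure, Children: kids} }
func (it Item) Int() int32                    { return int32(binary.BigEndian.Uint32(it.Value)) }
func pad8(n int) int                          { return (n + 7) &^ 7 }

// Encode emits Tag(3) | Type(1) | Length(4) | Value, with the value padded to a multiple of 8 bytes.
func Encode(it Item) []byte {
	val := it.Value
	if it.Type == TypeStructure {
		val = nil
		for _, c := range it.Children {
			val = append(val, Encode(c)...)
		}
	}
	out := make([]byte, 8, 8+pad8(len(val)))
	out[0], out[1], out[2], out[3] = byte(it.Tag>>16), byte(it.Tag>>8), byte(it.Tag), it.Type
	binary.BigEndian.PutUint32(out[4:], uint32(len(val)))
	out = append(out, val...)
	return append(out, make([]byte, pad8(len(val))-len(val))...)
}

func EncodeHex(it Item) string { return hex.EncodeToString(Encode(it)) }

var fixedLen = map[byte]int{TypeInteger: 4, TypeEnumeration: 4}

// Decode parses one item and returns the unconsumed tail. The length field is peer-controlled,
// so it is checked against the remaining input before any slicing: a truncated message or an
// oversized length yields an error rather than a panic or an over-read.
func Decode(b []byte) (Item, []byte, error) {
	if len(b) < 8 {
		return Item{}, nil, errors.New("ttlv: truncated header")
	}
	n64 := binary.BigEndian.Uint32(b[4:8])
	if uint64(n64) > uint64(len(b)-8) || 8+pad8(int(n64)) > len(b) {
		return Item{}, nil, fmt.Errorf("ttlv: length %d does not fit in remaining %d bytes", n64, len(b)-8)
	}
	n, tail := int(n64), b[8+pad8(int(n64)):]
	it := Item{Tag: uint32(b[0])<<16 | uint32(b[1])<<8 | uint32(b[2]), Type: b[3]}
	if it.Type == TypeStructure {
		for rest := b[8 : 8+n]; len(rest) > 0; {
			child, next, err := Decode(rest)
			if err != nil {
				return Item{}, nil, err
			}
			it.Children, rest = append(it.Children, child), next
		}
		return it, tail, nil
	}
	if want, ok := fixedLen[it.Type]; (ok && n != want) || (!ok && it.Type != TypeTextString) {
		return Item{}, nil, fmt.Errorf("ttlv: bad length %d for type 0x%02x", n, it.Type)
	}
	it.Value = append([]byte(nil), b[8:8+n]...)
	return it, tail, nil
}

// GetRequest builds a minimal KMIP Get request for one managed object.
func GetRequest(uid string) []byte {
	return Encode(Structure(TagRequestMessage,
		Structure(TagRequestHeader,
			Structure(TagProtocolVersion, Integer(TagProtocolVersionMajor, 1), Integer(TagProtocolVersionMinor, 0)),
			Integer(TagBatchCount, 1)),
		Structure(TagBatchItem, Enumeration(TagOperation, OpGet),
			Structure(TagRequestPayload, TextString(TagUniqueIdentifier, uid)))))
}

func main() {
	fmt.Println(EncodeHex(Integer(0x420020, 8))) // spec example vector under tag 0x420020
	fmt.Printf("%x\n", GetRequest("key-0001"))
}
```

The bounds check in Decode is the part worth copying: a KMIP server reads TTLV from authenticated but not necessarily trusted clients, and a parser that indexes by the length field before comparing it with the bytes actually received is the classic way such a service crashes or leaks memory.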
- 30. Importance of hardware security modules (HSM) [9]
Figure 33 summarizes the percentage of respondents in eight countries that deploy HSMs as part
of their organization's key management program or activities. The rate of HSM
deployment increased in the US, UK, Germany, Australia, Japan and Brazil between 2012 and
2013. As last year, the pattern of responses suggests Japanese and German respondents
are more likely than those in other countries to deploy HSMs for their organization's key management activities.
The overall average deployment rate for HSMs as part of key management activities
this year is 28 percent, representing six percent growth from last year's average deployment
rate.
Figure 33. Deployment of HSMs as part of key management activities (FY2013 vs. FY2012, by country: US, UK, DE, FR, AU, JP, BZ, RF*)
*2012 data is not available for the RF sample
[Chart residue: the 15 per-country bar values ranged from 19% to 38% but cannot be reliably paired with countries and years from the extraction.]
[9] HSMs are devices specifically built to create a tamper-resistant environment in which to perform
cryptographic processes (e.g. encryption or digital signing) and to manage the keys associated with those
processes. These devices are used to protect critical data processing activities associated with server based
applications and can be used to strongly enforce security policies and access controls. HSMs are typically
validated to formal security standards such as FIPS 140-2.
- 31. Figure 34 summarizes the percentage of respondents in eight countries that rate HSMs as either
very important or important to their organization's key management program or activities. The
importance level increased between 2012 and 2013 in every country sample for which 2012 data is available. As last year, the pattern of responses suggests Japanese and
German respondents are the most likely to assign importance to HSMs for their organization's key
management activities. The overall average importance rating in the current year is 46 percent,
compared with 39 percent last year.
Figure 34. Perceived importance of HSMs as part of key management activities (important or very important, FY2013 vs. FY2012, by country: US, UK, DE, FR, AU, JP, BZ, RF*)
*2012 data is not available for the RF sample
[Chart residue: the 15 per-country bar values ranged from 26% to 56% but cannot be reliably paired with countries and years from the extraction.]
- 32. Figure 35 summarizes the primary purposes or use cases for deploying HSMs. The
number one purpose is authentication, followed by SSL and database encryption. The chart
also shows the difference between HSM use today and planned deployment in the next 12 months. The most
significant increases predicted for the next 12 months, according to respondents, are code
signing, document signing and database encryption.
Figure 35. How HSMs are deployed today and planned to be deployed in the next 12 months (more than one choice permitted)
Use case                        Deployed today   Planned in next 12 months
Authentication                  54%              56%
SSL                             48%              49%
Database encryption             47%              54%
Application level encryption    37%              42%
Payments processing             35%              41%
PKI or credential management    26%              30%
Document signing                15%              23%
Code signing                    8%               21%
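Footnote 9 describes what an HSM provides: keys are generated and used inside a tamper-resistant boundary, and only wrapped keys leave it. The Go program below is an added illustration, not code from the report or from any vendor named in Q21. It models that boundary with a Module type standing in for the HSM and shows the envelope-encryption pattern behind the database and application-level encryption use cases in Figure 35: a per-record data key is generated inside the module, handed out once in the clear for use, stored only in wrapped form, and recoverable only by the module holding the key-encryption key. The Module type, its KEK label and the sample record are constructed for this example; a production system reaches the HSM over PKCS#11 or KMIP and may use AES Key Wrap rather than AES-GCM for the wrapping step, but the key hierarchy is the same.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Module stands in for the HSM: the key-encryption key (KEK) is generated inside it and never
// returned. Callers get only GenerateDataKey and UnwrapDataKey, the boundary a real HSM enforces.
type Module struct {
	kek   []byte // never leaves the module
	kekID string // label authenticated into every wrap
}

func NewModule(kekID string) (*Module, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &Module{kek: kek, kekID: kekID}, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce || AES-256-GCM ciphertext || tag under key, with ad as associated data.
func seal(key, plaintext, ad []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, ad), nil
}

// open reverses seal; any change to blob, key or ad fails the tag check.
func open(key, blob, ad []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns+aead.Overhead() {
		return nil, errors.New("blob too short")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], ad)
}

// GenerateDataKey returns a fresh 256-bit data-encryption key (DEK) in the clear for immediate
// use, plus the same key wrapped under the KEK (AES-GCM here, KEK label bound as associated data).
func (m *Module) GenerateDataKey() (plain, wrapped []byte, err error) {
	plain = make([]byte, 32)
	if _, err = rand.Read(plain); err != nil {
		return nil, nil, err
	}
	wrapped, err = seal(m.kek, plain, []byte(m.kekID))
	return plain, wrapped, err
}

// UnwrapDataKey succeeds only inside the module that holds the matching KEK and label.
func (m *Module) UnwrapDataKey(wrapped []byte) ([]byte, error) {
	return open(m.kek, wrapped, []byte(m.kekID))
}

// Envelope is the stored form: the wrapped DEK travels with the record; the database never
// holds a usable key, and the ciphertext is bound to its own wrapped DEK via associated data.
type Envelope struct{ WrappedKey, Blob []byte }

func EncryptRecord(m *Module, plaintext []byte) (Envelope, error) {
	dek, wrapped, err := m.GenerateDataKey()
	if err != nil {
		return Envelope{}, err
	}
	blob, err := seal(dek, plaintext, wrapped)
	return Envelope{WrappedKey: wrapped, Blob: blob}, err
}

func DecryptRecord(m *Module, env Envelope) ([]byte, error) {
	dek, err := m.UnwrapDataKey(env.WrappedKey)
	if err != nil {
		return nil, err
	}
	return open(dek, env.Blob, env.WrappedKey)
}

func main() {
	m, _ := NewModule("kek-2013-01") // constructed label for this example
	env, _ := EncryptRecord(m, []byte("constructed sample record: account=12345"))
	fmt.Println(DecryptRecord(m, env))
}
```

Two properties follow directly from the structure and are the ones to verify in a real deployment: a copy of the database without access to the module yields nothing usable, because every record's key exists only in wrapped form; and a wrapped key cannot be moved from one record to another, because each ciphertext authenticates the wrapped key it was produced with.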
- 33. Budget allocations
The percentages below are calculated from responses to survey questions about resource
allocations to IT security, data protection, encryption and key management. These calculated
values are estimates of the current state; we make no predictions about the future
state of budget funding or spending.
Figure 36 reports the average percentage of IT security spending relative to total IT spending
over the last nine years. The trend appears to be upward sloping, which suggests the
proportion of IT spending dedicated to security activities, including encryption, is increasing over
time.
Figure 36. Trend in the percent of IT security spending relative to the total IT budget (FY2005 to FY2013, with nine-year average)
[Chart residue: the yearly values plotted were 7.2%, 7.5%, 7.5%, 7.9%, 8.6%, 8.8%, 9.1%, 9.1% and 9.9%, but they cannot be reliably assigned to years from the extraction; the consolidated FY2013 value in the appendix (Q22c) is 10%.]
Figure 37 shows the percent of current IT security spending relative to the total IT budget for
individual countries. Germany and Japan report the highest proportions and the
UK and Brazil the lowest.
Figure 37. Percent of current IT security spending relative to the total IT budget by country (US, UK, DE, FR, AU, JP, BZ, RF, plus average)
[Chart residue: values plotted were 13.7%, 12.2%, 10.1%, 9.9%, 9.3%, 8.6%, 7.8% and 7.4%; they cannot be reliably attributed to countries from the extraction.]
- 34. Budget allocated to data protection. Figure 38 reports the percentage of data protection
spending relative to the total IT security budget over nine years. This trend appears to be slightly
upward sloping, which suggests data protection spending as a proportion of total IT security spending is on
the rise.
Figure 38. Trend in the percent of IT security spending dedicated to data protection activities (FY2005 to FY2013, with nine-year average)
[Chart residue: the yearly values plotted were 22.7%, 23.6%, 24.9%, 25.9%, 26.1%, 29.7%, 32.4%, 32.7% and 34.5%, but they cannot be reliably assigned to years from the extraction; the consolidated FY2013 value in the appendix (Q22d) is 33%.]
Figure 39 shows the average percent of current IT security spending dedicated to data protection
by country sample. The percentage of data protection spending relative to
total IT security spending is highest in the UK and Germany and lowest in Brazil and Australia. Perhaps
more important is the consistency of the percentages across most countries.
Figure 39. Percent of current IT security spending dedicated to data protection activities by country (US, UK, DE, FR, AU, JP, BZ, RF, plus average)
[Chart residue: values plotted were 38.3%, 38.2%, 32.3%, 31.4%, 31.2%, 31.1%, 28.4% and 28.4%; the UK and Germany account for the two highest values and Brazil and Australia for the two lowest (28.4% each), but the remaining values cannot be attributed to countries from the extraction.]
- 35. Budget allocated to encryption. Figure 40 reports the nine-year trend in the percentage of
encryption spending relative to the total IT security budget. Again, the trend is
increasing, from a low of 9.7 percent in 2005 to 18.2 percent in the present year's encryption
trends study. [10]
Figure 40. Trend in the percent of IT security budget dedicated to encryption (FY2005 to FY2013, with nine-year average)
[Chart residue: the yearly values plotted were 9.7%, 10.3%, 13.1%, 13.8%, 14.6%, 15.1%, 15.7%, 17.6% and 18.2%; FY2005 is 9.7% and FY2013 is 18.2% (consistent with Q22e, 18%), but the intermediate years cannot be reliably assigned from the extraction.]
Figure 41 reports the percentage of IT security spending dedicated to encryption by country. Again, the
country comparisons are very consistent. Respondents in Germany show the highest average
percentage of encryption spending, while those in the UK show the lowest.
Figure 41. Percent of the IT security budget dedicated to encryption by country (US, UK, DE, FR, AU, JP, BZ, RF, plus average)
[Chart residue: values plotted were 21.7%, 19.7%, 19.1%, 18.1%, 17.4%, 16.9%, 16.6% and 15.8%; Germany is the highest (21.7%) and the UK the lowest (15.8%), but the remaining values cannot be attributed to countries from the extraction.]
[10] The figures in this graph suggest that encryption spending represents nearly 60 percent of the total data
protection budget (which is a subset of the total IT security budget). However, debriefing interviews with a
subset of respondents revealed that encryption spending might not be contained solely in the data protection
category, but rather in other earmark categories such as security technologies.
- 36. Budget allocated to key management. Figure 42 reports the three-year comparison of
encryption key management spending as a proportion of the overall encryption
spend, showing a six percent increase. [11]
Figure 42. Budget allocation to key management (percentage of encryption spending dedicated to key management, FY2011 to FY2013, with average)
[Chart residue: values plotted were 23.5%, 29.5% and 31.9%; the FY2013 value is 31.9% (consistent with Q22f, 32%), but the assignment of the other two values to FY2011 and FY2012 is not certain from the extraction.]
Figure 43 reports the proportion of spending on key management relative to total spending on
encryption solutions for the country samples. Perhaps the most interesting finding is the consistency
of key management spending across the eight countries, with the exception of Australia and
Brazil.
Figure 43. Percent of encryption spending dedicated to key management activities by country (US, UK, DE, FR, AU, JP, BZ, RF, plus average)
[Chart residue: values plotted were 37.0%, 34.9%, 33.6%, 32.7%, 31.3%, 31.1%, 27.5% and 27.2%; they cannot be reliably attributed to countries from the extraction.]
[11] The analysis of key management spending was first conducted in 2011 and, hence, we don't have the
ability to conduct a full trend analysis.
- 37. Part 3. Methods & Limitations
Table 1 reports the sample response for eight separate country samples. The survey
for this study was fielded over a 49-day period ending in December 2013. Our consolidated
sampling frame of practitioners in all countries consisted of 118,423 individuals who have bona
fide credentials in IT or security fields. From this sampling frame, we captured 4,802 returns, of
which 547 were rejected for reliability issues. Our final consolidated 2013 sample was 4,275,
resulting in a 3.6% response rate. The first encryption trends study was conducted in the US in
2005. [12] Since then we have expanded the scope of the research to include eight separate
country samples. Trend analysis was performed on combined country samples. As noted
before, we added the Russian Federation in this year's study.
Table 1. Sample response in eight countries
Country               Sampling frame   Total returns   Rejected surveys   Final sample
United States         26,553           1,001           109                892
United Kingdom        15,995           688             71                 637
Germany               16,030           650             48                 602
France                15,916           558             80                 478
Australia             9,503            456             42                 414
Japan                 14,020           569             48                 521
Brazil                14,371           603             73                 530
Russian Federation    6,035            277             76                 201
Total                 118,423          4,802           547                4,275
As noted in Table 2, the respondents' average (mean) experience in IT, IT security or related
fields is 10.25 years. Approximately 25 percent of respondents are female and 75 percent
male. [13]
Table 2. Other characteristics of respondents
Experience levels            Mean years
Overall experience           11.02
IT or security experience    10.25
Gender                       Combined %
Female                       25%
Male                         75%
[12] The following matrix summarizes the samples and sample sizes used in all figures showing trends.
Country/year          2013    2012    2011    2010    2009    2008    2007    2006    2005
Australia             414     938     471     477     482     405     0       0       0
Brazil                530     637     525     0       0       0       0       0       0
France                478     584     511     419     414     0       0       0       0
Germany               602     499     526     465     490     453     449     0       0
Japan                 521     466     544     0       0       0       0       0       0
Russian Federation    201     0       0       0       0       0       0       0       0
United Kingdom        637     550     651     622     615     638     541     489     0
United States         892     531     912     964     997     975     768     918     791
Total                 4,275   4,205   4,140   2,947   2,998   2,471   1,758   1,407   791
[13] This skewed response, showing a much lower frequency of female respondents in our study, is consistent
with earlier studies, all showing that males outnumber females in the IT and IT security professions within
the countries sampled.
- 38. Figure 43 summarizes the approximate position levels of respondents in our study. As can be
seen, the majority (52 percent) of respondents are at or above the supervisory level.
Figure 43. Distribution of respondents according to position level (consolidated from eight separate country samples)
Categories: Executive/VP, Director, Manager/Supervisor, Associate/Staff/Technician, Other.
[Chart residue: the pie slices plotted were 44%, 32%, 18%, 3% and 3%, but they cannot be reliably attributed to categories from the extraction.]
Figure 44 reports the respondents' organizations' primary industry segments. As shown, 16
percent of respondents are in the financial services industry, which includes banking,
investment management, insurance, brokerage, payments and credit cards. Another 11 percent
are in public sector organizations, including central and local government.
Figure 44. Distribution of respondents according to primary industry classification (consolidated from eight separate country samples)
Categories: Financial services (16%), Public sector (11%), Manufacturing, Healthcare & pharma, Retailing, Services, Technology & software, Hospitality & leisure, Consumer products, Transportation, Communications, Entertainment & Media, Energy, Education & research, Defense, Other.
[Chart residue: the remaining pie slices plotted were 10%, 7%, 7%, 7%, 7%, 5%, 5%, 5%, 5%, 4%, 4%, 3%, 2% and 2%, but they cannot be reliably attributed to the other categories from the extraction.]
- 39. According to Figure 45, the majority of respondents (70 percent) are in larger
organizations with a global headcount of more than 1,000 employees.
Figure 45. Distribution of respondents according to organizational headcount (consolidated from eight separate country samples)
Categories: Less than 500, 500 to 1,000, 1,001 to 5,000, 5,001 to 25,000, 25,001 to 75,000, More than 75,000.
[Chart residue: the pie slices plotted were 29%, 26%, 18%, 12%, 11% and 4%, but they cannot be reliably attributed to categories from the extraction.]
Limitations
There are inherent limitations to survey research that need to be carefully considered before
drawing inferences from the presented findings. The following items are specific limitations that
are germane to most survey-based research studies.
Non-response bias: The current findings are based on a sample of survey returns. We sent
surveys to a representative sample of IT and IT security practitioners in eight countries,
resulting in a large number of usable returned responses. Despite non-response tests, it is
always possible that individuals who did not participate are substantially different in terms of
underlying beliefs from those who completed the survey.
Sampling-frame bias: The accuracy of survey results is dependent upon the degree to which
our sampling frames are representative of individuals who are IT or IT security practitioners
within the sample of eight countries selected.
Self-reported results: The quality of survey research is based on the integrity of confidential
responses received from respondents. While certain checks and balances were incorporated
into our survey evaluation process, including sanity checks, there is always the possibility that
some respondents did not provide truthful responses.
- 40. Appendix 1: Consolidated Findings
The following tables provide the percentage frequencies for all survey questions combined for the
eight country samples (weighted by sample size). All survey responses were gathered over a 49-day period ending in December 2013. Please note that certain survey questions were omitted if
not utilized in the report. All values below are consolidated percentages.
Part 1: Your organization's encryption posture
Q1. Please select one statement that best describes your organization's approach to encryption implementation across the enterprise.
  We have an overall encryption plan or strategy that is applied consistently across the entire enterprise: 35%
  We have an overall encryption plan or strategy that is adjusted to fit different applications and data types: 26%
  For certain types of sensitive or confidential data such as Social Security numbers or credit card accounts we have a limited encryption plan or strategy: 24%
  We don't have an encryption plan or strategy: 15%
  Total: 100%
Q2a. Does your organization encrypt sensitive and confidential data when sending it by email?
  Yes, most of the time: 25%
  Yes, some of the time: 52%
  No: 23%
  Total: 100%
Q2b. Does your organization encrypt sensitive and confidential data stored on shared file servers?
  Yes, most of the time: 27%
  Yes, some of the time: 48%
  No: 25%
  Total: 100%
Q2c. Does your organization encrypt sensitive and confidential data stored on laptop computers?
  Yes, most of the time: 32%
  Yes, some of the time: 45%
  No: 23%
  Total: 100%
Q2d. Does your organization encrypt sensitive and confidential data stored on desktop PCs or workstations?
  Yes, most of the time: 31%
  Yes, some of the time: 47%
  No: 22%
  Total: 100%
Q2e. Does your organization encrypt sensitive and confidential data stored on a mobile data-bearing device such as a smart phone or tablet?
  Yes, most of the time: 24%
  Yes, some of the time: 40%
  No: 36%
  Total: 100%
- 41. Q2f. Does your organization encrypt sensitive and confidential data stored on backup files or tapes before sending it to off site storage locations?
  Yes, most of the time: 43%
  Yes, some of the time: 38%
  No: 19%
  Total: 100%
Q2g. Does your organization encrypt sensitive and confidential data when sending it over external public networks such as the Internet or VPN (for example using SSL or IPSec)?
  Yes, most of the time: 35%
  Yes, some of the time: 47%
  No: 17%
  Total: 100%
Q2h. Does your organization encrypt sensitive and confidential data when sending it over internal networks (i.e., within your own private network)?
  Yes, most of the time: 32%
  Yes, some of the time: 46%
  No: 22%
  Total: 100%
Q2i. Does your organization encrypt sensitive and confidential data located in databases?
  Yes, most of the time: 33%
  Yes, some of the time: 48%
  No: 18%
  Total: 100%
Q2j. Does your organization encrypt sensitive and confidential data within business software applications that are exposed to it?
  Yes, most of the time: 32%
  Yes, some of the time: 47%
  No: 21%
  Total: 100%
Q2k. Does your organization encrypt sensitive and confidential data that is passed to external cloud based services using cloud encryption gateways?
  Yes, most of the time: 27%
  Yes, some of the time: 44%
  No: 29%
  Total: 100%
Q2l. Does your organization encrypt sensitive and confidential data using encryption capabilities within external cloud based services?
  Yes, most of the time: 18%
  Yes, some of the time: 19%
  No: 63%
  Total: 100%
Q2m. Does your organization encrypt sensitive and confidential data stored within your datacenter storage environment?
  Yes, most of the time: 33%
  Yes, some of the time: 47%
  No: 20%
  Total: 100%
- 42. Q3. Please rate the following list of 13 encryption technologies based on the importance of each technology in protecting your organization's sensitive or confidential data. Percentage very important and important responses combined.
  Email encryption: 42%
  File server encryption: 49%
  Laptop encryption: 52%
  Desktop or workstation encryption: 42%
  Smart phone or tablet encryption: 35%
  Data center storage encryption: 27%
  Back-up or tape encryption: 66%
  Encryption of external public networks: 62%
  Encryption on internal networks: 57%
  Database encryption: 65%
  Application level encryption: 39%
  Cloud encryption gateways: 27%
  Encryption within cloud based services: 24%
  Average: 45%
Q4. In your organization, who has responsibility or is most influential in directing your organization's strategy for using encryption? Please select one best choice.
  No single function has responsibility: 19%
  IT operations: 35%
  Finance: 3%
  Lines of business (LOB) or general management: 26%
  Security: 15%
  Compliance: 1%
  Other: 0%
  Total: 100%
Q5. What are the reasons why your organization encrypts sensitive and confidential data? Please select the top two reasons.
  To lessen the impact of data breaches: 46%
  To avoid having to notify customers or employees after a data breach occurs: 6%
  To ensure that our organization's privacy commitments are honored: 42%
  To protect our organization's brand or reputation: 44%
  To comply with privacy or data security regulations and requirements: 40%
  To reduce the scope of compliance audits: 22%
  Total: 200%
Q6. In your opinion, would your organization be required to notify customers after a data breach involving the loss or theft of their personal information?
Q6a. If the data that was lost or stolen was not encrypted (in clear text)
  Yes: 37%
  No: 54%
  Unsure: 9%
  Total: 100%
Q6b. If the data that was lost or stolen was encrypted
  Yes: 20%
  No: 71%
  Unsure: 9%
  Total: 100%
- 43. Q7. What are your organization's biggest challenges in planning and/or executing its data encryption strategy? Please select the top two challenges.
  Classifying which data to encrypt: 37%
  Discovering where sensitive data resides in the organization: 61%
  Determining which encryption technologies are most effective: 18%
  Deploying the encryption technology effectively: 50%
  Obtaining the budget to deploy: 24%
  Measuring the effectiveness of the data encryption technologies deployed: 11%
  Total: 200%
Q8. What are the main threats that might result in the exposure of sensitive or confidential data? Please select the top two choices.
  Hackers: 13%
  Malicious insiders: 10%
  System or process malfunction: 15%
  Employee mistakes: 27%
  Temporary or contract workers: 9%
  Third party service providers: 8%
  Legal and law enforcement (e.g., e-discovery): 15%
  Other (please specify): 1%
  Total: 100%
Q9. How important are the following features associated with encryption solutions that may be used by your organization? Most important and Important responses combined.
  Automated enforcement of policy: 69%
  Automated management of keys: 71%
  Support for the widest range of applications: 52%
  Centralized management interface: 69%
  System scalability: 63%
  Tamper resistance by dedicated hardware (e.g. HSM): 57%
  Conformance with security standards: 65%
  Support for format preserving encryption (FPE): 52%
  System performance and latency: 71%
  Support for emerging algorithms (e.g. ECC): 66%
  Supports longer encryption keys: 49%
  Formal product security certifications (e.g. FIPS 140): 55%
  Average: 62%
Part 3. Encryption key management
Q11a. In general, how does your organization view key management tasks? Please select only one choice.
  Key management is viewed as a distinct discipline that is defined or performed by dedicated or specialist staff and associated tools according to well defined practices: 23%
  Key management tasks are well defined but the organization does not have dedicated staff or tools to perform key management tasks: 52%
  Key management activities are ad-hoc with minimal or no formal definition: 25%
  Total: 100%
- 44. Q11b. What are, or would be, the primary drivers for developing a key management strategy? Please select the top two choices.
  Increase business efficiency: 52%
  Reduce operational cost: 50%
  Reduce complexity: 28%
  Demonstrate compliance: 30%
  Improve security: 36%
  Other (please specify): 0%
  None of the above: 4%
  Total: 200%
Q13. Please rate the overall "pain" associated with managing keys or certificates within your organization, where 1 = minimal impact, risk and cost to 10 = severe impact, risk and cost.
  1 to 2: 11%
  3 to 4: 16%
  5 to 6: 21%
  7 to 8: 24%
  9 to 10: 29%
  Total: 100%
Q14. Does your organization operate its own internal PKI?
  Yes: 25%
  No: 75%
  Total: 100%
Q15. What best describes your level of knowledge about KMIP?
  Very knowledgeable: 20%
  Knowledgeable: 30%
  Not knowledgeable (go to Q18): 49%
  Total: 100%
Q16. Does your organization deploy encryption or key management products that support the KMIP key management standard?
  Yes, KMIP support is a primary requirement: 13%
  Yes, KMIP support is a secondary requirement: 19%
  No, but we plan to make KMIP support a future requirement: 35%
  No, KMIP support is not relevant: 14%
  No, we have not considered KMIP support: 19%
  Total: 100%
Q17. In what areas of your encryption and key management strategy is KMIP most important? Please select your top two choices.
  Storage systems: 37%
  Application infrastructure within the datacenter: 35%
  End user devices, e.g. laptops, tablets or smart phones: 13%
  Remote applications, e.g. retail locations: 16%
  Cloud based applications and storage: 54%
  Network infrastructure: 34%
  Other (please specify): 1%
  None: 9%
  Total: 200%
- 45. Q18. What best describes your level of knowledge about HSMs?
Very knowledgeable
Knowledgeable
Not knowledgeable (Go to Part 5)
Total
Consolidated
26%
43%
30%
100%
Q19a. Does your organization deploy HSMs?
Yes
No (go to Part 5)
Total
Consolidated
28%
72%
100%
Q19b. For what purpose does your organization presently deploy or plan to deploy HSMs? Please select all that apply. (Multiple responses permitted, so columns sum to more than 100%.)

Purpose                                          Q19b-1: Deployed today    Q19b-2: Planned in next 12 months
Application level encryption                     37%                       42%
Database encryption                              47%                       54%
SSL                                              48%                       49%
PKI or credential management                     26%                       30%
Document signing (e.g. electronic invoicing)     15%                       23%
Code signing                                     8%                        21%
Authentication                                   54%                       56%
Payments processing                              35%                       41%
Not used / Not planning to use                   7%                        2%
Other (please specify)                           0%                        0%
Total                                            279%                      319%
Q20. In your opinion, how important is HSM to your encryption or key management strategy? Very important and Important responses combined.

Question                                      Consolidated
Q20a. Importance today                        46%
Q20b. Importance in the next 12 months        53%
Q21. Who are your primary vendors for HSM products and services? Please select all that apply.

Vendor                    Consolidated
Thales/nCipher            17%
SafeNet/Eracom            23%
IBM                       27%
Utimaco                   7%
HP/Atalla                 15%
FutureX                   4%
Bull                      7%
None of the above         24%
Not using HSM             7%
Total                     131%
Part 4: IT security & encryption budget

Q22a. Are you responsible for managing all or part of your organization’s IT budget in 2013?

Response                  Consolidated
Yes                       58%
No (Go to Part 5)         42%
Total                     100%

Q22b. Approximately, what is the dollar range that best describes your organization’s IT budget for 2013?
Extrapolated average value in millions (billions for JPY & RUB); extrapolated values computed from scaled responses.

                                      Consolidated
Extrapolated average value            NA

Budget allocation questions (extrapolated average percentages)

Question                                                                                              Consolidated
Q22c. Approximately, what percentage of the 2013 IT budget will go to IT security activities?         10%
Q22d. Approximately, what percentage of the 2013 IT security budget will go to data protection activities?   33%
Q22e. Approximately, what percentage of the 2013 IT security budget will go to encryption activities?        18%
Q22f. Approximately, what percentage of the 2013 encryption budget will go to key management activities?     32%
Q23b. Approximately, what percentage of the 2014 IT security budget will go to encryption activities?        35%
Q23c. Approximately, what percentage of the 2014 encryption budget will go to encryption key management activities?   29%
Q23a. Please check the security initiatives that will be earmarked in the 2013 budget. Select all that apply.

Initiative                                        Consolidated
Identity & access management                      52%
Intrusion detection and prevention systems        83%
Data loss prevention                              19%
Encryption solutions                              57%
Key and certificate management                    38%
Security intelligence (e.g., SIEM)                29%
Tokenization                                      19%
Public key infrastructure (PKI)                   36%
Database monitoring & behavior analysis           53%
Endpoint security                                 49%
Average                                           44%
Part 5: Security effectiveness

Security Effectiveness Score (computed value based on 48 items)    Consolidated
                                                                   0.60
Part 6: Role and organizational characteristics

D1. What organizational level best describes your current position?

Level                             Consolidated
Senior Executive                  1%
Vice President                    2%
Director                          18%
Manager/Supervisor                31%
Associate/Staff/Technician        44%
Other                             3%
Total                             100%
D2. Check the functional area that best describes your organizational location.

Functional area               Consolidated
IT operations                 60%
Security                      14%
Compliance                    8%
Finance                       3%
Lines of business (LOB)       13%
Other                         3%
Total                         100%
D3. What industry best describes your organization’s industry focus?

Industry                        Consolidated
Financial services              16%
Public sector                   11%
Technology & software           7%
Health & pharmaceuticals        7%
Manufacturing                   10%
Communications                  5%
Consumer products               5%
Hospitality & leisure           5%
Transportation                  5%
Retailing                       7%
Services                        7%
Defense                         2%
Education & research            3%
Energy                          4%
Entertainment & media           4%
Other                           2%
Total                           100%
D4. What is the worldwide headcount of your organization?

Headcount                 Consolidated
Less than 500             12%
500 to 1,000              18%
1,001 to 5,000            30%
5,001 to 25,000           26%
25,001 to 75,000          11%
More than 75,000          4%
Total                     100%
About Thales e-Security
Thales e-Security is a leading global provider of data encryption and cyber security solutions to the financial
services, high technology manufacturing, government and technology sectors. With a 40-year track record
of protecting corporate and government information, Thales solutions are used by four of the five largest
energy and aerospace companies, 22 NATO countries, and they secure more than 70 percent of worldwide
payment transactions. Thales e-Security has offices in France, Hong Kong, Norway, United States and the
United Kingdom. www.thales-esecurity.com.
About Thales
Thales is a global technology leader for the Defense & Security and the Aerospace & Transport markets. In
2011, the company generated revenues of €13 billion with 68,000 employees in more than 50 countries.
With its 22,500 engineers and researchers, Thales has a unique capability to design, develop and deploy
equipment, systems and services that meet the most complex security requirements. Thales has an
exceptional international footprint, with operations around the world working with customers as local
partners. www.thalesgroup.com.
About Ponemon Institute
Ponemon Institute is dedicated to independent research and education that advances information security,
data protection and privacy management practices within businesses and governments. Our mission is to
conduct high quality, empirical studies on critical issues affecting the security of information assets and the
IT infrastructure. As a member of the Council of American Survey Research Organizations (CASRO), we
uphold strict data confidentiality, privacy and ethical research standards. www.ponemon.org.