The ever-growing mobile workforce with its head in the cloud has created what seems like an endless list of IT challenges to overcome, and with anywhere, anytime access to information a necessity for many enterprises, the new IT world is having an impact on the kind of encryption enterprises need to protect their sensitive and proprietary data.
InformationWeek's "Data Encryption: Ushering In a New Era" report found that cloud and mobility are adding new challenges to security, but only 47% of 506 IT professionals that responded to a survey on data encryption stated that have mobile-device encryption has been made a priority.
Another InformationWeek survey, "Research: 2012 State of Cloud Computing," of 511 IT professionals regarding cloud computing found that 64% of enterprises using cloud services are dealing with between two and five different providers. As the number of servers and applications move into the cloud, the more the use of encryption drops off.
"The problem of mobility and cloud is it forces policies, processes and encryption technologies to have to scale to an outside device, organization, and too many more use cases," says Michael Davis, CEO of Savid Technologies and author of the report. "This usually means the governance/audit team isn't ready, the security team gets bogged down in details related to deployment, but in the end we don't see users impacted too much by encryption in these spaces as the technology is usually transparent."
All of the encryption technologies require keys, but in the case of mobile devices, the keys are usually controlled by end users when they turn on their phones, Davis explains. In that case, the user must have a lock/password screen or encryption isn't able to do its job. IT can create policies around using lock/password screens, but end users frequently ignore policies. In the case of mobile devices, it leaves potentially sensitive data open to anyone who comes into physical contact with the phone.
Of the 506 respondents to the data encryption survey, 38% said their organizations have comprehensive formal policies in place that expressly require encryption of personally identifiable information (PII) or confidential data on certain devices within their networks. They said the policies are strictly enforced. Another 38% noted that although they have policies, enforcement is limited or done on an application-by-application basis.