2018 Global Encryption Trends Study
April 2018
Independently conducted by Ponemon Institute LLC
Sponsored by nCipher Security
Ponemon Institute Research Report
PART 1. EXECUTIVE SUMMARY
Ponemon Institute is pleased to present the findings of the 2018 Global Encryption
Trends Study,1 sponsored by nCipher Security. We surveyed 5,252 individuals
across multiple industry sectors in 12 countries: Arabia (which is a combination of
respondents located in Saudi Arabia and the United Arab Emirates)2, Australia,
Brazil, France, Germany, India, Japan, Mexico, the Russian Federation, the
United Kingdom, the United States and, for the first time, South Korea (hereafter
referred to as Korea).
The purpose of this research is to examine how the use of encryption has evolved over the past 13 years and the impact of this technology on the security posture of organizations. The first encryption trends study was conducted in 2005 for a US sample of respondents.3 Since then we have expanded the scope of the research to include respondents in all regions of the world. Presented below are the 2018 findings.
As shown in Figure 1, more organizations represented in this research continue to recognize the importance of having an encryption strategy, either an enterprise-wide strategy (43 percent of respondents) or a limited plan that targets certain applications and data types (44 percent of respondents).
1 This year’s data collection was completed in January 2018. Throughout the report we present trend data based on the fiscal year (FY) the survey commenced rather than
the year the report is finalized. Hence, our most current findings are presented as FY17. The same dating convention is used in prior years.
2 Country-level results are abbreviated as follows: Arabian cluster (AB), Australia (AU), Brazil (BZ), France (FR), Germany (DE), India (IN), Japan (JP), Korea (KO), Mexico
(MX), Russia (RF), United Kingdom (UK), and United States (US).
3 The trend analysis shown in this study was performed on combined country samples spanning 13 years (since 2005).
Employee mistakes are the most significant threat to sensitive data. In contrast, the least significant threats to the exposure of sensitive or confidential data include government eavesdropping and lawful data requests. Concerns over inadvertent exposure (employee mistakes and system malfunction) significantly outweigh concerns over actual attacks by temporary workers and malicious insiders. It is interesting to note that the employee mistake threat is almost equal to the combined threat by both hackers and insiders.

The main driver for encryption is protection of information against identified threats. Organizations are using encryption to protect information against specific, identified threats (54 percent of respondents). The most critical information is the enterprise's intellectual property and the personal information of customers (52 percent and 50 percent of respondents, respectively). Compliance with regulations remains a significant driver for encryption, according to 49 percent of respondents.

A barrier to a successful encryption strategy is the ability to discover where sensitive data resides in the organization. Sixty-seven percent of respondents say discovering where sensitive data resides in the organization is the number one challenge. This challenge has come into focus as compliance activities driven by GDPR and other privacy regulations have increased. In addition, 44 percent of all respondents cite initially deploying encryption technology as a significant challenge. Thirty-four percent cite classifying which data to encrypt as difficult.

Germany, US and Japan organizations are more likely to deploy HSMs. Germany, the US and Japan are more likely to deploy HSMs for their organization's key management activities than other countries. The overall average deployment rate for HSMs is 41 percent. The most significant increases predicted for the next 12 months, according to respondents, are SSL/TLS, database encryption and payment transaction processing. It is significant to note that HSM use for SSL/TLS will soon be deployed in 50 percent of the organizations represented in this study.

Encryption features considered most important
Certain encryption features are considered more critical than others. According to consolidated findings, system performance and latency, enforcement of policy and support for both cloud and on-premise deployment are the three most important features. Support for both cloud and on-premise deployment has risen in importance as organizations have increasingly embraced cloud computing and look for consistency across computing styles.

Which data types are most often encrypted? Payment related data and human resource data are most likely to be encrypted, which emphasizes that encryption has now moved into the realm where it needs to be addressed by companies of all types. The least likely data type to be encrypted is health-related information, which is a surprising result given the sensitivity of health information and recent high profile healthcare data breaches. Healthcare information did, however, have the largest increase on this list over last year.

Attitudes about key management
How painful is key management? Fifty-seven percent of respondents rate key management as very painful. The average percentage across all country samples is 57 percent, which suggests respondents view managing keys as a very challenging activity. The highest percentage, 65 percent, occurs in India; the lowest, 33 percent, occurs in Russia.

The proportion of IT spending dedicated to security activities, including encryption, is increasing over time. According to the findings, 10.6 percent of the IT budget goes to IT security activities and 12.3 percent of the IT security budget goes to encryption activities.

61 percent of respondents are using more than one public cloud provider.
Enterprise-wide encryption strategies increase. Since first conducting this study 13 years ago, there has been a steady
increase in organizations with an encryption strategy applied consistently across the entire enterprise. In turn, there has been a
steady decline in organizations not having an encryption plan or strategy. The results have essentially reversed over the years of
the study. Figure 2 shows these changes over time.
[Figure 2. Trend in enterprise-wide encryption strategy, FY05 to FY17 (country samples consolidated). Two series: companies with an encryption strategy applied consistently across the entire enterprise, and companies with no encryption strategy. Data labels recovered from the chart: 43%, 38%, 15% and 13%.]
4 HSMs are devices specifically built to create a tamper-resistant environment in which to perform cryptographic processes (e.g., encryption or digital signing) and to
manage the keys associated with those processes. These devices are used to protect critical data processing activities and can be used to strongly enforce security
policies and access controls. HSMs are typically validated to formal security standards such as FIPS 140-2.
[Figure 3. Bar chart by country (US, UK, DE, FR, AU, JP, BZ, RF, IN, MX, AB, KO); data labels recovered: 67% and 56%.]
Figure 4 shows that the IT operations function has been the most influential in framing an organization's encryption strategy over the past 13 years. In some countries, however, lines of business are more influential: the United States, Australia and Mexico, where IT security and IT operations have a similar level of influence.
A possible reason why the lines of business are more influential than IT security is the growing adoption of Internet of Things (IoT) devices in the workplace, the proliferation of employee-owned devices (BYOD) and the general consumerization of IT. A consequence is that lines of business are required to be more accountable for the security of these technologies.
[Figure 4. Function most influential in framing the encryption strategy, by country (US, UK, DE, FR, AU, JP, BZ, RF, IN, MX, AB, KO); data labels recovered: 43%, 32%, 22%, 22%, 21% and 12%.]
The extensive use of encryption technologies increases. Since we began tracking the enterprise-wide use of encryption in 2005, there has been a steady increase in the encryption solutions extensively used by organizations.5
Figure 5 summarizes enterprise-wide usage consolidated for various encryption technologies over 13 years. This continuous growth in enterprise deployment suggests encryption is important to an organization's security posture. Figure 5 also shows the percentage of the overall IT security budget dedicated to encryption-related activities.
The patterns for deployment and budget show a positive correlation through FY13 and an inverse relationship through FY17. We postulate three reasons for the downward budget trend: (1) price pressure resulting from increased competition among vendors, (2) shifting priorities to other IT security solution areas and (3) more efficient use of presently available encryption tools.
[Figure 5. Extensive use of encryption (consolidated across categories) and percentage of the IT security budget dedicated to encryption, FY05 to FY17; data labels recovered: 43%, 16%, 12% and 10%.]
The use of encryption increases in all industries. Figure 6 shows the current year and the six-year average in the use of
encryption solutions for 10 industry sectors. Results suggest a steady increase in all industry sectors. The most significant
increases in extensive encryption usage occur in healthcare & pharmaceutical, retail and financial services.
Figure 6. The extensive use of encryption by industry: current year versus 6-year average
Country samples are consolidated. Average of 13 encryption categories

Industry                  FY17   6-year average
Financial services        60%    50%
Healthcare & pharma       55%    42%
Services                  50%    44%
Tech & software           49%    42%
Retail                    42%    31%
Transportation            41%    39%
Public sector             39%    30%
Hospitality               35%    29%
Manufacturing             33%    24%
Consumer products         27%    26%
Employee mistakes are the most significant threats to sensitive data. Figure 7 shows that the most significant threats to the
exposure of sensitive or confidential data are employee mistakes.
In contrast, the least significant threats to the exposure of sensitive or confidential data include government eavesdropping and
lawful data requests. Concerns over inadvertent exposure (employee mistakes and system malfunction) significantly outweigh
concerns over actual attacks by temporary or contract workers and malicious insiders. It is interesting to note that the employee
mistake threat is almost equal to the combined threat by both hackers and insiders.
[Figure 7. Main threats to the exposure of sensitive or confidential data (country samples consolidated); the only data label recovered is hackers, 30%.]
The main driver for encryption is protection of information against identified threats. Eight drivers for deploying encryption are presented in Figure 8. Organizations are using encryption to protect information against specific, identified threats (54 percent of respondents). The most critical information is the enterprise's intellectual property and the personal information of customers (52 percent and 50 percent of respondents, respectively).
This marks the first year that compliance with regulations has not been the top driver for encryption, indicating that encryption is less of a "checkbox" exercise and is now used to safeguard targeted critical information.
Deployment choices
No single encryption technology dominates in organizations. We asked respondents to indicate if specific encryption
technologies are widely or only partially deployed within their organizations. “Extensive deployment” means that the encryption
technology is deployed enterprise-wide. “Partial deployment” means the encryption technology is confined or limited to a
specific purpose (a.k.a. point solution).
As shown in Figure 10, no single technology dominates because organizations have very diverse needs. Internet communications, databases and laptop hard drives are the most likely to be encrypted and correspond to mature use cases. Encryption extensively used with public cloud services grew significantly year-over-year, by 11 percentage points (from 28 percent to 39 percent).
For the first time, the study tracked the deployment of encryption on IoT devices and platforms. As shown, 49 percent of
respondents say IoT encryption has been at least partially deployed for devices and platforms.
Certain encryption features are considered more critical than others. Figure 11 lists encryption technology features. Each
percentage defines the very important response (on a four point scale). Respondents were asked to rate encryption technology
features considered most important to their organization’s security posture.
According to consolidated findings, system performance and latency, enforcement of policy and support for both cloud and
on-premise deployment are the three most important features. The performance finding is not surprising given that encryption in
networking is a prominent use case, as well as the often emphasized requirement for transparency of encryption solutions.
Support for both cloud and on-premise deployment has risen in importance as organizations have increasingly embraced cloud
computing and look for consistency across computing styles. In fact, the top findings in this area all correspond to features
considered important for cloud solutions.
Figure 11. Encryption technology features rated very important, FY16 and FY17
Country samples are consolidated

Feature                                       FY16   FY17
System performance and latency                74%    78%
Enforcement of policy                         71%    72%
Support for cloud and on-premise deployment   69%    71%
System scalability                            66%    68%
Which data types are most often encrypted? Payment related data and human resource data are most likely to be encrypted. The least likely data type to be encrypted is health-related information, which is a surprising result given the sensitivity of health information and the recent high profile healthcare data breaches. Healthcare information had the largest increase on this list over last year.

Data types most often encrypted, FY16 and FY17 (country samples consolidated)

Data type                            FY16   FY17
Payment related data                 56%    54%
Employee/HR data                     61%    53%
Intellectual property                47%    52%
Financial records                    49%    50%
Customer information                 40%    43%
Healthcare information               19%    26%
Non-financial business information   32%    26%
How painful is key management? Using a 10-point scale, respondents were asked to rate the overall "pain" associated with managing keys within their organization, where 1 = minimal impact and 10 = severe impact. Figure 13 shows that 57 percent of respondents in FY17 (24 percent rating 7 or 8 plus 33 percent rating 9 or 10) chose ratings at or above 7, indicating a fairly high level of pain.
Figure 13. Rating on the overall impact, risk and cost associated with managing keys
Country samples are consolidated

Rating    Percentage of respondents
1 or 2    9%
3 or 4    12%
5 or 6    22%
7 or 8    24%
9 or 10   33%
[Figure 14. Percentage of respondents rating key management pain at 7 or above, by country (US, UK, DE, FR, AU, JP, BZ, RF, IN, MX, AB, KO). Values range from 33% (Russia, lowest) to 65% (India, highest).]
Why is key management painful? Figure 15 shows the reasons why the management of keys is so difficult. The top three
reasons are: (1) no clear ownership of the key management function, (2) lack of skilled personnel and (3) isolated or fragmented
key management systems.
[Figure: "pain" associated with managing each type of key, very painful and painful responses combined (see Q11 in the survey response); the only data label recovered is end user encryption keys (e.g., email, full disk encryption), 39%.]
As shown in Figure 17, respondents’ companies continue to use a variety of key management systems. The most commonly
deployed systems include: (1) manual process, (2) formal key management policy (KMP) and (3) formal key management
infrastructure (KMI).
Figure 17. What key management systems does your organization presently use?
Country samples are consolidated. More than one choice permitted
Germany, United States and Japan organizations are more likely to deploy HSMs. Figure 18 summarizes the percentage of
respondents that deploy HSMs. Germany, United States and Japan are more likely to deploy HSMs than other countries. The
overall average deployment rate for HSMs is 41 percent.
[Figure 18. Percentage of respondents deploying HSMs, by country (US, UK, DE, FR, AU, JP, BZ, RF, IN, MX, AB, KO). Data labels recovered: 56%, 51%, 47%, 45%, 44%, 43%, 43%, 34%, 29%, 28%, 25% and 23%; Germany, the United States and Japan are highest, and the overall average is 41%.]
Deployment of HSMs increases steadily. Figure 19 shows a six-year trend for HSMs. As can be seen, the rate of global HSM
deployment has steadily increased.
[Figure 19. Six-year trend in HSM deployment, country samples consolidated; the FY17 value is 41%.]

Overall HSM use grew to 41%, the highest level ever. Germany, the US and Japan report the highest HSM usage rates.

Figure 20. How HSMs are used with cloud applications
Country samples are consolidated. More than one choice permitted. The two series are read as current use and planned use within the next 12 months, following the convention of Figure 24; the chart's own legend was not recovered.

Option                                                                                        Current   Next 12 months
Rent/use HSMs from public cloud provider, hosted in the cloud                                 36%       41%
Own and operate HSMs on-premise, accessed in real time by cloud-hosted applications           47%       (not shown)
Own and operate HSMs for the purpose of generating and managing BYOK (Bring Your Own Key)
keys to send to the cloud for use by the cloud provider                                       17%       24%
Own and operate HSMs that integrate with a Cloud Access Security Broker to manage keys and
cryptographic operations (e.g., encrypting data on the way to the cloud, managing keys for
cloud applications)                                                                           12%       24%
None of the above                                                                             1%        1%
Figure 21 summarizes the percentage of respondents in 12 countries that rate HSMs as either very important or important
to their organization’s encryption or key management program or activities. The overall average importance rating in the
current year is 57 percent. The pattern of responses suggests Germany, India, the United States and Japan are most likely to
assign importance to HSMs as part of their organization’s encryption or key management activities.
[Figure 21. How important are HSMs to your encryption or key management strategy? Very important and important responses combined, by country (US, UK, DE, FR, AU, JP, BZ, RF, IN, MX, AB, KO), with the 57% average marked. Data labels recovered: 71%, 65%, 64%, 63%, 60%, 56%, 53%, 51%, 50%, 48%, 44% and 42%.]
What best describes an organization’s use of HSMs? As shown in Figure 23, 61 percent of respondents say their organization
has a centralized team that provides cryptography as a service (including HSMs) to multiple applications/teams within their
organization (i.e., private cloud model). Thirty-nine percent say each individual application owner/team is responsible for
their own cryptographic services (including HSMs), indicative of the more traditional siloed application-specific data center
deployment approach.
Figure 23. Which statement best describes how your organization uses HSMs?
Country samples are consolidated

A centralized team provides cryptography as a service (including HSMs) to multiple applications/teams within our organization (i.e., private cloud model)   61%
Each individual application owner/team is responsible for their own cryptographic services (including HSMs) (i.e., traditional siloed, application-specific data center deployment)   39%
The most significant increases predicted for the next 12 months, according to respondents, are SSL/TLS, database encryption
and payment transaction processing. It is significant to note that HSM use for SSL/TLS will soon be deployed in 50 percent of
the organizations represented in this study.
Figure 24. How HSMs are deployed or planned to be deployed in the next 12 months
Country samples are consolidated. More than one choice permitted

Use case                                          Currently deployed   Planned within 12 months
SSL/TLS                                           43%                  50%
Application level encryption                      41%                  40%
Payment transaction processing including P2PE     29%                  35%
The percentages below are calculated from the responses to survey questions about resource allocations to IT security, data
protection, encryption, and key management. These calculated values are estimates of the current state and we do not make
any predictions about the future state of budget funding or spending.
Figure 25 reports the average percentage of IT security spending relative to total IT spending over the last 13 years. As shown,
the trend appears to be upward sloping, which suggests the proportion of IT spending dedicated to security activities including
encryption is increasing over time.
Figure 25. Trend in the percent of IT security spending relative to the total IT budget
Country samples are consolidated
[Figure 25. IT security spending as a percentage of the total IT budget, FY05 to FY17. The thirteen values plotted are 7.2%, 7.5%, 7.5%, 7.9%, 8.6%, 8.8%, 9.1%, 9.1%, 9.2%, 9.9%, 10.0%, 10.2% and 10.6%, with 10.6% the FY17 value.]
Figure 26 reports the percentage of the IT security budget dedicated to encryption. Spending on encryption has declined
since 2014.
Figure 26. Trend in the percentage of IT security spending dedicated to encryption activities
Country samples are consolidated
[Figure 26. Percentage of the IT security budget dedicated to encryption, trend by fiscal year; data labels recovered: 15.7%, 14.4% and 12.3%, with 12.3% the FY17 value.]
Figure 27. Do you currently transfer sensitive or confidential data to the cloud?
Country samples are consolidated
Responses: 61%, 21% and 17%. The survey response (Q35) records the 17 percent as respondents who do not use or plan to use cloud services for sensitive or confidential data; the labels of the 61 percent and 21 percent segments were not recovered.
According to Figure 28, with respect to the transfer of sensitive or confidential data to the cloud, Germany, United States,
Japan, India and Korea are more frequently transferring sensitive data to the cloud.
[Figure 28. Organizations that transfer sensitive or confidential data to the cloud, by country (US, UK, DE, FR, AU, JP, BZ, RF, IN, MX, AB, KO). Data labels recovered: 70%, 69%, 68%, 67%, 65%, 61%, 58%, 58%, 58%, 54%, 52% and 46%.]

Encryption in public cloud services grew from 28% to 39% in 2017; the 11-point gain is the highest year-over-year growth of any encryption use case.
Figure 29. How does your organization protect data at rest in the cloud?
Country samples are consolidated. More than one choice permitted
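Two of the options the report tracks describe different trust boundaries: encryption performed on-premise before data goes to the cloud, using keys the organization generates and manages (the most common answer in Figure 29, at 47 percent in the survey response), and HSM-generated BYOK keys sent to the cloud for use by the provider (the BYOK rows among the cloud HSM options after Figure 19). The Go program below is an added example, not code from the report or from nCipher, that models both with standard-library AES-256-GCM and RSA-OAEP so the difference in who can decrypt is visible in the result. The provider's import key pair, the OAEP label, the tenant binding string and the sample record are assumptions constructed for the example, and software-generated keys stand in for HSM-generated ones.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// oaepLabel is an assumed import label, not any real provider's value.
var oaepLabel = []byte("byok-import")

// ProviderView is everything the cloud side holds for one stored record.
type ProviderView struct {
	Ciphertext []byte // AES-256-GCM output: nonce || ciphertext || tag
	AAD        []byte // tenant/record binding, authenticated but not encrypted
	WrappedKey []byte // nil under model A; RSA-OAEP-wrapped data key under BYOK
}

// randBytes panics on CSPRNG failure, which nothing below could recover from.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // fails only on a bad key length
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // cannot fail for AES's 128-bit block
	return g
}

// sealRecord encrypts record under key and binds it to aad.
func sealRecord(key, record, aad []byte) []byte {
	g := gcmFor(key)
	nonce := randBytes(g.NonceSize())
	return g.Seal(nonce, nonce, record, aad)
}

// openRecord fails if key, ciphertext or aad differ from what sealRecord used.
func openRecord(key, sealed, aad []byte) ([]byte, error) {
	g := gcmFor(key)
	if len(sealed) < g.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
}

// ProviderDecrypt is what the cloud side can do with what it holds.
func ProviderDecrypt(priv *rsa.PrivateKey, v ProviderView) ([]byte, error) {
	if v.WrappedKey == nil {
		return nil, fmt.Errorf("provider holds no key material for this record")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, v.WrappedKey, oaepLabel)
	if err != nil {
		return nil, err
	}
	return openRecord(key, v.Ciphertext, v.AAD)
}

type Outcome struct{ OwnerReadsA, ProviderReadsA, ProviderReadsB, TamperedAADFails bool }

// Compare runs model A (encrypt on-premise, key never leaves) and model B (BYOK).
func Compare() Outcome {
	record, aad := "card=4111********1111;employee=E1042", []byte("tenant=example;record=1") // constructed
	providerKey, err := rsa.GenerateKey(rand.Reader, 2048) // provider's import key pair
	if err != nil {
		panic(err)
	}
	keyA, keyB := randBytes(32), randBytes(32) // stand-ins for HSM-generated keys
	var out Outcome
	// Model A: the provider stores ciphertext and the binding, nothing else.
	viewA := ProviderView{Ciphertext: sealRecord(keyA, []byte(record), aad), AAD: aad}
	pt, err := openRecord(keyA, viewA.Ciphertext, viewA.AAD)
	out.OwnerReadsA = err == nil && string(pt) == record
	_, err = ProviderDecrypt(providerKey, viewA)
	out.ProviderReadsA = err == nil
	// Model B (BYOK): keyB travels wrapped under the provider's public import key; the
	// provider unwraps it and encrypts for us, so sealing with keyB here is equivalent.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &providerKey.PublicKey, keyB, oaepLabel)
	if err != nil {
		panic(err)
	}
	viewB := ProviderView{Ciphertext: sealRecord(keyB, []byte(record), aad), AAD: aad, WrappedKey: wrapped}
	pt, err = ProviderDecrypt(providerKey, viewB)
	out.ProviderReadsB = err == nil && string(pt) == record
	viewB.AAD = []byte("tenant=other;record=1") // record re-homed to another tenant
	_, err = ProviderDecrypt(providerKey, viewB)
	out.TamperedAADFails = err != nil
	return out
}
func main() {
	fmt.Printf("%+v\n", Compare())
}
```

Under model A the provider stores ciphertext and a tenant/record binding, and ProviderDecrypt fails for lack of key material; under BYOK the provider unwraps the key and reads the record, so BYOK settles where the key was generated and whether it can be re-imported, not whether the provider can see plaintext. The final check shows why the binding is authenticated rather than merely stored: the same ciphertext presented under another tenant's identifier is rejected by GCM.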
What are the top three encryption features specifically for the cloud? The top three features are support for the KMIP
standard for key management (66 percent of respondents), SIEM integration, visualization and analysis of logs (62 percent of
respondents) and granular access controls (60 percent of respondents).
Figure 30. How important are the following features associated with cloud encryption to your organization?
Very important and important responses combined
The first encryption trends study was conducted in the United States in 2005. Since then we have expanded the scope of
the research to include 12 separate country samples. Trend analysis was performed on combined country samples. As noted
before, we added Korea to this year’s study.
Sample sizes by country and fiscal year (rows for the United Kingdom, Japan, Russia, India and the Arabian cluster were not recovered, so the listed rows do not sum to the totals)

Country   FY17   FY16   FY15   FY14   FY13   FY12   FY11   FY10   FY09   FY08   FY07   FY06
AU         315    331    334    359    414    938    471    477    482    405      0      0
BZ         507    463    460    472    530    637    525      0      0      0      0      0
DE         543    531    563    564    602    499    526    465    490    453    449      0
FR         370    345    344    375    478    584    511    419    414      0      0      0
KO         317      0      0      0      0      0      0      0      0      0      0      0
MX         468    451    429    445      0      0      0      0      0      0      0      0
US         710    701    758    789    892    531    912    964    997    975    768    918
Total    5,252  4,802  5,009  4,714  4,275  4,205  4,140  2,947  2,998  2,471  1,758  1,407
Figure 31 reports the respondent’s organizational level within participating organizations. By design, 56 percent of respondents
are at or above the supervisory levels.
Figure 32 identifies the organizational location of respondents in our study. Over half of respondents (55 percent) are located
within IT operations, followed by security at 20 percent of respondents and 12 percent of respondents are located within the
lines of business.
Figure 31. Organizational level of respondents (country samples consolidated)
Senior Executive             2%
Vice President               3%
Director                     17%
Manager/Supervisor           34%
Associate/Staff/Technician   41%
Other                        3%

Figure 32. Organizational location of respondents
IT operations       55%
Security            20%
Lines of business   12%
Compliance          7%
Finance             3%
Other               3%

Figure 33. Industry classification of respondents
Values recovered: Services 11%, Public sector 9%, Retail 8%, Consumer products 4%, Hospitality 3%, Transportation 3%, Communications 2%, Other 3%. The remaining sectors shown in the chart (financial services, manufacturing & industrial, technology & software, health & pharmaceutical, energy & utilities, education & research, entertainment & media) could not be matched to their values.
According to Figure 34, the majority of respondents (63 percent) are located in larger-sized organizations with a global
headcount of more than 1,000 employees.
[Figure 34. Global headcount of respondents' organizations. The 25,001 to 75,000 band is 8%; the 500 to 1,000 band and the remaining bands carry the labels 4%, 13% and 31%, whose mapping was not recovered.]
There are inherent limitations to survey research that need to be carefully considered before drawing inferences from the
presented findings. The following items are specific limitations that are germane to most survey-based research studies.
• Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of IT and IT security practitioners in 12 countries, resulting in a large number of usable returned responses. Despite non-response tests, it is always possible that individuals who did not participate are substantially different in terms of underlying beliefs from those who completed the survey.
• Sampling-frame bias: The accuracy of survey results is dependent upon the degree to which our sampling frames are representative of individuals who are IT or IT security practitioners within the sample of 12 countries selected.
• Self-reported results: The quality of survey research is based on the integrity of confidential responses received from respondents. While certain checks and balances were incorporated into our survey evaluation process, including sanity checks, there is always the possibility that some respondents did not provide truthful responses.
Survey response
Country samples are consolidated; FY17 unless stated otherwise. Where a question permits more than one choice, the total exceeds 100 percent. Only the response rows below were recovered from the survey tables.

Q1. Please select one statement that best describes your organization's approach to encryption implementation across the enterprise.
Total 100%

Q2. Following are areas where encryption technologies can be deployed. Please check those areas where encryption is extensively deployed, partially deployed or not as yet deployed by your organization.
Total 100%

Q3. [question text not recovered]
IT operations 33%
Security 17%
Compliance 2%
Total 100%

Q4. What are the reasons why your organization encrypts sensitive and confidential data? Please select the top three reasons.
Total 300%

Q5. What are the biggest challenges in planning and executing a data encryption strategy? Please select the top two reasons.
Total 200%

[Encryption feature importance, question text not recovered]
Integration with other security tools (e.g., SIEM and ID management) 64%

Q8. What are the main threats that might result in the exposure of sensitive or confidential data? Please select the top two choices.
Hackers 30%
Total 200%

Q9. Please rate the overall "pain" associated with managing keys or cert
ificates within your organization, where 1 = minimal impact to 10 = severe impact.
1 or 2 9%
3 or 4 12%
5 or 6 22%
7 or 8 24%
9 or 10 33%
Total 100%

Q11. Following are a wide variety of keys that may be managed by your organization. Please rate the overall "pain" associated with managing each type of key. Very painful and painful responses combined.
End user encryption keys (e.g., email, full disk encryption) 39%
Total 267%

[Question text not recovered]
Knowledgeable 30%
Total 100%

[Question text not recovered; the 41 percent matches the HSM deployment rate in Figure 18]
Yes 41%
Total 100%

HSM use cases currently deployed (more than one choice permitted)
Public cloud encryption including for Bring Your Own Key (BYOK) 32%
SSL/TLS 43%
Code signing 7%
Payment service provider interface (e.g., TSP, real-time payments, Open API) 25%
With Cloud Access Security Brokers (CASBs) for encryption key management 19%
Other 3%
Total 409%

HSM use cases planned within the next 12 months (more than one choice permitted)
Public cloud encryption including for Bring Your Own Key (BYOK) 32%
SSL/TLS 50%
Code signing 8%
Payment service provider interface (e.g., TSP, real-time payments, Open API) 28%
With Cloud Access Security Brokers (CASBs) for encryption key management 21%
Other 2%
Total 441%

Use of HSMs with cloud applications, first series (read as current use)
Rent/use HSMs from public cloud provider, hosted in the cloud 36%
Own and operate HSMs on-premise at your organization, accessed real-time by cloud-hosted applications 47%
Own and operate HSMs for the purpose of generating and managing BYOK (Bring Your Own Key) keys to send to the cloud for use by the cloud provider 17%
Own and operate HSMs that integrate with a Cloud Access Security Broker to manage keys and cryptographic operations (e.g., encrypting data on the way to the cloud, managing keys for cloud applications) 12%
Total 113%

Use of HSMs with cloud applications, second series (read as planned within the next 12 months)
Rent/use HSMs from public cloud provider, hosted in the cloud 41%
Own and operate HSMs for the purpose of generating and managing BYOK (Bring Your Own Key) keys to send to the cloud for use by the cloud provider 24%
Own and operate HSMs that integrate with a Cloud Access Security Broker to manage keys and cryptographic operations (e.g., encrypting data on the way to the cloud, managing keys for cloud applications) 24%
Total 143%

Q15. In your opinion, how important are HSMs to your encryption or key management strategy? Very important and important responses combined.

Q16. Which statement best describes how your organization uses HSMs?
Total 100%

Q17a. Are you responsible for managing all or part of your organization's IT budget this year?
Yes 53%
Total 100%

FY2017

Q35a. Does your organization currently use cloud computing services for any class of data or application, both sensitive and non-sensitive?
No (go to Part 7 if you do not use cloud services for any class of data or application) 16%
Total 100%

[Transfer of sensitive or confidential data to the cloud; see Figure 27]
No (go to Part 7 if you do not use or plan to use any cloud services for sensitive or confidential data) 17%
Total 100%

How data at rest in the cloud is protected (see Figure 29; more than one choice permitted)
Encryption performed on-premise prior to sending data to the cloud using keys my organization generates and manages 47%
Total 136%

Cloud encryption features (see Figure 30)
Ability to encrypt and rekey data while in use without downtime 47%

Number of public cloud providers used
1 39%
2 21%
3 14%
4 or more 26%
Total 100%

[Second count distribution, question text not recovered]
1 29%
2 21%
3 15%
4 or more 35%
Total 100%

Organizational level
Senior Executive 2%
Vice President 3%
Director 17%
Manager/Supervisor 34%
Associate/Staff/Technician 41%
Other 3%
Total 100%

Organizational location
IT operations 55%
Security 20%
Compliance 7%
Finance 3%
Other 3%
Total 100%

Industry classification
Communications 2%
Consumer products 4%
Hospitality 3%
Public sector 9%
Retail 8%
Services 11%
Transportation 3%
Other 3%
Total 100%

Global headcount
25,001 to 75,000 8%
Total 100%