Move over tokenization vendors: auditors prefer encryption.
A new survey of more than 500 auditors found encryption the top choice over data tokenization or other cryptographic techniques to mask sensitive information.
The survey, "What auditors think of crypto technologies", was conducted by the Ponemon Institute. It was commissioned by Thales, a firm that specializes in encryption software and Host Security Modules (HSMs), embedded devices commonly used by banks to encrypt financial data. Forty-three percent of auditors select encryption for protecting data at the point of capture such as point-of-sale (POS), website, email gateway and call center. The second highest rated in these circumstances is tokenization, the survey found.
Encryption has always been a coveted technology to auditors, but organizations that have problems with key management may view tokenization as a good alternative, said Larry Ponemon, chairman and founder of the Ponemon Institute.
"In general auditors in our study still favor encryption in all the different use cases that we examined," Ponemon said. "Tokenization is an up and coming technology; we think PCI DSS and some other compliance requirements will allow tokenization as a solid alternative to encryption."
In addition, the survey found auditors prefer encryption over tokenization to secure confidential data in a database (54% encryption, 15% tokenization). Auditors prefer masking (36%) over truncation (28%) to protect data residing outside a database in applications. When it comes to securing confidential data in storage, 55% recommend encryption, followed by 17% who favor tokenization.
The debate over the use of new tokenization technologies, so-called end-to-end encryption, or a mixture of both has been continuing in special interest groups (SIGs) hosted by the Payment Card Industry Security Standards Council (PCI SSC). Those SIGs include vendors touting their own technologies, hopeful that the Payment Card Industry Data Security Standard (PCI DSS) would someday identify tokenization or a mixture of cryptographic technologies to protect credit card data.
In addition, more than 80% of auditors believe sensitive or confidential information should be encrypted as a best practice, the Ponemon survey found. But the survey also supported the notion that encryption is being driven by compliance initiatives. Fifty-four percent of auditors said the organizations they assess use crypto security tools only as required to achieve compliance. The auditors indicated that PCI and the Health Insurance Portability and Accountability Act (HIPAA) were the biggest drivers of encryption, followed by state data protection and data breach notification rules.
Ponemon said there is an opportunity for companies to more broadly apply encryption to protect intellectual property. Companies, particularly those based in the U.S., have been focusing encryption technologies on credit card data, Social Security numbers and health care information to achieve PCI or HIPAA compliance.
"More and more companies are recognizing the value of their intellectual property and how devastating its loss would be," Ponemon said. "There are still a lot of companies not using the technology as broadly as they should."