- Peter Loshin, Technology Editor
With RSA's departure from the encryption business last year, many companies have been left wondering where to buy enterprise encryption tools, and it shows in the lack of any clear leaders in the encryption tools market space.
TechTarget polled 1,435 IT and security professionals in North America about their plans to evaluate encryption tools for data protection, and two-thirds indicated that centralized policy management was critical to their encryption projects. Just over half said that application and database transparency, without the need to modify existing applications, was essential; almost the same number said that low latency was critical.
Other "critical" features cited by survey respondents for enterprise encryption tools included key management interoperability (42%), support for hardware-based cryptographic acceleration (32%), support for compliance regulations (26%) and monitoring capabilities for encryption status (25%).
"Data is exposed and leaking everywhere," said John Girard, vice president and distinguished analyst at Gartner. "To comprehensively avoid accidental and deliberate breaches, companies should cover many avenues of storage and transmission, including primary drives, removable media, cloud-based file sync and share, directed file transfers such as FTP, and data in motion over networks, typically via virtual private networks."
Yet, as enterprises continue to move more of their data to the cloud, the majority of respondents were still focused on their on-premises data protection. Only 32% said they were evaluating cloud-based or managed security service providers; 28% were seeking to protect data stored in a public cloud.
Readers, on average, reported that they planned to encrypt three different types of targets with their encryption efforts. Endpoint drives were most frequently cited, at 62%, but 61% also said they would encrypt servers and 59% said they would encrypt email. Enterprise databases and endpoint files were specified by 55% and 54%, respectively.
The top enterprise encryption vendors shortlisted by readers include Symantec, at 6%, followed by McAfee (Intel Security), at 5%, and Check Point Software Technologies, at 4%. Of the 14 encryption vendors selected by respondents, five were chosen by fewer than 1% of readers, and another 20% of readers picked "other."
Symantec's encryption offering includes endpoint encryption and removable media encryption with centralized management, as well as email, file share and command-line tools. More importantly, Symantec's enterprise encryption products integrate with its data loss prevention (DLP) technologies.
McAfee's Complete Data Protection provides its own encryption tools and supports OS X and Windows OS-native encryption, system encryption drives, removable media, file shares and cloud data. It also integrates with McAfee's other enterprise security tools for centralized management of policies.
So where are all the enterprise encryption tools vendors?
"The markets for disk encryption and media encryption management products are mature," Girard said. Vendors in the endpoint protection and mobile data protection markets offer data encryption for workstation devices (such as desktops and laptops), and many are starting to provide protection controls for smaller devices as well. "There are also encryption products that originate in the DLP and EDRM [enterprise digital rights management] markets," he said. "Many encryption policies can be managed by enterprise mobility management tools as well."
The traditional encryption tools market is giving way to a world where encryption is folded into other security products, according to Brett Hansen, executive director for data security solutions at Dell.
"Too many companies currently have to employ a piecemeal approach to their encryption and data security infrastructure, implementing completely different solutions for data leakage protection, data rights management and data in motion security," he said. "This places an incredible burden on IT departments -- especially among mid-market and smaller sized businesses -- and is leading to many companies having unknown security gaps in their data protection platforms."
Enterprise encryption tools now need to be integrated across boundaries: data at rest and data in motion; laptops, mobile devices and desktops; and on-premises and cloud deployments. These protections should also leverage the encryption capabilities that ship with OS X and Windows.
"Modern encryption needs to reflect the needs of today's employees," Hansen said, meaning that data should be able to move "between devices, public clouds and different operating systems." That is a goal, he said, which can "only be achieved through the adoption of data-centric encryption tools."
"The widespread adoption of mobility solutions means that data no longer resides in a single place or on a single device," Hansen added. "[D]ata is moving across different public cloud platforms, onto USB sticks and across different OS environments on different devices, and employees now demand that data travel between these seamlessly while remaining encrypted. To achieve this, businesses need to adopt a truly heterogeneous encryption solution that protects critical data wherever it travels."
Gartner recommends a checklist for enterprise encryption tools that includes looking for products that provide similar -- if not identical -- encryption policies on all devices, so that management can be consistent not just for Windows and OS X systems but also for smaller mobile devices. It also suggests looking for products that offer a single console for viewing the policies in place across multiple device populations, and for backup features so that when a device becomes unavailable it is possible to determine what data was lost -- and then recover that data.
Other features Girard said are worth seeking out include protection for data at rest and in motion, support for self-encrypting drives (SEDs) and support for selective encryption of removable media and individual files. "It is also wise to consider vendors who can manage basic native crypto -- BitLocker, FileVault 2 -- [so] these are stable as OSes are patched and upgraded."
Most of the vendors Gartner tracks implement their own copy of cryptographic algorithms, such as the Advanced Encryption Standard (AES), and then get their product certified through the National Institute of Standards and Technology (NIST). "There is a new trend to use the NIST-approved, FIPS-certified (Federal Information Processing Standards) crypto provided via OpenSSL," Girard said. "It's only certified to FIPS-140 Level 1, but for most products and many use cases, that is good enough."
Looking ahead, Gartner expects to see more management vendors offering support for native encryption, such as BitLocker and FileVault 2, as well as increasing use of SEDs, which don't sacrifice performance because they use their own built-in encryption processes -- and the market researcher expects to see SED technology migrating into increasingly small devices.
"The next big leap in, say, three years will be the return to using rights-managed encryption, which is asserted any time that users create or modify files. In other words, driving encryption to the bottom so that any file that moves intentionally or accidentally is automatically protected by policy," Girard said. "In the mobile world, there are too many ways to move files to be able to protect everything by conventional means of perimeter defenses."
About the author:
Peter Loshin is a site editor for SearchSecurity. Previously, he was a technical editor for software reviews at BYTE magazine, as well as a TCP/IP network engineer at a research laboratory in Cambridge, Mass. He has written several books, including TCP/IP Clearly Explained and Simple Steps to Data Encryption: A Practical Guide to Secure Computing.