Encryption Everywhere
Join IBM and IDC on this tweet chat to discuss the challenges of security, encryption and compliance
IBM Z
After a #databreach, will having pervasive encryption help a company get back to business?
Dominic Trott
(1/3) Poor key management may give malicious actors not only access to data, but also to encryption keys
Dominic Trott
(2/3) Loss of the keys means not only compromised data, but also genuine users may be locked out
Dominic Trott
(3/3) Pervasive encryption, including centralised key management, helps prevent this
Guillaume H⭕️areau
Sure, better protecting their data is like quality insurance.
Adam Jollans
There's also the challenge of restoring trust in a company following a data breach - pervasive encryption can be part (but not all) of the solution here
Guillaume H⭕️areau
Moreover, #pervasiveEncryption and #GDPR – Controllers may not need to report a breach to the data subject if the data was encrypted.
Guillaume H⭕️areau
@adamjollans Absolutely true, this is not the alpha and the omega, but part of the solution. It needs to be completed by other security measures
Dominic Trott
@GuillaumeIBM quite right - in fact reputational damage is expected to be far more 'costly' than fines for non-compliance
Dominic Trott
@adamjollans this is why it is so important that boards are making decisions based on a proper understanding of the risk they face!
Adam Jollans
and it's the Board members who will get the blame if there's a significant data breach
IBM Z
This can't be an overnight project - how can business support the shift culturally?
Dominic Trott
Business support is the critical term – it cannot be a security or IT project, should be a business-wide one
Guillaume Hoareau
#Pervasive Encryption is a journey. Its application requires a step-by-step approach (possibly you can adopt one feature at a time).
Fotini Stamou
@DominicTrott how do you get right sponsors in the organisations to support such a project?
Dominic Trott
Collaboration & alignment of ALL business areas is key to truly PERVASIVE encryption
Dominic Trott
@f_stamou what is the right sponsor?!?!? Need to find person/team with right profile to drive org-wide change
Guillaume Hoareau
You can also consider a selective approach first (encrypting critical data first) and then extend to all data second once ready.
Fotini Stamou
do you find that companies "cut corners" when it comes to security due to budget and resource restrictions?
Dominic Trott
@f_stamou @IDCUKI research shows involvement of COO & non-exec board sponsor adds to security maturity
Dominic Trott
@f_stamou a big challenge! lack of awareness can lead to mistaken prioritisation - see @WannaCry outbreak at UK NHS
Guillaume Hoareau
@f_stamou As data owners or security officers, we should point to the common interest in protecting data without impacting their activities
Dominic Trott
Great opportunity for security professionals to show business understanding/leadership
IBM Z
It’s the topic of the year for #privacy and #governance – how can this help with #GDPR?
Dominic Trott
#GDPR #Article32: encryption an example tech for security of processing personal data
Dominic Trott
#GDPR #Article25: data protection by design and by default … Taking into account the state of the art #SOTA
Guillaume H⭕️areau
#pervasiveEncryption - 2 technical controls mentioned in GDPR text: #Pseudonymisation and #Encryption.
Guillaume H⭕️areau
The practice of #pervasiveEncryption decouples encryption from classification. Protect first, classify second.
Dominic Trott
Also @GuillaumeIBM - if Art32 says encryption is an e.g. of data security, need a good reason not to use it for Art25 compliance!
Fotini Stamou
how would you rate organisations' readiness regarding #GDPR?
Dominic Trott
readiness is patchy - @IDCUKI research shows many European enterprises still at the 'blissfully unaware', or 'dawning recognition' state of readiness. Let alone 'risk-based compliance'
Dominic Trott
@f_stamou currently >50% Western European enterprises not ready for compliance, 25% pragmatic compliance, 18% beyond compliance, 1% compliance exemplar
IBM Z
Wrapping up – final thoughts on who should champion encryption? IT, Management, C-Suite?
Dominic Trott
it should not just be about job titles, but about finding the right champion for YOUR enterprise
Dominic Trott
is it so strategic to make it a CEO issue? Do you hold so much marketing data to make it a CMO issue? Does CIO/CISO have the weight to drive change on a pan-enterprise basis?
Mona sharma
Not encrypted = exposed!
Guillaume H⭕️areau
#PervasiveEncryption - Requires the alignment of enterprise data owners and security officers (segregation of duties, confidentiality)
Dominic Trott
@GuillaumeIBM agreed! The champion for encryption is the one that can drive consistent, collaborative, enterprise-wide impact
Guillaume H⭕️areau
From security officers to LOB data consumers, database and storage administrators, all have a role to play. Applying encryption where it needs to be, they all protect the organization against risk.
IBM Z
So what is pervasive encryption, and what has changed to enable it?
Guillaume Hoareau
#pervasiveEncryption simplifies & reduces the costs associated with protecting data & achieving compliance mandates.
Dominic Trott
#PervasiveEncryption is not a product or a solution - it is a state of mind or a ‘journey’
Guillaume Hoareau
#pervasiveEncryption is a transparent and consumable approach to enable extensive encryption of data in-flight and at-rest
Dominic Trott
#PervasiveEncryption means data is encrypted no matter its state – in transit or at rest
Guillaume Hoareau
1) #pervasiveEncryption is a Data Centric Approach. The data is the new perimeter and benefits from tight platform integration of the crypto #z14
Dominic Trott
modern approaches to enable goals include #DataMasking and #FormatPreservingEncryption
Guillaume Hoareau
2) CPACF – Performance improvements of up to 6x (compared to z13) for selective encryption modes of operations. We are talking about more than 12 GB of encryption per second per processor.
Guillaume Hoareau
3) Crypto Express6s – Doubling of asymmetric encryption performance for TLS handshakes (compared with previous generation)
IBM Z
We see #cybersecurity reports saying a tiny % of business data is encrypted – why not more?
Dominic Trott
@IDCUKI research agrees that encryption adoption is ‘patchy’ http://ow.ly/Rww630g...
Guillaume Hoareau
Organizations struggle with questions like: What data should be encrypted? Where should encryption occur? Who is responsible for encryption?
Dominic Trott
@DominicTrott Encryption is hard & not a panacea!
Mona sharma
due to finite budgets and limited resources
Guillaume Hoareau
Comprehensive data protection requires investment to deploy point solutions and/or enable #encryption directly in the applications.
Dominic Trott
Encryption is no ‘single shot’ solution - it must be met with companion tech, process & skills (esp. key management)
Dominic Trott
Companies tend to struggle with key security and rotation
Dominic Trott
Encryption can have data usability implications, maybe forcing a security vs usability decision