A lot of companies apply encryption for the wrong reason

If you ask enterprise organizations about their encryption policies, you can conclude that they are applying encryption more often than before. Encryption has become a vital part of their IT strategy. However, the motivation behind it is not always the right one: compliance with laws and regulations is often the main driver, while securing customer data is not necessarily the primary goal.

nCipher is a security company that offers solutions for encrypting data and has been researching the use of encryption within companies since 2005. We spoke with John Grimm, VP of Strategy & Business Development at nCipher.

In recent years, compliance with laws and regulations has been the main reason for encrypting data. This year, that’s not the case. The security of customer data is now at the top of the list. On average, companies have a healthier encryption policy as a result.

Encryption policy is the main issue

We talked to Grimm and studied the research report. Based on this, we concluded that the entire problem is undoubtedly a difficult one. Especially with large companies, many hours are spent working on encryption, but it remains to be seen exactly how effective the workflow actually is.

The positive aspect of the research is the fact that more companies are progressing and are coming up with good encryption policies. 48 percent of the companies state that they have an encryption plan for all solutions within the organisation. On the other hand, 39 percent of companies only have a limited encryption plan for specific applications and 13 percent of companies don’t have any plans at all.

The reason that encryption is a crucial issue is that there is no one-size-fits-all solution that can handle everything. If you run everything on-premise, you can achieve a lot with a local hardware security module (HSM), but companies also want to head to the cloud. Each public cloud provider runs its own version of an HSM service, with its own simplified interface and configuration model. As a result, encryption and security work differently in each cloud and it is difficult to create uniform policies.

Encryption is not sexy enough

In the end, encryption just isn’t sexy enough. It’s a necessity no one really seems to care about. Unless things go seriously wrong, of course. Both developers and people on the operations side don’t feel compelled to set up encryption policies for different datacenter applications and public clouds all day long.

There is clearly an opportunity in the market to manage these things centrally and simplify them. The million-dollar question is who will take it upon themselves to set this up. But even when it is done properly, data leaks cannot be prevented entirely. The research shows that the highest risk to security is still the user, who will accidentally share the unencrypted data anyway.

Key management is no easy task

According to the people who participated in the study, key management is ultimately the most challenging part. It is never entirely clear who owns the data. Proper key management also requires suitable personnel to set it up, and skilled people who can do the job are very hard to find. Because of this, the people tasked with the job often do not know what the exact requirements for a proper key management strategy are: what is required and what needs to be taken into account.

It doesn’t help that there are still no standards set up, which means that all kinds of different methods are used, both on-premise and in the cloud. These methods are not instantly compatible with each other, and as a result, a lot of work has to be done to make them function in a decent manner.

Encryption has a negative performance image

One of the reasons why IT professionals sometimes avoid encryption is that it hurts the performance of an application. Developers want to build the best possible application that also runs fast. The same applies to operations, where nobody wants to hear complaints about slow applications from users. This is despite the fact that there are plenty of encryption options that operate very fast and have a minimal effect on performance. For example, Elliptic Curve Crypto (ECC) has emerged, a technology that is a lot faster than the more familiar RSA.

The difference between ECC and RSA is the length of the encryption keys; ECC keys are about half the size of RSA keys. ECC also requires less processing power to apply the encryption, and less processing power also means it’s generally faster. In many cases, RSA is still the standard choice for many companies, but the use of ECC is on the rise. In the world of SSL certificates for encrypting web traffic and securing websites, ECC is becoming more popular. ECC certificates are also popular for IoT purposes where there is little computing power and storage capacity.

The future of encryption

Society does not want its data to end up with cybercriminals or governments, and expects companies to encrypt and securely store everything. However, this is by no means always the case, although it has improved in recent years. The most significant drawback is that there is not yet a generic solution to this problem. It is still entirely possible to build a solution that can work with the configurations on-premise and in the cloud and apply a single general policy across all these environments. However, that will most likely not happen for the time being.

We also asked how nCipher responds to this. nCipher indicated that its customer base is not looking for a simple interface or easy-to-activate encryption. nCipher customers mainly want to choose the most comprehensive solution, with plenty of options and configuration possibilities. According to Grimm, that is what nCipher customers are looking for.

We continue to believe that automation and the simplification of complex technical applications and solutions always contribute to more innovation. In this case, it might also be useful to define a security standard that is used worldwide. However, it remains to be seen whether that will happen; it does not seem very likely.