Interview: Has Gemalto found a flaw in your data encryption strategy?
Gemalto is on the front line when it comes to data encryption. Unfortunately, it seems IT security managers are falling far behind in the backblocks.
As Gemalto’s ANZ regional director, Pyper is responsible for expanding Gemalto’s data protection portfolio with its Australian business partners and customers. Take-up in the region has been strong, and he says the market is encouraging.
“Australia and New Zealand are often seen as being quite innovative in terms of technology, and I think it’s recognised over here now. We take the lead in a lot of places. What I’ve seen is definitely an increase in security awareness, which is great for everything that we stand for.”
At a recent Australian Information Security Association (AISA) event, Gemalto surveyed 50 attendees to gauge the mood of the market. The event included both large vendors and customers, making it a good place to gather a wide range of perspectives.
Pyper says that although 78.8% of respondents said they have a data encryption strategy, it may be a case of talk without action, as those organisations haven’t actually put anything into practice – a serious mismatch.
“Out of all the respondents, only 21.7% encrypt customer information. As a consumer myself, it’s a little bit concerning. We did another survey earlier in the year where one of the biggest fears consumers actually expressed was: ‘we expect to have some kind of data breach ourselves, but the companies that we deal with to be responsible for that’.”
“The three main areas that I would focus on would always be protecting customer information, payment data and anything that is intellectually private. It’s the type of thing where if it made its way into the public domain, somebody else could make a financial benefit from it.”
When it comes to key management in encryption, Pyper says there are several approaches: a software-based approach, a hardware approach, and cloud service providers.
The software approach has its benefits and is relevant in certain areas, but overall he says the hardware approach is the best option, because the keys remain solely under your own control.
“The moment you give the key to the kingdom to somebody else to manage, you’re defeating the objective. Many organisations also want to switch service providers. If you’re using a proprietary service in one cloud ecosystem, is that going to be compatible with a different cloud ecosystem in three or four years’ time?”
He says Gemalto has been educating customers on the benefits of keeping keys on-premises, within their own systems and under their own security policies. Organisations can still leverage the cloud without compromising security.
Moving on to mandatory data breach notification, he cites the US as an example of how such laws are put in place. More organisations are becoming security-aware and are treating data encryption and key management as their starting point.
“We can’t really spend any more on the perimeter because it won’t give us enough bang for our buck. Where can we repurpose that money and actually have some benefit?”
This question is the tipping point for looking at encryption and key management. In Australia and New Zealand, the legislation is starting to come out. Organisations should not be scared of it, but they should be prepared for it, Pyper says.
How do organisations prepare themselves? It’s about reviewing what they have and what’s most important in their environment, he says. It’s about people, policies and process.
“How are your security policies set up? Do you actually fall in line with the notification rules? How are you going to communicate that to your internal people? How do you set out a policy for if it does happen: these are the people that we need to inform.”
He says that notification laws will really help if they drive home the message that consumers will no longer buy from a breached organisation.
“If there’s a big data breach, then the brand is hurt considerably and most people will move to a competitor’s solution. There’s nothing to say that the competitor is no more secure than the one that’s just been breached, it’s just that they were unlucky.”
But with laws as the be-all and end-all of policy, is there room for organisations to be self-policing? Pyper says that every organisation has a duty of trust to its network and its data, so in this respect every organisation should be self-policing.
“I believe there is a need to have more rigid legislation, and the only way for that is to have it written into the rule books and enforced on a state-by-state basis.”
He says that even data privacy laws that have come out of the European Union can have a dramatic effect on how every organisation worldwide conducts its business.
“If you have a data breach and you have European citizen data in your database, you are liable for that information. It’s not just about considering the local laws; people have to correlate all the different laws around the world and see which ones actually apply to them and which bits of data they need to protect.”
“Do they have to put something in a different server, or a different environment, so they’ve got this air gap so they’re not subject to multiple jurisdictions?”
How do organisations conquer such a mammoth task? Pyper says organisations like Gemalto are at hand to help.
“One of the key areas for me this year is addressing our partner network. We’re looking at how we can work closely with the reseller community in Australia and New Zealand and help them grow at the same time as enabling our growth plans as well,” Pyper says.
Gemalto has expanded its product portfolio over the last 12 months and seen more engagement with large ANZ organisations. This year the company will be launching new solutions in the authentication and identity space, building on the foundation laid last year.
“Our core message to all of our customers is: assume that your perimeter will be breached. The only fallback you have to stop the bad guys from getting away with the important stuff is to encrypt the information that you have, be it in the cloud, in storage or on premises, and manage those encryption keys within hardware,” Pyper concludes.