Aberdeen Encryption Key Management

May 30, 2018
    8/9/2019 Aberdeen Encryption Key Management

    Encryption and Key Management

    August 2007

    http://www.aberdeen.com/common/send_to_friend.asp?cid=4262

    Encryption & Key Management

    Page 2

    2007 Aberdeen Group. Telephone: 617 723 7890

    Executive Summary

    To support the broader deployment of encryption for the protection of sensitive data and to deal with the management of encryption keys over their lifecycle, Best-in-Class organizations are beginning to look towards centralized key management and automated key distribution solutions to deliver higher scalability, lower operational costs, reduce risk, establish consistent security policies, and sustain regulatory compliance.

    "You have to plan. We spend a lot of time planning. If you don't, you're likely to get yourself in a hole you can't get out of. The number of keys under management never goes down and we may need to go back and recover encrypted data at any time."

    ~ Trusted Computing Development Manager, $5.7B US-based Industrial Equipment Manufacturer (managing encryption keys since 1996, with >3M keys currently under management)

    Best-in-Class Performance

    Based on feedback from more than 150 organizations, Aberdeen used the following performance criteria to distinguish Best-in-Class companies from Industry Average and Laggard organizations in the protection of sensitive data using encryption and key management:

    • Increase in the total percentage of sensitive data identified, compared to a year ago;
    • Decrease in the number of incidents of exposed or potentially exposed data due to inconsistent encryption and key management policies, compared to a year ago; and
    • Decrease in the number of incidents of inaccessible data due to mismanagement of encryption keys, compared to a year ago.

    Competitive Maturity Assessment

    Survey results show that the firms enjoying Best-in-Class performance shared several common characteristics. Compared to one year ago:

    • 81% increased the number of application types / use cases using encryption
    • 71% increased the number of encryption keys under management
    • 50% increased the number of locations (including multiple sites, branches, outsourcing partners, partner extranets) implementing encryption
    • 46% increased the consistency of encryption and key management policies across multiple applications / use cases

    Required Actions

    In addition to the specific recommendations in Chapter 3 of this report, to achieve Best-in-Class performance organizations should build the strategic capability to support the flow of information across organizational and network boundaries, by using encryption solutions to secure the data coupled with an infrastructure to manage, protect and control access to the encryption keys that provide the foundation for this higher level of protection.

    www.aberdeen.com Fax: 617 723 7897


    Table of Contents

    Executive Summary ... 2
      Best-in-Class Performance ... 2
      Competitive Maturity Assessment ... 2
      Required Actions ... 2
    Chapter One: Benchmarking the Best-in-Class ... 4
      Expanding Use of Encryption ... 4
      Maturity Class Framework ... 5
      Best-in-Class PACE Model ... 6
    Chapter Two: Benchmarking Requirements for Success ... 10
      Competitive Assessment ... 10
      Organizational Capabilities and Technology Enablers ... 13
    Chapter Three: Required Actions ... 15
      Laggard Steps to Success ... 15
      Industry Average Steps to Success ... 15
      Best-in-Class Steps to Success ... 15
    Appendix A: Research Methodology ... 17
    Appendix B: Related Aberdeen Research ... 20

    Figures

    Figure 1: Leading Drivers for Use of Encryption (all respondents) ... 4
    Figure 2: Strategic Approach to Securing Sensitive Data ... 7
    Figure 3: Strategic Approach to Encryption ... 8
    Figure 4: Key Management Level of Automation ... 13

    Tables

    Table 1: Companies with Top Performance Earn Best-in-Class Status ... 5
    Table 2: Best-in-Class PACE Framework ... 6
    Table 3: Competitive Framework ... 11
    Table 4: PACE Framework Key ... 18
    Table 5: Competitive Framework Key ... 18
    Table 6: Relationship Between PACE and Competitive Framework ... 19


    Chapter One:

    Benchmarking the Best-in-Class

    Expanding Use of Encryption

    Fast Facts

    Compared to one year ago:

    • 81% of the Best-in-Class increased the total number of application types / use cases for encryption
    • 71% of the Best-in-Class increased the total number of encryption keys under management
    • 50% of the Best-in-Class increased the number of locations (including multiple sites, branches, outsourcing partners, and partner extranets) using encryption

    Encryption is the process of transforming information into a form that cannot be read without the possession of special knowledge, referred to as a key. The purpose of encryption is to ensure that the information remains private from anyone not authorized to read it, even from those who may have access to the encrypted data. Although the use of encryption to protect sensitive data, whether the data is at rest, in transit, or in use, is anything but new, its application is growing ever more widespread. High-profile data breaches, identity theft, industry and government regulations, insider attacks, softening consumer confidence, and the increasing mobility of sensitive information are among the many motivations for the expanding use of encryption.

    Figure 1: Leading Drivers for Use of Encryption (all respondents)

    [Bar chart; values recovered from the extracted figure text:]
    Protect sensitive data: 66%
    Protect against the threat of external attacks: 19%
    Protect against the threat of internal attacks: 13%
    Support the mobility requirements of employees: 11%

    Source: Aberdeen Group, August 2007

    The increasing adoption of encryption-enabled solutions, however, also translates to a proliferation of encryption keys, and creates a new security management problem: all keys have a lifecycle, which includes generation, distribution, storage, use, archiving, backup and retrieval, replacement, revocation, and eventual expiration and termination. To support the broader deployment of encryption and to deal with the management of encryption keys over their lifecycle, Best-in-Class organizations are beginning to look towards centralized key management and automated key distribution solutions to deliver higher scalability, lower operational costs, reduce risk, establish consistent security policies, and sustain regulatory compliance.
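The lifecycle listed above is easiest to see as a state machine over a central inventory. The Python registry below is an added illustration written for this page, not Aberdeen's or any vendor's code. It models generation, distribution, use, archiving on replacement (rotation), revocation, expiration and termination, and enforces the two rules the report and the sidebar quote imply: only the current key may encrypt or be pushed to endpoints, yet every key that has not been terminated stays retrievable so previously encrypted data can be recovered at any time, and a key's record is never dropped from the inventory, so the count under management never goes down. Termination is refused while any data item still depends on the key. Key material is random bytes and "protecting" an item only records which key it depends on; the class names, the purpose label and the item labels used in the usage below are constructed for this example.

```python
# Added example (not the report's code): a central key-lifecycle registry.
# Key material is random bytes; "protecting" an item only records which key
# it depends on, standing in for a real encryption call.
from __future__ import annotations

import os
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    ACTIVE = "active"          # may encrypt, decrypt and be distributed
    ARCHIVED = "archived"      # rotated out: recover (decrypt) only
    REVOKED = "revoked"        # suspected compromise: recover only, then re-protect
    EXPIRED = "expired"        # crypto-period over: recover only
    TERMINATED = "terminated"  # material destroyed; record kept for audit


@dataclass
class ManagedKey:
    key_id: str
    purpose: str
    state: State = State.ACTIVE
    material: bytes | None = field(default_factory=lambda: os.urandom(32))
    endpoints: set[str] = field(default_factory=set)  # where it was distributed


class KeyRegistry:
    def __init__(self) -> None:
        self.keys: dict[str, ManagedKey] = {}   # every key ever generated
        self.active: dict[str, str] = {}        # purpose -> current key_id
        self.protected: dict[str, str] = {}     # data item -> key_id it depends on

    def generate(self, purpose: str) -> ManagedKey:
        version = sum(1 for k in self.keys.values() if k.purpose == purpose) + 1
        key = ManagedKey(f"{purpose}-v{version}", purpose)
        self.keys[key.key_id] = key
        self.active[purpose] = key.key_id
        return key

    def distribute(self, key_id: str, endpoint: str) -> None:
        """Only the current key is pushed out to encryption-enabled endpoints."""
        key = self.keys[key_id]
        if key.state is not State.ACTIVE:
            raise PermissionError(f"{key_id} is {key.state.value}; not distributable")
        key.endpoints.add(endpoint)

    def protect(self, purpose: str, item: str) -> str:
        """Encrypt (here: record) an item under the current key for its purpose."""
        key_id = self.active[purpose]
        self.protected[item] = key_id
        return key_id

    def recover(self, item: str) -> bytes:
        """Return the key an item was encrypted under, however old, unless terminated."""
        key = self.keys[self.protected[item]]
        if key.state is State.TERMINATED or key.material is None:
            raise LookupError(f"{item}: key {key.key_id} is {key.state.value}")
        return key.material

    def items_under(self, key_id: str) -> list[str]:
        return sorted(i for i, k in self.protected.items() if k == key_id)

    def reprotect(self, item: str) -> str:
        # Move an item onto the current key so its old key can eventually be terminated.
        return self.protect(self.keys[self.protected[item]].purpose, item)

    def _retire(self, key_id: str, new_state: State) -> list[str]:
        key = self.keys[key_id]
        if key.state is State.TERMINATED:
            raise PermissionError(f"{key_id} was already terminated")
        if self.active.get(key.purpose) == key_id:
            self.generate(key.purpose)  # a replacement takes over immediately
        key.state = new_state
        return self.items_under(key_id)  # data that still depends on the retired key

    def rotate(self, purpose: str) -> str:
        self._retire(self.active[purpose], State.ARCHIVED)
        return self.active[purpose]

    def revoke(self, key_id: str) -> list[str]:
        return self._retire(key_id, State.REVOKED)

    def expire(self, key_id: str) -> list[str]:
        return self._retire(key_id, State.EXPIRED)

    def terminate(self, key_id: str) -> None:
        """Destroy material only once nothing depends on the key; keep the record."""
        key = self.keys[key_id]
        if key.state is State.ACTIVE:
            raise PermissionError("rotate before terminating an active key")
        if self.items_under(key_id):
            raise PermissionError(f"{key_id} still protects {self.items_under(key_id)}")
        key.material = None
        key.state = State.TERMINATED

    def count(self) -> int:
        """Keys under management never go down: terminated keys keep their record."""
        return len(self.keys)
```

A typical run (constructed labels): generate a key for the purpose "db-backup", distribute it, protect "backup-2007-08" under it, rotate so v1 is archived and v2 active, then protect "backup-2007-09". Recovering the August backup still returns v1's material, but v1 can no longer be distributed and cannot be terminated until the August backup has been re-protected under v2; after that, termination clears the material while the inventory count stays at two. Revoking the active v2 generates v3 immediately and returns the list of items that must be re-protected.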


    Objectives for this Report

    This research report was designed to give new insights into how organizations are leveraging encryption and key management solutions to:

    • Support the use of encryption across an increasing volume of applications, servers, end-users, and networked devices;
    • Manage encryption keys across their complete lifecycle, from generation to eventual termination;
    • Manage risk in a consistent way across multiple use cases and geographically dispersed locations; and
    • Achieve and sustain compliance with internal security policies and external regulations.

    For additional details on Aberdeen's research methodology, see Appendix A.

    Maturity Class Framework

    Aberdeen used the following performance criteria to distinguish Best-in-Class organizations from Industry Average and Laggard organizations in their use of encryption and key management to protect sensitive data:

    • Increase in the total percentage of sensitive data identified, compared to a year ago;
    • Decrease in the number of incidents of exposed or potentially exposed data due to inconsistent encryption and key management policies, compared to a year ago; and
    • Decrease in the number of incidents of inaccessible data due to mismanagement of encryption keys, compared to a year ago.

    Companies with top performance based on these criteria earn Best-in-Class status, as described in Table 1. (For additional details, see Table 5 in Appendix A.)

    Table 1: Companies with Top Performance Earn Best-in-Class Status

    Definition of Maturity Class | Mean Class Performance

    Best-in-Class: Top 20% of aggregate performance scorers
      • 64% increased the total percentage of sensitive data identified, compared to a year ago
      • 82% decreased the number of incidents of exposed or potentially exposed data due to inconsistent encryption and key management policies, compared to a year ago
      • 72% decreased the number of incidents of inaccessible data due to mismanagement of encryption keys, compared to a year ago

    Industry Average: Middle 50% of aggregate performance scorers
      • 47% increased the total percentage of sensitive data identified, compared to a year ago
      • 6% increased the number of incidents of exposed or potentially exposed data due to inconsistent encryption and key management policies, compared to a year ago
      • 4% increased the number of incidents of inaccessible data due to mismanagement of encryption keys, compared to a year ago

    Laggard: Bottom 30% of aggregate performance scorers
      • 14% increased the total percentage of sensitive data identified, compared to a year ago
      • 33% increased the number of incidents of exposed or potentially exposed data due to inconsistent encryption and key management policies, compared to a year ago
      • 31% increased the number of incidents of inaccessible data due to mismanagement of encryption keys, compared to a year ago

    Note: the percentages reflected in Table 1 represent the net of all responses of "increased," "remained the same," and "decreased" compared to one year ago.

    Source: Aberdeen Group, 2007

    Best-in-Class PACE Model

    Achieving superior performance in protecting sensitive data using encryption and key management requires a combination of strategic actions, organizational capabilities, and enabling technologies, as summarized in Table 2. (For a description of Aberdeen's PACE Framework, see Table 4.)

    Table 2: Best-in-Class PACE Framework

    Pressures
      • Protect sensitive data

    Actions
      • Support the use of third-party encryption solutions across an increasing range of existing infrastructure, applications, servers, end-users, and networked devices
      • Protect and control access to the network and to the data itself
      • Secure the data, and protect and control access to the encryption keys that secure the data

    Capabilities
      • Flexible distribution and integration of keys to a wide variety of encryption-enabled endpoints
      • Management of encryption keys across their complete lifecycle, from generation to eventual termination
      • Enforcement of consistent security policies to manage business risk
      • Audit, analysis and reporting capabilities to address compliance requirements

    Enablers
      • File Encryption
      • Full-Disk Encryption
      • Mobile Device Encryption
      • USB Device Encryption
      • Database Encryption
      • Storage / Backup Encryption
      • Application Encryption
      • Key Management
      • Hardware Security Modules (HSM)
      • Trusted Platform Modules (TPM)
      • Public-Key Infrastructure (PKI)
      • Smart Cards; Card Issuance Systems

    Source: Aberdeen Group, August 2007

    In response to the pressure to protect sensitive data, 40% of the Best-in-Class indicate that they are supporting the use of third-party encryption solutions across an increasing range of existing infrastructure, applications, servers, end-users, and networked devices. Best-in-Class companies have begun to shift their strategic approach to securing sensitive data:

    • from the traditional, perimeter-based approach of protecting the network and controlling access to the data itself (39%),
    • to an information-centric, de-perimeterized approach of securing the data combined with protecting and controlling access to the encryption keys that secure the data (25%).

    Compared to the Industry Average, the Best-in-Class companies in the survey were 1.9X more likely to have adopted an information-centric, de-perimeterized approach than a traditional, perimeter-based approach to securing sensitive data. See Figure 2.

    Figure 2: Strategic Approach to Securing Sensitive Data

    [Bar chart, Best-in-Class vs. Industry Average; values recovered from the extracted figure text:]
    Protect and control access to the network and access to the data itself: Best-in-Class 39%, Industry Average 45%
    Secure the data, and protect and control access to the encryption keys that secure the data: Best-in-Class 25%, Industry Average 15%

    Source: Aberdeen Group, August 2007


    To date, the most common adoption of encryption across all companies surveyed has been the tactical deployment of point solutions where specific needs exist. However, the research indicates that a new, more strategic approach to encryption and key management has emerged. Best-in-Class companies have started to shift:

    • from tactical deployment of point solutions for encryption, where specific needs exist (46%),
    • to a top down, enterprise-wide view of encryption for protecting sensitive data (36%).

    Compared to the Industry Average, the Best-in-Class companies in the survey were 1.6X more likely to take a strategic, pan-enterprise approach to encryption and key management than a tactical, point-wise approach to deployment of encryption solutions. See Figure 3.

    Figure 3: Strategic Approach to Encryption

    [Bar chart, Best-in-Class vs. Industry Average; values recovered from the extracted figure text:]
    Top down, enterprise view of encryption for protecting sensitive data: Best-in-Class 36%, Industry Average 26%
    Point solutions for encryption have been deployed where specific needs exist: Best-in-Class 46%, Industry Average 52%
    Limited deployments of encryption: Best-in-Class 18%, Industry Average 22%

    Source: Aberdeen Group, August 2007

    In the next chapter, we will see what the leading companies are doing to achieve superior performance in encryption and key management.

    Aberdeen Insights: Strategy

    Not quite 25 years ago now, the innate tension between two contrary aspects of electronic information was first noted: on the one hand, information can be immeasurably valuable; on the other hand, information wants to be free. This tension between value and the ease and convenience with which information can be perfectly replicated is at the heart of the different strategic approaches to protecting sensitive data that we see highlighted in this report.


    The traditional, perimeter-based approach to protecting sensitive data manages information in a central location, and controls access to the information itself: analogous to putting the eggs in one basket, then guarding that basket. But as more open, flexible network access and distributed computing models dissolve the traditional network perimeter, the centralized fortress model for data protection can be increasingly impractical and ineffective.

    In its place, an information-centric approach to protecting sensitive data is clearly emerging. By securing the data, rather than only the network and IT infrastructure, information that inherently wants to be free can flow freely across organizational and network boundaries. To stretch the previous egg/basket analogy: although they are no longer in one basket, the eggs still have a protective shell. This information-centric approach requires, among other things, that along with encryption to secure the data, an infrastructure must be put in place to manage, protect, and control access to the encryption keys. The research shows clear evidence of growth in encryption-related infrastructure solutions that is consistent with the evolution from tactical point deployments of encryption to such a strategic enterprise-wide approach.


    Chapter Two:

    Benchmarking Requirements for Success

    The selection and deployment of encryption and key management solutions, and their successful integration with existing business processes, plays a crucial role in the ability to leverage these enabling technologies to support higher scale, reduce costs, manage security risk, and achieve compliance with internal policy and external regulations.

    Fast Facts

    Based on survey responses for current use vs. planned use in the next 12 months, organizations will:

    • Significantly expand the use of encryption to gain control over data in use by mobile end-users, with greatest attention on smart phones and PDAs, USB devices such as iPods and thumb drives, and flash memory cards (>100% year-over-year growth)
    • More uniformly deploy encryption for protection of data in back-end applications, including database encryption, application encryption, server-to-server encryption, and encryption of Web Services transactions (>50% year-over-year growth)

    Case Study: Maritz, Inc., Fenton, Missouri

    Maritz, Inc., a $1.3B provider of integrated performance improvement, incentive travel, and market research services headquartered near St. Louis, is home to 10 business units and 17 call centers. They use encryption throughout the organization for file transfers, wireless connections and to protect payment card data. Maritz has recently put policy and process in place to centralize the management and distribution of encryption keys and to enforce responsible key usage.

    "Currently, most of our process is manual," says enterprise architect Bill Hamilton. "We want physical signatures." Hamilton says there's been some pushback within the organization against the strict language associated with key usage, but feels that Maritz is getting what it wants in terms of manageability and accountability. "Our key management process is relatively new," says Hamilton, "and it's helping us manage our Service Level Agreements. We want everything managed from one central location, so we know exactly what got sent and when."

    Identification and classification of information assets is the first step in any encryption and key management initiative, and as the saying goes the first step can be the hardest. "The hardest part [of protecting sensitive data] is finding all the places it's being used," notes Hamilton.

    A higher degree of automation of the key management process remains possible for the future, but in the early stages Maritz will continue to rely on its proven manual processes. "Because our auditors require paper trails, we're likely to stick with our manual process for now. It's working."

    Competitive Assessment

    The aggregated performance of surveyed companies determined whether they ranked as Best-in-Class, Industry Average or Laggard. Each class also shared common characteristics in the following categories:

    (1) Process (scope of process standardization; efficiency and effectiveness of these processes);

    (2) Organization (how the company is organized to manage and optimize these processes);


    (3) Knowledge (visibility into vital information and intelligence required to manage these processes);

    (4) Technology (selection of appropriate enabling tools, and intelligent deployment of those tools); and

    (5) Performance (measurement of the benefits of technology deployment, and use of the results to improve processes further).

    These characteristics (identified in Table 3 below) serve as a guideline for best practices and correlate directly with Best-in-Class performance across the respective metrics.

    Table 3: Competitive Framework

    (values given as Best-in-Class / Average / Laggards)

    Process
      • Distribution and integration of encryption keys to a wide variety of encryption-enabled endpoints: 46% / 30% / 16%
      • Management of encryption keys across their complete lifecycle, from generation to eventual termination: 36% / 26% / 8%
      • Enforcement of consistent security policies related to encryption and key management: 46% / 27% / 14%
      • Controls to ensure that monitoring and compliance methods satisfy the requirements of INTERNAL policies: 71% / 47% / 31%
      • Controls to ensure that monitoring and compliance methods satisfy the requirements of EXTERNAL regulations: 64% / 44% / 20%

    Organization
      • Responsible executive or team with primary ownership for the creation and revision of encryption and key management policies and practices: 50% / 40% / 18%
      • Formal awareness and end-user training programs around encryption and key management: 32% / 14% / 14%

    Knowledge
      • Consistent asset classification scheme: 40% / 40% / 10%
      • All data assets are identified and classified: 36% / 27% / 12%

    Technology (selected encryption technologies currently in use)
      • File encryption (desktop / laptop): 57% / 51% / 29%
      • File encryption (server): 57% / 32% / 27%
      • Full-Disk encryption: 22% / 22% / 14%
      • Database encryption: 39% / 26% / 16%
      • Client certificates: 46% / 37% / 12%
      • Public-Key Infrastructure (PKI): 46% / 38% / 25%
      • Key Management (as a standalone product): 29% / 25% / 18%

    Performance
      • Support encryption at more endpoint types: 81% / 52% / 35%
      • Manage larger number of encryption keys: 71% / 55% / 27%
      • Greater consistency of encryption and key management policies across multiple applications / use cases: 46% / 18% / 8%
      • Support encryption at more locations (including multiple sites, branches, outsourcing partners, partner extranets): 50% / 38% / 12%
      • Greater consistency of encryption and key management policies across multiple locations: 29% / 18% / 8%

    Note: the percentages reflected under Performance are in comparison to one year ago.

    Source: Aberdeen Group, August 2007

    As shown in Figure 4, the research shows that Best-in-Class companies are investing in automated key management and key distribution capabilities to cope with, and reap the benefits of, significantly broader use of encryption. Compared to all companies surveyed, the Best-in-Class supported 1.9X more keys with an estimated 34% lower total annual cost on a per-key basis.


    Figure 4: Key Management Level of Automation

    [Line chart: average performance rating (1 = Low, 5 = High) for Best in Class, Industry Average and Laggards at three points in time: one year ago, currently, and projected one year from now. The plotted values present in the extracted text are 1.8, 3.4, 2.9, 1.6, 2.3, 3.0, 2.3, 2.0 and 1.4; their assignment to series and time points is not recoverable from the extraction.]

    Source: Aberdeen Group, August 2007

    Organizational Capabilities and Technology Enablers

    A well-designed implementation strategy for encryption and key management includes the following essential steps:

    • Identify and classify all information assets: Best-in-Class organizations are 4X more likely than Laggards to have a consistent asset classification scheme, and 3X more likely than Laggards to have classified and identified all data assets.

    • Establish policies for all classifications, applications, use cases, and locations involving sensitive data: Best-in-Class organizations enforce consistent policies for encryption and key management at a rate 3.3X higher than that of Laggards.

    • Implement enabling technologies to remediate known risks and to protect against future risks to sensitive data: as detailed in Table 3, Best-in-Class organizations have deployed encryption technologies and encryption-related infrastructure more broadly than their counterparts in Industry Average or Laggard organizations to achieve these objectives. See additional discussion on enabling technologies in the Aberdeen Insights section on Technology, below.

    • Establish controls to ensure that monitoring and compliance methods satisfy the requirements of both internal policies and external regulations: Best-in-Class organizations have established consistent controls at a rate 1.5X higher than that of the Industry Average, for both internal and external requirements.

    • Educate relevant stakeholders with formal awareness and end-user training programs around encryption and key management: Best-in-Class organizations do this with 2.3X higher incidence than all other companies, although at only 40% even the Best-in-Class can improve in this regard.

    Aberdeen Insights: Technology

    To date, companies surveyed deploying encryption to protect data at rest on end-user devices have focused most heavily on file encryption (45%) and full-disk encryption (20%) on desktops and laptops. Nearly twice as many respondents indicate they will deploy full-disk encryption versus file encryption for desktops / laptops in the year to come. In the next 12 months, organizations surveyed also indicate that they are seeking to gain more control over the data that is flowing to end-user devices, with significantly increasing attention on smart phones and PDAs, as well as USB devices such as iPods (to combat potential "Pod-slurping") and USB thumb drives (to prevent loss of data through "thumb-sucking"). Projected year-over-year growth in these areas (planned use versus current use) is >100%. The data wants to be free, and yet it must be protected.

    For protection of data in back-end applications, the data indicates more uniform deployment in areas such as database encryption, application encryption, server-to-server encryption, and encryption of Web Services transactions, each with >50% year-over-year growth in planned deployment.

    Indicated growth of several encryption-related infrastructure solutions is consistent with the expected evolution from tactical, point deployments to a more strategic, enterprise-wide approach to protecting sensitive data. Hardware Security Modules (HSMs), standalone Key Management solutions, Public-Key Infrastructure (PKI), and Smart Card Issuance systems all had year-over-year growth outlooks of about 50%. In addition, although starting from a relatively small base, the projected growth outlook for Trusted Platform Modules (TPMs) was very strong at >120%.

    As more technology solutions provide native, out-of-the-box support for encryption, organizations have the promise of broader deployment and better protection of sensitive data in the long term, as well as the short-term potential for market confusion and redundant management costs. Compared to the Industry Average, Best-in-Class organizations are about 10% more likely to support the use of third-party encryption solutions, but they are 2X more likely to support the use of encryption as it is supported natively in their portfolio of deployed solutions. This open attitude towards early adoption of native encryption by the Best-in-Class is more feasible due to the fact that these are the companies who have also adopted the more strategic, enterprise-wide approach to encryption and key management.


Chapter Three: Required Actions

Fast Facts: Best-in-Class companies are investing in automated key management and key distribution capabilities to cope with, and reap the benefits of, significantly broader use of encryption. Compared to all companies surveyed, the Best-in-Class supported 1.9X more keys with an estimated 34% lower total annual cost on a per-key basis.

Whether an organization is trying to move its performance in encryption and key management from Laggard to Industry Average, or from Industry Average to Best-in-Class, the following actions will help drive the necessary performance improvements.

Laggard Steps to Success

Identify and classify all information assets: only 10% of Laggard organizations have a consistent asset allocation scheme, and only 12% indicate that they have identified and classified all data assets. The hardest part of protecting data is first finding where it is.

Establish consistent policies: very few (8%) Laggard organizations indicated an increase in the consistency of policies across multiple applications, use cases and locations compared to a year ago. Planning and knowing what to do is a critical prelude to the implementation of enabling technologies.

Assign clear organizational ownership: only 18% of Laggard organizations have a responsible executive or team with primary ownership for the creation and revision of encryption and key management policies and practices. Clear responsibility and accountability ("one throat to choke") is a critical success factor for any IT security project.

Industry Average Steps to Success

Identify and classify all information assets: Industry Average organizations are on par with the Best-in-Class in having a consistent asset allocation scheme (40%), but only 27% indicate that they have identified and classified all data assets.

Increase consistency of policies: more than 50% of Industry Average organizations indicated an increase in the number of endpoint types using encryption and in the number of encryption keys under management, but only 18% indicated an increase in the consistency of policies across multiple applications, use cases and locations compared to a year ago.

Improve controls to sustain compliance: less than half of Industry Average organizations had implemented controls to ensure that their monitoring and compliance methods satisfy the requirements of both internal policies and external regulations.

    Best-in-Class Steps to Success

Identify and classify all information assets: Best-in-Class organizations led the way in having identified and classified their data assets, but at only 40% they should continue to carry out their work in this vitally important step.

Continue steps towards a strategic, top-down view of encryption and key management: only 36% of Best-in-Class organizations currently report management of encryption keys across their complete lifecycle, from generation to eventual termination.

Invest in end-user training and awareness: only 32% of Best-in-Class organizations indicate that they currently have formal awareness and end-user training programs around encryption and key management. The technological aspect of data protection is necessary, but not sufficient; the human factor plays a critical role as well.
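The lifecycle point above (generation through eventual termination, with retired keys still needed to check or recover older data) is easier to see in code. The following is an added illustration, not code from the Aberdeen report or any product: a minimal key manager that enforces the state transitions, keeps a deactivated key for verification only, and refuses to destroy a key while protected data still references it. It uses HMAC-SHA256 keys from the Python standard library so it runs anywhere; the key-ID format, the state names and the reference-counting scheme are assumptions of the example, not something the report specifies.

```python
"""Key-lifecycle state machine with reference counting. Added illustration, not code
from the Aberdeen report or any product. HMAC-SHA256 keys keep it standard-library
only; the same rules apply to encryption keys in a KMS or HSM (NIST SP 800-57 states)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from enum import Enum


class State(Enum):
    PRE_ACTIVATION = "pre-activation"
    ACTIVE = "active"            # protects new data, verifies old data
    DEACTIVATED = "deactivated"  # verify only; kept so existing data stays recoverable
    DESTROYED = "destroyed"      # material gone; nothing under it is recoverable


TRANSITIONS = {  # permitted moves; anything else is rejected
    State.PRE_ACTIVATION: {State.ACTIVE, State.DESTROYED},
    State.ACTIVE: {State.DEACTIVATED},
    State.DEACTIVATED: {State.DESTROYED},
    State.DESTROYED: set(),
}


@dataclass
class KeyRecord:
    kid: str
    state: State
    material: bytes
    refs: int = 0  # protected objects that still name this key


class KeyManager:
    def __init__(self):
        self.keys = {}
        self._active = None  # at most one key protects new data

    def generate(self):
        kid = secrets.token_hex(4)  # hypothetical key-ID format
        self.keys[kid] = KeyRecord(kid, State.PRE_ACTIVATION, secrets.token_bytes(32))
        return kid

    def _transition(self, kid, new):
        if new not in TRANSITIONS[self.keys[kid].state]:
            raise ValueError(f"{kid}: {self.keys[kid].state.value} -> {new.value} not permitted")
        self.keys[kid].state = new

    def activate(self, kid):
        self._transition(kid, State.ACTIVE)  # rejects anything not pre-activation
        if self._active is not None:  # the previous key drops to verify-only
            self._transition(self._active, State.DEACTIVATED)
        self._active = kid

    def rotate(self):
        kid = self.generate()
        self.activate(kid)
        return kid

    def destroy(self, kid):
        rec = self.keys[kid]
        if rec.refs > 0:  # never destroy a key that data still depends on
            raise ValueError(f"{kid}: {rec.refs} protected object(s) still reference it")
        self._transition(kid, State.DESTROYED)
        rec.material = b""  # a real HSM/KMS zeroises here

    def protect(self, data):
        rec = self.keys[self._active]  # KeyError if nothing has been activated
        rec.refs += 1
        return rec.kid, hmac.new(rec.material, data, hashlib.sha256).digest()

    def verify(self, kid, data, tag):
        rec = self.keys.get(kid)
        if rec is None or rec.state not in (State.ACTIVE, State.DEACTIVATED):
            return False
        expected = hmac.new(rec.material, data, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)

    def release(self, kid):  # a protected object was deleted or re-protected under a newer key
        self.keys[kid].refs -= 1


def lifecycle_demo():
    km = KeyManager()
    k1 = km.rotate()
    data = b"customer-record-1"  # constructed sample data
    _, tag = km.protect(data)
    k2 = km.rotate()  # k1 is now verify-only
    out = {"verifies_after_rotation": km.verify(k1, data, tag), "destroy_blocked": False}
    try:
        km.destroy(k1)  # must fail: the record still depends on k1
    except ValueError:
        out["destroy_blocked"] = True
    km.release(k1)  # the record was re-protected under k2
    km.destroy(k1)
    out["verifies_after_destroy"] = km.verify(k1, data, tag)
    out["states"] = (km.keys[k1].state.value, km.keys[k2].state.value)
    return out
```

Calling `lifecycle_demo()` walks one key through rotation, a blocked destroy, release and destruction. A real KMS or HSM adds what this omits: durable storage, access control on each operation, audit logging of every transition, and true zeroisation of key material on destroy.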

    Aberdeen Insights Summary

In an information-centric, de-perimeterized approach to protecting sensitive data, all organizations need to:

identify and classify their information assets;

establish consistent policies;

implement an appropriate portfolio of enabling technologies for encryption and key management; and

establish controls to ensure compliance with both internal policies and external regulations.

Technical controls alone are not enough; companies must also educate all relevant stakeholders through formal awareness and end-user training programs around encryption and key management. Clear ownership of, and accountability for, the creation and revision of encryption and key management policies and practices by a senior executive or team is also a critical factor for successful implementation.

Best-in-Class organizations have not only deployed encryption more widely for the protection of sensitive data, but have also begun to implement centralized key management and automated key distribution solutions to deliver higher scalability, lower operational costs, reduce risk, establish consistent security policies, and sustain regulatory compliance.


    Appendix A:

    Research Methodology

In August 2007, Aberdeen Group examined the current and planned use of encryption to protect sensitive data, and best practices for managing the encryption keys that secure the data over their life cycle. The experiences and intentions of more than 150 enterprises from a diverse set of organizations are represented in this study.

Respondents completed an online survey that included questions designed to determine the following:

The degree to which organizations are using encryption across an increasing variety of applications, servers, end-users, and networked devices;

The approaches taken to manage encryption keys across their complete lifecycle, from generation to eventual termination;

The degree to which encryption is being used to help organizations manage risk in a consistent way across multiple use cases and geographically dispersed locations; and

The impact of encryption and key management on the achievement of compliance with internal security policies and external regulations.

Aberdeen supplemented this online survey effort with telephone interviews with select survey respondents, gathering additional information on encryption and key management strategies, experiences, and results. The study aimed to identify emerging best practices for encryption and key management, and to provide a framework by which readers can assess their own capabilities in these areas.

    Responding enterprises included the following:

Job title/function: The research sample included respondents with the following job titles: President/CEO/COO/CIO/CSO/Chief Compliance Officer (28%); Vice President/Director (20%); Manager (22%); Staff/Consultant (25%). The largest segment by functional responsibility was IT, representing 56% of the sample.

Industry: The research sample included respondents from a wide variety of industries, including Finance/Banking (20%), Government/Aerospace/Defense (17%), Telecommunications (14%), Healthcare (7%), and Insurance (7%).

Geography: The majority of respondents (54%) were from North America. Remaining respondents were from Europe/Middle East/Africa (25%), the Asia-Pacific region (16%), and South/Central America (5%).

Company size: Large enterprises (annual revenues above US$1 billion) represented 22% of the respondents; 26% were from midsize enterprises (annual revenues between $50 million and $1 billion); and 52% of respondents were from smaller enterprises (annual revenues of $50 million or less).

Solution providers recognized as sponsors of this research were solicited after the fact and had no substantive influence on the direction of the final Encryption & Key Management benchmark report. Their sponsorship has made it possible for Aberdeen Group to make these findings available to readers at no charge.

    Table 4: PACE Framework Key

    Overview

Aberdeen applies a methodology to benchmark research that evaluates the business pressures, actions, capabilities, and enablers (PACE) that indicate corporate behavior in specific business processes. These terms are defined as follows:

Pressures: external forces that impact an organization's market position, competitiveness, or business operations (e.g., economic, political and regulatory, technology, changing customer preferences, competitive)

Actions: the strategic approaches that an organization takes in response to industry pressures (e.g., align the corporate business model to leverage industry opportunities, such as product/service strategy, target markets, financial strategy, go-to-market, and sales strategy)

Capabilities: the business process competencies required to execute corporate strategy (e.g., skilled people, brand, market positioning, viable products/services, ecosystem partners, financing)

Enablers: the key functionality of technology solutions required to support the organization's enabling business practices (e.g., development platform, applications, network connectivity, user interface, training and support, partner interfaces, data cleansing, and management)

    Source: Aberdeen Group, August 2007

    Table 5: Competitive Framework Key

    Overview

The Aberdeen Competitive Framework defines enterprises as falling into one of the following three levels of practices and performance:

Best-in-Class (20%): Practices that are the best currently being employed and significantly superior to the Industry Average, and result in the top industry performance.

Industry Average (50%): Practices that represent the average or norm, and result in average industry performance.

Laggards (30%): Practices that are significantly behind the average of the industry, and result in below average performance.

In the following categories:

Process: What is the scope of process standardization? What is the efficiency and effectiveness of this process?

Organization: How is your company currently organized to manage and optimize this particular process?

Knowledge: What visibility do you have into key data and intelligence required to manage this process?

Technology: What level of automation have you used to support this process? How is this automation integrated and aligned?

Performance: What do you measure? How frequently? What's your actual performance?

    Source: Aberdeen Group, August 2007


    Table 6: Relationship Between PACE and Competitive Framework

    PACE and Competitive Framework: How They Interact

Aberdeen research indicates that companies that identify the most impactful pressures and take the most transformational and effective actions are most likely to achieve superior performance. The level of competitive performance that a company achieves is strongly determined by the PACE choices they make and how well they execute.

    Source: Aberdeen Group, August 2007


    Appendix B:

    Related Aberdeen Research

Related Aberdeen research that forms a companion or reference to this report includes:

The Ins and Outs of Email Vulnerabilities (July 2007), http://www.aberdeen.com/summary/report/benchmark/4124-RA-email-vulnerabilities.asp

Protecting Cardholder Data: Best-in-Class Performance at Addressing the PCI Data Security Standard (June 2007), http://www.aberdeen.com/summary/report/benchmark/4102-RA-protecting-data.asp

Thwarting Data Loss (May 2007), http://www.aberdeen.com/summary/report/benchmark/3967-RA-Data-Loss.asp

Information on these and any other Aberdeen publications can be found at www.aberdeen.com.

Author: Derek E. Brink, Vice President & Research Director, IT Security ([email protected])

Aberdeen is a leading provider of fact-based research and market intelligence that delivers demonstrable results. Having benchmarked more than 30,000 companies in the past two years, Aberdeen is uniquely positioned to educate users to action: driving market awareness, creating demand, enabling sales, and delivering meaningful return-on-investment analysis. As the trusted advisor to the global technology markets, corporations turn to Aberdeen for insights that drive decisions.

As a Harte-Hanks Company, Aberdeen plays a key role of putting content in context for the global direct and targeted marketing company. Aberdeen's analytical and independent view of the "customer optimization" process of Harte-Hanks (Information, Opportunity, Insight, Engagement, Interaction) extends the client value and accentuates the strategic role Harte-Hanks brings to the market. For additional information, visit Aberdeen at http://www.aberdeen.com or call (617) 723-7890, or to learn more about Harte-Hanks, call (800) 456-9748 or go to http://www.harte-hanks.com.

    V073107b
