End-to-End Encryption: The PCI Security Holy Grail

By Ben Rothke and David Mundhenk, CSO

According to the PGP 2009 annual study of U.S. enterprise encryption trends, only 25% of US organizations have an encryption strategy in place that is enforced enterprise-wide. Part of the reason may be that companies are often terrified that encryption can lock them out of their own data. For that reason, some firms prohibit employees from using encryption on corporate assets, because they see it as a means to keep secrets from the company. But that concern is a non-issue in a well-designed encryption program. The fear can be readily addressed with stringent cryptographic administration policies and procedures, and by implementing key escrow and skeleton key components. The policies and procedures help to ensure proper cryptographic key management and administration and identify responsible key custodians; key escrow makes it possible to recover keys, and therefore critical data, in the event of an emergency.

One of the first vendors to address the problem of companies being locked out of their own data was PGP Corp., with its additional decryption key (ADK). Strictly speaking, it is an additional encryption key: data is encrypted to the ADK as an extra recipient, and decryption is done with the corresponding private key. The terminology "additional decryption key" and its acronym have stuck, however.
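The mechanism behind an ADK, and behind key escrow generally, is a multi-recipient envelope: the data is encrypted once under a random content-encryption key (CEK), and that CEK is then wrapped separately for each recipient plus, unconditionally, for the corporate escrow key. Whoever holds the escrow key can recover the CEK and hence the data, without needing the user's key. The example below is added here to illustrate that structure; it is not code from the article, from PGP Corp. or from any PGP product. To stay within the Python standard library it uses a small HMAC-SHA256-based authenticated stream construction as the cipher, which is a stand-in for the AES and OpenPGP primitives a real deployment would use; the key names, the "corp-adk" label and the sample record are all constructed for the illustration.

```python
"""Multi-recipient envelope with a mandatory escrow (ADK) wrap.

Illustrative only: the cipher below is a toy built from HMAC-SHA256 so the
script runs with the standard library alone. Production systems use AES-GCM
or an OpenPGP implementation; the *structure* (one CEK, one wrap per key
holder, escrow wrap always present) is what this demonstrates.
"""
import hashlib
import hmac
import os
from typing import Dict


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive a keystream of `length` bytes from key+nonce via HMAC in counter mode."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _seal(key: bytes, plaintext: bytes) -> Dict[str, str]:
    """Encrypt-then-MAC: XOR with keystream, then tag nonce||ciphertext."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def _open(key: bytes, box: Dict[str, str]) -> bytes:
    """Verify the tag in constant time before decrypting; wrong key => ValueError."""
    nonce = bytes.fromhex(box["nonce"])
    ct = bytes.fromhex(box["ct"])
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(box["tag"])):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def encrypt_envelope(plaintext: bytes, recipients: Dict[str, bytes],
                     adk_name: str, adk_kek: bytes) -> dict:
    """Encrypt once under a fresh CEK, then wrap the CEK for every recipient
    and, whether or not the caller listed it, for the escrow key (the ADK)."""
    cek = os.urandom(32)
    wrapped = {name: _seal(kek, cek) for name, kek in recipients.items()}
    wrapped[adk_name] = _seal(adk_kek, cek)  # escrow wrap is not optional
    return {"body": _seal(cek, plaintext), "wrapped_keys": wrapped}


def decrypt_envelope(envelope: dict, holder: str, kek: bytes) -> bytes:
    """Any listed key holder, including the escrow custodian, unwraps the CEK
    with their own key and then opens the body."""
    if holder not in envelope["wrapped_keys"]:
        raise KeyError(f"no wrapped key for {holder}")
    cek = _open(kek, envelope["wrapped_keys"][holder])
    return _open(cek, envelope["body"])


def escrow_recovery_works(record: bytes) -> bool:
    """Constructed scenario: the user's key is lost, the escrow key recovers
    the data, and an unrelated key is rejected by the authentication tag."""
    user_kek = os.urandom(32)       # constructed: the employee's key
    escrow_kek = os.urandom(32)     # constructed: key held by the key custodian
    unrelated_kek = os.urandom(32)  # constructed: a key with no wrap in the envelope
    env = encrypt_envelope(record, {"alice": user_kek}, "corp-adk", escrow_kek)
    by_user = decrypt_envelope(env, "alice", user_kek) == record
    by_escrow = decrypt_envelope(env, "corp-adk", escrow_kek) == record
    try:
        decrypt_envelope(env, "corp-adk", unrelated_kek)
        rejected = False
    except ValueError:
        rejected = True
    return by_user and by_escrow and rejected


if __name__ == "__main__":
    print(escrow_recovery_works(b"constructed sample: settlement batch 2009-07"))
```

The two points worth noticing are that the escrow wrap is added inside `encrypt_envelope` rather than left to the caller, so policy cannot be bypassed by omitting the ADK from the recipient list, and that the escrow custodian never sees the user's key at all, only the CEK for that one envelope.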

As stated already and as will be reiterated in this article, data encryption projects require extreme attention to detail. Project plans need to be tactical and focused on the specific application of the encryption services needed, and they should set concise strategic objectives and milestones. If encryption is not done correctly, it can degrade the performance of the applications and systems it protects and burden the people who are supposed to use it. It can also adversely impact existing Service Level Agreements with business partners, customers, service providers and other third-party entities.

Many encryption rollouts have failed because the company did not give sufficient attention to the design and testing phases preceding implementation. Far too many companies think that encryption is plug-and-play, which it most often is not. Effective encryption roll-outs take time, require significant attention to detail, and cannot be rushed.

As mentioned previously, an effective encryption roll-out requires a strategic approach. Forrester's Paul Stamp writes in Adopting an Enterprise Approach to Encryption that there are two main considerations when adopting a more enterprise-wide approach to encryption. They are as follows:

* Make sure that users and administrators can use the system transparently and simply in concert with other operational processes
