2018 thales data threat report - thales...

# 2018DataThreat 2018 THALES DATA THREAT REPORT Trends in Encryption and Data Security U.S. FINANCE EDITION


Post on 25-Jul-2020


Page 1: 2018 THALES DATA THREAT REPORT - Thales eSecuritygo.thalesesecurity.com/rs/480-LWA-970/images/2018-Thales-Data-T… · apps, IoT, and Big Data. • As was reported in virtually all

#2018DataThreat

2018 THALES DATA THREAT REPORT

Trends in Encryption and Data Security

U.S. FINANCE EDITION


TABLE OF CONTENTS

INTRODUCTION

KEY FINDINGS

SECURITY SPENDING UP CONSIDERABLY; SO ARE THE BREACHES

SPENDING IN ALL THE WRONG PLACES

More on spending

DATA SOVEREIGNTY

SECURING THE CLOUD

BIG DATA

IoT

DOCKERS/CONTAINERS

AI/MACHINE LEARNING

MOBILE PAYMENTS

BLOCKCHAIN TRENDS

RECOMMENDATIONS

OUR SPONSORS GEOBRIDGE


INTRODUCTION

There have been no signs of relief from ongoing reports of major data breaches globally, underlining the stark realities of the state of cybersecurity today. Year-to-year increases in IT security spending across a broad range of vertical markets and geographies have done little to stem the tide of breaches. The ongoing game of cat-and-mouse between attackers and security professionals suggests that the tactics, sophistication, and motivation are helping global attackers stay at least one step ahead of their often overwhelmed and beleaguered counterparts. The obvious – or what should be obvious – question is whether the cyber defenses that are being deployed today need to be re-examined for overall effectiveness and recalibrated.

Data security and data privacy in the U.S. Financial sector, which has historically been highly regulated, got a lot more stringent following the global financial collapse of 2009. The U.S. Congress enacted the Dodd-Frank Act mandating sweeping data management regulations. Moreover, Basel II and III state that global financial institutions must be certain their data is accurate and of high integrity. Atop these, U.S. Financial firms must also comply with explicit security regulations like PCI DSS for payment card information or Sarbanes-Oxley (SOX).

Earlier this year the European Union’s GDPR took effect, impacting any organization doing business with any of the 700 million residents of the EU – which obviously includes large U.S. Financial firms. Under both GDPR and U.S. regulations, U.S. Financial organizations must report any cyber incident within 72 hours; and under GDPR must tighten all policies and procedures concerning usage and storage of personal data. The hastily passed California Consumer Privacy Act promises to have a similar effect on this side of the pond, with strict requirements regarding how covered firms must protect personal data.

Add to this ever-stricter regulatory environment the rapidly growing threat environment and you’ve got a recipe for major data security headaches today for U.S. Financial firms. This report details steps U.S. Financial firms are taking to address these steep security challenges.

The data in this report is based on detailed input from more than 100 senior IT security managers in large U.S. Financial services organizations – all part of the Global Thales 2018 Global Data Threat Report. The Global report polled 1,200 IT security managers in eight countries and across four major vertical markets.


KEY FINDINGS

As with most other vertical sectors as well as discrete geographical sectors, report findings for the U.S. Financial sector are a mixed bag of news.

• A solid 84% of U.S. Financial firms are increasing security spending this year, well ahead of last year’s 78% and also ahead of this year’s global average of 78% (and 75% for Global Financial firms).

• But reported breaches are also up at U.S. Financial firms, with 36% reporting a successful breach last year (and 28% for Global Financial firms) compared with just 24% last year. Moreover, nearly two-thirds (65%) of U.S. Financial firms report being breached at some time in the past.

• In general, the U.S. Financial sector is more likely to store sensitive data in every ‘new’ or ‘emerging’ technology category, including SaaS, IaaS, PaaS, mobile apps, IoT, and Big Data.

• As was reported in virtually all other vertical and geographic segments, U.S. Financial firms are putting most of their security spending in support of technologies and solutions they ironically deem least effective, while budgeting the least spending in areas they deem most effective at stopping breaches.


[Figure: How spending in 12 months will compare to its current level. U.S. Financial 2018: 84%; U.S. Financial 2017: 78%; Global Financial 2018: 75%; Global Average 2018: 78%.]

[Figure: Data breach rates (breached at some point in the past; breached in the last year). Series: U.S. Financial 2018, U.S. Financial 2017, Global Financial 2018, Global Average 2018.]


• U.S. Financial respondents not surprisingly rank high in confidence that compliance requirements are either ‘very’ or ‘extremely’ effective at preventing breaches at 78%, compared with just 64% of the global average.

• Mirroring global sentiments, the U.S. Financial sector ranks encryption/tokenization as the top choice for securing emerging/new environments, with encryption with either locally managed keys (56%) or with keys managed by service providers (44%) the top choices for securing cloud resources.

• Improved monitoring and reporting tops the list for U.S. Financial firms of technologies that would boost willingness to adopt Big Data, while authentication and encryption/tokenization head this list for boosting adoption of IoT.

SECURITY SPENDING UP CONSIDERABLY; SO ARE THE BREACHES

The percent of U.S. Financial respondents planning increases in security spending jumped decisively this year (84% compared with 78% the previous year), also well ahead of the global average (also 78%). That said, the 33% of U.S. Financial respondents stating that spending would be ‘much higher’ significantly trail those in other segments such as U.S. Healthcare (46%) and U.S. Federal Government (73%). This may reflect the ongoing aggressive spending on security that the U.S. Financial sector has undertaken since the financial collapse of 2009, and a maintenance stream of spending rather than an upward step function. Nonetheless, this represents a large increase over last year’s report when just 24% of U.S. Financial respondents indicated ‘much higher’ spending ahead.


[Figure: Effectiveness of compliance requirements. U.S. Financial 2018: 78%; Global Financial 2018: 53%; Global Average 2018: 64%.]

[Figure: Spending of corporate defenses. U.S. Financial 2018: 33%; U.S. Financial 2017: 24%; Global Financial 2018: 23%.]


On the negative side, more than a third (36%) of U.S. Financial respondents said their organizations were breached last year, up over last year (24%) and well ahead of Global Financial (28%), which has likely driven the planned spending increases. Meanwhile, the number of U.S. Financial respondents saying their organization has been breached at least once in the past (65%) is in line with Global Financial (65%) and the overall global average (67%) – and shockingly high, given that this is where the world stores its critical financial assets.

The sharp increase in breaches reported last year has U.S. financial firms, not surprisingly, feeling more vulnerable to threats against sensitive data, with 89% feeling some level of vulnerability (in line with the global average of 90%). More to the point, 49% of U.S. Financial respondents report feeling either ‘very’ or ‘extremely’ vulnerable, well ahead of the 34% global average and the Global Financial average of 36%.

SPENDING IN ALL THE WRONG PLACES

As we have seen in virtually all vertical markets and geographic sectors, the U.S. Financial sector is spending the most money on the least effective defenses. To wit, network defenses ranked number one (89%) as most effective at stopping data breaches, followed closely by data-at-rest defenses at 88%, while endpoint/mobile defenses (71%) were ranked as least effective. Paradoxically, U.S. Financial firms’ spending plans for endpoint defenses are the highest at 69%. Network defenses are ranked second (67%), while data-at-rest (58%) ranked last, despite being ranked near the top in terms of effectiveness. Similarly, for Global Financial, data-at-rest (72%) defenses were ranked as most effective at stopping data breaches yet ranked dead last along with analysis and correlation tools at 38% in terms of spending plans.


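[Figure: Level of vulnerability to threats. Some level of vulnerability: U.S. Financial 2018 89%, U.S. Financial 2017 86%, Global Financial 2018 91%, Global Average 2018 90%. ‘Very’ or ‘extremely’ vulnerable: U.S. Financial 2018 49%, U.S. Financial 2017 27%, Global Financial 2018 36%, Global Average 2018 34%.]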

“U.S. Financial spending plans for end point defenses are the highest at 69%, despite being ranked as least effective, while data-at-rest (58%) ranked last, despite being ranked near the top in terms of effectiveness.”


[Figure: Effectiveness of defense categories at protecting sensitive data. Categories: network defenses; data-at-rest defenses; data-in-motion defenses; analysis and correlation tools; endpoint and mobile device defenses. Series: U.S. Financial 2018, Global Financial 2018, Global Average 2018.]

[Figure: Spending on defense categories. Categories: network defenses; data-at-rest defenses; data-in-motion defenses; analysis and correlation tools; endpoint and mobile device defenses. Series: U.S. Financial 2018, Global Financial 2018, Global Average 2018.]


[Figure: Main barriers to adopting/implementing data security. Categories: concerns about impacts on performance and business process; complexity; lack of budget; lack of organizational buy-in/low priority; lack of perceived need; lack of staff to manage. Series: U.S. Financial 2018, Global Financial 2018, Global Average 2018.]

More on spending

With U.S. Financial, compliance tops the list of drivers for security spending (43%), which is no surprise given the previously mentioned comprehensive regulatory environment faced by most financial firms. Avoiding financial penalties – also linked to compliance and regulation – is second (41%), with the impact of cloud a distant third (34%). Avoidance of penalties tops the list (43%) for Global Financial, followed closely by reputation and brand (42%).

Aside from U.S. Retail, U.S. Financial respondents are among the most optimistic with respect to compliance mandates. More than three-fourths (78%) of U.S. Financial firms view compliance requirements as either ‘very’ or ‘extremely effective’ at preventing breaches compared to the global average of 64%, and well ahead of last year’s 61% figure.

For U.S. Financial firms, tokenization tops the list of security solutions to be deployed this year (48% vs. 44% for the global average), followed closely by encryption with ‘bring your own key’ (BYOK) options (46% vs. 43% globally); hardware security modules (HSMs) were third at 40% (vs. 41% globally). Global Financial firms, however, put more emphasis on encryption with BYOK and SIEM (44% each) followed by multifactor authentication (42%).

Likely explanations include what we may think of as organizational inertia – ‘old habits die hard’ – established budget patterns, as well as perceptions that other forms of security are more complex, costly or have negative impacts on user experience. Indeed, for U.S. Financial firms, concerns about impacts on performance and business process (44%) are the top barrier, followed by the perception of complexity in implementing data security (43%). For Global Financial, complexity is also the top answer (42%), followed by lack of staff (40%).


DATA SOVEREIGNTY

In such a highly regulated industry as financial services and with GDPR in full bloom, data sovereignty looms large. Only 19% of U.S. Financial respondents and Global Financial respondents say they won’t be impacted by GDPR (13% global average). The top solution to protect personal data to comply with local data sovereignty rules for U.S. Financial firms is encryption (47% vs. the global average of 42%) – by a wide margin. Migrating customer data to new locations to remain compliant with data privacy/sovereignty regulations was a very distant second at 14%.


[Figure: Strategy for complying with local data sovereignty rules. Categories: encrypt personal data; migrate customer data; tokenize personal data; utilize local hosting or cloud providers; not impacted. Series: U.S. Financial 2018, Global Financial 2018, Global Average 2018.]

[Figure: Top security solutions to be deployed this year. Categories: tokenization; Bring Your Own Key (BYOK) encryption key management; hardware security modules; multi-factor authentication; security information and event management (SIEM) or other log analysis and analytical tools. Series: U.S. Financial 2018, Global Financial 2018, Global Average 2018.]


SECURING THE CLOUD

Most organizations are pursuing a multi-cloud strategy today, and this is even more true for the U.S. Financial sector. Multi-cloud strategies for this sector are made all the more challenging given the stringent regulatory and compliance environment that most financial firms face, as well as potential performance impacts from increased latency or downtime.

• IaaS: More than half – 57% – of both U.S. Financial respondents and the global average are using three or more IaaS providers.

• PaaS: Just 11% of U.S. Financial respondents are using just one PaaS provider while nearly two thirds – 62% – report using 2 or 3, compared with 56% for the global average.

• SaaS: Nearly half of U.S. Financial respondents (45%) use more than 51 SaaS applications (42% globally, 35% Global Financial). Further, nearly two-thirds (63%) of U.S. Financial respondents report storing sensitive data in SaaS applications compared with just 45% globally and 47% for Global Financial.

• A full 85% of U.S. Financial firms report storing sensitive data in the cloud (SaaS, IaaS, PaaS, etc.), the same as U.S. Retail but higher than U.S. Healthcare (70%) and much higher than U.S. Government (55%), likely reflecting the latter’s greater willingness to adopt cloud technologies to remain competitive.

[Figure: Number of IaaS providers currently used or planned to use (3 or more; 2; 1). Series: U.S. Financial 2018, Global Financial 2018, Global Average 2018.]

[Figure: Number of PaaS providers currently used or planned to use (2 or 3; 1). Series: U.S. Financial 2018, Global Financial 2018, Global Average 2018.]

[Figure: Number of SaaS apps currently used or planned to use (51+; 26-50; 11-25; 0-10). Series: U.S. Financial 2018, Global Financial 2018, Global Average 2018.]

[Figure: Storing sensitive data in SaaS applications in 2018. U.S. Financial: 63%; Global Average: 45%; Global Financial: 47%.]

[Figure: Storing sensitive data in the cloud (i.e. SaaS, IaaS, PaaS, etc.) in 2018. U.S. Financial: 85%; U.S. Retail: 85%; U.S. Healthcare: 70%; U.S. Government: 55%.]


Attacks and breaches at the cloud provider remain the top cloud security concern globally, and those concerns are growing (64%, up from 59% last year) along with growing cloud usage. Among U.S. Financial respondents specifically, the top cloud security concerns include increased vulnerabilities from shared infrastructure, security breaches at providers, and monitoring and deploying multiple cloud-native security tools – at 77% each. Security breaches also topped the list of concerns for Global Financial (61%).

For cloud security controls, the U.S. Financial sector favors encryption with local key management (56%); detailed physical and IT architectural and security implementation information ranked second at 48%, and encryption controlled by service providers ranked third (44%). In contrast, encryption with service provider key control ranks number one with Global Financial (44%), indicating that key control remains more of an issue with the U.S. Financial sector, perhaps reflecting greater regulatory scrutiny as well as greater concerns regarding government surveillance.


[Figure: Data security concerns about public cloud services. Categories: increased vulnerabilities from shared infrastructure; security breaches/attacks at the service provider; managing, monitoring and deploying multiple cloud-native security tools; lack of control over the location of data/data residency concerns; managing encryption keys across multiple cloud environments. Series: U.S. Financial 2018, Global Financial 2018, Global Average 2018.]

[Figure: Security options that would increase willingness to use public cloud. Categories: encryption of my organization's data with the ability to store and manage my encryption keys locally; detailed physical and IT architectural and security implementation information; encryption of my organization's data within the service provider's infrastructure with keys stored and managed by the service provider; service level agreements and liability terms for a data breach. Series: U.S. Financial 2018, Global Financial 2018, Global Average 2018.]


BIG DATA

With respect to Big Data, discovering where sensitive data may be located within a Big Data environment ranks as the top concern for U.S. Financial firms (37%, vs. 27% globally and 29% for Global Financial). Tied for second place are the security of reports that may contain sensitive data and data residency concerns (35% each). Lack of native security frameworks/controls within the Big Data environment is the top concern for Global Financial (36%).


[Figure: Concerns about Big Data implementations. Categories: discovering where sensitive data may be located within a Big Data environment; sensitive information may reside anywhere within the environment; security of reports that may include sensitive data; privacy violations from data originating in multiple countries; lack of native security frameworks/controls within the Big Data environment. Series: U.S. Financial 2018, Global Financial 2018, Global Average 2018.]


Meanwhile, the top choice for security tools that would increase the use of Big Data – a new question this year – is improved monitoring and reporting tools (43%) for U.S. Financial firms, well ahead of the global average (36%) and Global Financial (34%). This is followed by stronger authentication at 39% (which is number one for Global Financial at 38%).

IoT

In addition to the manufacturing, energy and healthcare sectors, financial institutions are also adopting IoT for use cases such as sensors for predictive maintenance for ATMs, as well as video cameras to cross-reference identity verification. Insurers could also adopt IoT to collect personal data to help establish more accurate premiums for health and auto insurance.

The top IoT security concern cited by the U.S. Financial sector is protecting sensitive data generated by an IoT device (31% vs. 26% globally). Attacks on IoT devices that may impact critical operations is second at 27% vs. 26% globally. For U.S. Financial firms, the top two security controls that would boost usage of IoT are authentication (58% vs. 47% globally) and encryption/tokenization (53% vs. 48% globally).


[Figure: Tools that would increase the use of Big Data. Categories: improved monitoring and reporting tools; stronger authentication for access to the big data environment; compliance certifications for big data environments; capability to mask data by role within the big data environment; sensitive data discovery/classification; system-level encryption and access controls on underlying systems and compute nodes; capability to analyze and use encrypted or tokenized data within big data environments. Series: U.S. Financial 2018, Global Financial 2018, Global Average 2018.]


DOCKERS/CONTAINERS

Container usage is gaining rapid adoption across all vertical segments and geographical regions. For U.S. Financial firms, the top container security concern is the security of data stored in containers (38%), followed by privacy violations (34%). The top security controls needed for greater adoption of containers by U.S. Financial firms are encryption (56%) followed by digital signatures for validating published container images (45%) and vulnerability scanning (43%). Encryption ranked #1 in 2017 with 54% followed by anti-malware at 44%. For Global Financial, anti-malware was the top security control needed for greater adoption of containers (52%), closely followed by encryption (45%) and monitoring (41%).

“For the U.S. Federal, the top choice was the ability to analyze and encrypt/tokenize Big Data coming out on top (34% vs. 30% at Global Federal and 32% overall).”

[Figure: Concerns about IoT implementations. Categories: protecting sensitive data generated by an IoT device (encryption, tokenization, etc.); attacks on IoT devices that may impact critical operations; lack of skilled personnel to implement IoT securely; identifying or discovering data generated by an IoT device that may be sensitive; lack of security frameworks and controls within the IoT environment. Series: U.S. Financial 2018, Global Financial 2018, Global Average 2018.]

[Figure: Tools that would increase IoT deployments. Categories: authentication/secure digital identification of IoT devices; encryption/tokenization of data generated by IoT devices; perimeter/gateway protections between IoT/ICS and IP networks; anti-malware; behavioral analytics/anomaly detection. Series: U.S. Financial 2018, Global Financial 2018, Global Average 2018.]


AI/MACHINE LEARNING

This represents another new area of questions in this year’s report. Like most security tools, AI can be put to both beneficial and malicious uses, and thanks to new API-based AI and machine-learning services such as Google’s Cloud AutoML, AI is quickly becoming more mainstream. The good news is that beneficial uses of AI are viewed as greatly outnumbering nefarious uses. Two-thirds (67%) of U.S. Financial respondents and 68% of Global Financial respondents report that using machine learning or AI helps increase data security by recognizing and alerting on attacks. On the flip side, 43% of U.S. Financial respondents and 46% of Global Financial say the use of AI/Machine Learning is resulting in increased breaches due to their ongoing use by sophisticated hackers.


[Figure: Tools that would increase container adoption. Categories: data security (encryption); digital signatures for validating published container images; vulnerability scanning; monitoring; anti-malware. Series: U.S. Financial 2018, Global Financial 2018, Global Average 2018.]


[Figure: Impact of AI and machine learning on data security. Results in increased threats due to use as a hacking tool: U.S. Financial 2018 43%, Global Financial 2018 46%, Global Average 2018 43%. Increases data security by recognizing and alerting on attacks: U.S. Financial 2018 67%, Global Financial 2018 68%, Global Average 2018 64%.]


MOBILE PAYMENTS

In another new area of questioning for this year’s report, mobile payments represent a fast-growing technology segment that is also spurring fresh security concerns for banks and retail as well. Financial institutions must be mindful of new participants entering the mobile payments ecosystem, such as technology companies and retailers, that offer their own mobile payment apps, such as Walmart, Kohl’s, Starbucks and Shell. These stakeholders in nearly all cases rely on bank account information and credit card credentials to power their applications, creating new attack vectors for fraudsters to exploit.

The top security concerns for mobile payment applications for U.S. Financial firms are weak authentication protocols used by mobile payment apps and fraudsters using mobile payment apps for new account fraud – each at 44%. Potential exposure of payment card information (other than payment card info) was #1 for Global Financial at 44% as well as for the global average at 41%.

BLOCKCHAIN TRENDS

Blockchain could be one of the most significant new developments in years for securing transactions and protecting data, and is thus particularly relevant for financial institutions. Though it is still very early for commercial implementations of blockchain, just 8% of both U.S. Financial respondents and respondents globally have no plans to adopt blockchain (7% for Global Financial). The main use cases cited for blockchain by U.S. Financial firms include financial transactions/secure payments (48% vs. 38% globally) and protecting customer information (43% vs. 40% globally). For Global Financial firms, financial transactions/secure payments were #1 at 42% and protecting customer information #2 at 37%.


[Figure: Data security concerns for mobile payment applications. Series: Global Financial 2018, Global Average 2018, U.S. Financial 2018. Categories: weak authentication protocols used by mobile payment apps; fraudsters using mobile payment apps for new account fraud; potential exposure of payment card information; potential exposure of personally identifiable information (other than payment card info); fraudsters using mobile payment apps for account takeover (ATO).]


Blockchain was noted in earlier vertical market reports as finding widespread potential usage, for example in Healthcare for securing highly sensitive personal health information and in retail for securing inventories and other sensitive data.

[Figure: Potential uses for blockchain. Series: Global Financial 2018, Global Average 2018, U.S. Financial 2018. Categories: for financial transactions/secure payments; to protect customer information; to authenticate users; to authenticate devices; for online purchase transactions.]


“More than two-thirds (61%) say they are likely to store sensitive data in PaaS, the highest among all countries and well above the 39% global average. Another 59% will store sensitive data in SaaS vs. 45% globally; and 57% will do so in IaaS vs. 41% globally.”


RECOMMENDATIONS

RE-PRIORITIZE YOUR IT SECURITY TOOL SET

With increasingly porous networks, and expanding use of external resources (SaaS, PaaS and IaaS most especially) traditional endpoint and network security are no longer sufficient, particularly for heavy adopters of public cloud resources such as the U.S. Financial sector, yet the latter continue to garner the bulk of attention with respect to security budgeting plans. Conversely, data security offers increased effectiveness at protecting both known and unknown sensitive data found within advanced technology environments like cloud, containers, Big Data and IoT.

Services-based deployments, platforms and automation can help reduce usage and deployment complexity for an additional layer of protection for data.

DISCOVER AND CLASSIFY

Get a better handle on the location of sensitive data, particularly to deal with SaaS apps, Big Data, IoT and data sovereignty mandates such as GDPR and the California Consumer Privacy Act that could impact both U.S. based and global financial firms.

DON’T JUST CHECK OFF THE COMPLIANCE BOX

More than three-fourths of U.S. Financial respondents still have considerable faith in compliance mandates. However, financial organizations should consider moving beyond compliance and adopting security tools such as encryption or tokenization that may be more appropriate as new technologies like cloud, IoT and mobile payments are increasingly adopted by financial firms looking for a competitive edge.

ENCRYPTION AND ACCESS CONTROL

Encryption needs to move beyond laptops and desktops.

• Cloud: Encrypt and manage keys locally, BYOK is an enabler for enterprise SaaS, PaaS and IaaS use, particularly for heavy cloud adopters like Financial Services

• Big Data: Employ encryption and tokenization as a complement to monitoring and access controls

• Containers: Encrypt and control access to data both within containers and underlying data storage locations

• IoT: Use secure device ID and authentication, as well as encryption of data at rest on devices, back-end systems and in transit to limit data threats

• Data Sovereignty: Consider both encryption and tokenization as a way to avoid hefty fines from violating nascent privacy laws like GDPR


ANALYST PROFILE

Garrett Bekker is a Principal Analyst in the Information Security Practice at 451 Research. He brings a unique and diverse background, having viewed enterprise security from a variety of perspectives over the past 15 years. Garrett spent more than 10 years as an equity research analyst at several investment banking firms, including Merrill Lynch, where he was the lead enterprise security analyst, as an investment banker, and also in sales and marketing roles with early-stage enterprise security vendors. Throughout his career, Garrett has focused on a wide variety of subsectors within enterprise security and is now focusing primarily on identity and access management (IAM) and data security, with a special interest in applying the former to cloud-based resources.

ABOUT 451 RESEARCH

451 Research is a preeminent information technology research and advisory company. With a core focus on technology innovation and market disruption, we provide essential insight for leaders of the digital economy. More than 100 analysts and consultants deliver that insight via syndicated research, advisory services and live events to over 1,000 client organizations in North America, Europe and around the world. Founded in 2000 and headquartered in New York, 451 Research is a division of The 451 Group.

ABOUT THALES eSECURITY

Thales eSecurity is a leader in advanced data security solutions and services that deliver trust wherever information is created, shared or stored. We ensure that the data belonging to companies and government entities are both secure and trusted in any environment – on-premise, in the cloud, in data centers or big data environments – without sacrificing business agility. Security does not just reduce risk; it is an enabler of the digital initiatives that now permeate our daily lives – digital money, e-identities, healthcare, connected cars and with the internet of things (IoT) even household devices. Thales provides everything an organization needs to protect and manage its data, identities and intellectual property and meet regulatory compliance – through encryption, advanced key management, tokenization, privileged user control and high assurance solutions. Security professionals around the globe rely on Thales to confidently accelerate their organization’s digital transformation. Thales eSecurity is part of Thales Group.

Please visit www.thalesesecurity.com and find us on Twitter @thalesesecurity.

PLATINUM PARTNER – GEOBRIDGE

Established in 1997, GEOBRIDGE emerged as one of the first information security solutions providers to support cryptography and payment applications for payment processors, financial institutions and retail organizations. Today, GEOBRIDGE is a leading information security solutions and compliance provider that provides Cryptography and Key Management, Payment Security, Compliance, and HSM Virtualization solutions and services to our clients. Our client list includes Fortune 500 companies, financial institutions, healthcare organizations and government clients across North America and around the globe. GEOBRIDGE leverages our team’s expertise in data protection, program development, enforcement and governance to help architect solutions to help mitigate risk for our clients.

PLATINUM PARTNER – VENAFI

Venafi is the cyber security market leader in machine identity protection, securing machine-to-machine connections and communications. Venafi protects machine identity types by orchestrating cryptographic keys and digital certificates for SSL/TLS, IoT, mobile and SSH. Venafi provides global visibility of machine identities and the risks associated with them for the extended enterprise – on premises, mobile, virtual, cloud and IoT – at machine speed and scale. Venafi puts this intelligence into action with automated remediation that reduces the security and availability risks connected with weak or compromised machine identities while safeguarding the flow of information to trusted machines and preventing communication with machines that are not trusted.

With 31 patents currently in its portfolio, Venafi delivers innovative solutions for the world’s most demanding, security-conscious Global 2000 organizations. Venafi is backed by top-tier investors, including Foundation Capital, Intel Capital, Origin Partners, Pelion Venture Partners, QuestMark Partners, Mercato Partners and NextEquity. For more information, visit: www.venafi.com.

Garrett Bekker Principal Analyst 451 Research


©2018 Thales