Monthly Archives: June 2024

2024 Global Study on Securing the Organization with Zero Trust, Encryption, Credential Management & HSMs

To stave off never-ending security exploits, organizations are investing in advanced technologies and processes. The purpose of this report, sponsored by Entrust, is to provide important information about the use of zero trust, encryption trends, credential management and HSMs to prepare for and prevent cyberattacks. The research also reveals what organizations believe to be the most significant threats. The top three are hackers, system or process malfunction and unmanaged certificates.

A second report will present the research findings of PKI and IoT, as well as how organizations are preparing to transition to post quantum cryptography in order to mitigate the quantum threat. For both reports, Ponemon Institute surveyed 4,052 IT and IT security practitioners who are familiar with the use of these technologies in their organizations.

“With the rise of costly breaches and AI-generated deepfakes, synthetic identity fraud, ransomware gangs, and cyber warfare, the threat landscape is intensifying at an alarming rate,” said Samantha Mabey, Director, Solutions Marketing at Entrust. “This means that implementing a Zero Trust security practice is an urgent business imperative – and the security of organizations’ and their customers’ data, networks, and identities depends on it.”

The countries in this research are the United States (908 respondents), United Kingdom (458 respondents), Canada (473 respondents), Germany (582 respondents), UAE (355 respondents), Australia/New Zealand (274 respondents), Japan (334 respondents), Singapore (367 respondents) and Middle East (301 respondents).

Organizations are adopting zero trust because of cyber risk concerns. Zero trust is defined in this research as an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets and resources. It assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location or based on asset ownership. Sixty-two percent of respondents say their organizations have adopted zero trust at some level. However, only 18 percent of respondents have implemented all zero-trust principles.

In the survey, 67 percent of respondents say the most important drivers for implementing a zero-trust strategy are the risk of a data breach and/or other security incidents (37 percent) and the expanding attack surface (30 percent).

Following are the most salient findings from this year’s research.

The slow but growing adoption of zero trust

  • As evidence of the importance of zero trust to secure the organization, 57 percent of respondents that have or will implement zero trust say their organizations will include zero trust in their encryption plans or strategies. Sixty-two percent of respondents say their organizations have implemented all zero-trust principles (18 percent), some zero-trust principles (12 percent), laid the foundation for a zero-trust strategy (14 percent) or started exploring various solutions to help implement their zero-trust strategy (18 percent). According to the research, a lack of in-house expertise is slowing adoption.
  • Senior leaders are supporting an enterprise-wide zero-trust strategy. Fifty-nine percent of respondents say their leadership has significant or very significant support for zero trust. As evidence of senior leadership’s support, only 37 percent of respondents say lack of leadership buy-in is a challenge. The biggest challenges when implementing zero trust are lack of in-house expertise (47 percent of respondents) or lack of budget (40 percent of respondents). 
  • Securing identities is the highest priority for a zero-trust strategy. Respondents were asked to select the one area that has the highest priority for their zero-trust strategy. The risk areas are identities, devices, networks, applications and data. Forty percent of respondents say identities and 24 percent of respondents say devices are the priorities. 
  • Best-of-breed solutions are most important for a successful zero-trust strategy (44 percent of respondents). This is followed by an integrated solution ecosystem from one to three vendors (22 percent of respondents). 

Trends in encryption and encryption in the public cloud: 2019 to 2024 

  • Hackers are becoming more of a threat to sensitive and confidential data. Organizations need to make the hacker threat an important part of their security strategies. Since the last report, a significant increase from 29 percent of respondents to 46 percent of respondents cite hackers as the biggest concern to being able to protect sensitive and confidential information. 
  • Management of keys and enforcement of policy continue to be the most important features in encryption solutions. Respondents were asked to rate the importance of certain features in encryption solutions. The most important features are management of keys, enforcement of policy and system performance and latency. 
  • Since 2019, organizations have been steadily transferring sensitive and confidential data to public clouds whether or not it is encrypted or made unreadable via some other mechanism. In this year’s study, 80 percent of respondents say their organizations currently transfer it (52 percent) or are likely to do so in the next 12 to 24 months (28 percent).
  • Encryption performed on-premise prior to sending data to the cloud using organizations’ own keys has declined significantly since 2019. The main methods for protecting data at rest in the cloud are using keys generated/managed by the cloud provider (39 percent of respondents) or encryption is performed in the cloud using keys their organizations generate and manage on-premises. Only 23 percent of respondents say encryption is performed on-premise. 
  • There has been a significant decrease in organizations only using keys controlled by their organization (from 42 percent to 22 percent of respondents). Instead, the primary strategy for encrypting data at rest in the cloud is the use of a combination of keys controlled by their organization and by the cloud provider, with a preference for keys controlled by their organization, a significant increase from 19 percent of respondents to 32 percent of respondents in 2024. This is followed by only using keys controlled by the cloud provider (24 percent of respondents). 
  • The importance of privileged user access controls has increased significantly. Respondents were asked to rate the importance of cloud encryption features on a scale of 1 = not important to 5 = most important. Privileged user access controls increased from 3.23 in 2022 to 4.38 in 2024 on the 5-point scale. The importance of granular access controls and the ability to encrypt and rekey data while in use without downtime also increased significantly. 

Trends in credential management and HSMs: 2019 to 2024 

  • Lack of skilled personnel and no clear ownership make the management of credentials painful. Fifty-nine percent of respondents say managing keys has a severe impact on their organizations. There are interesting trends in what causes the pain since 2019. The lack of skilled personnel (50 percent of respondents) and no clear ownership (47 percent of respondents) continue to make credential management difficult. Insufficient personnel increased from 34 percent to 46 percent of respondents. Not causing as much pain are the inadequacy of key management tools (from 52 percent to 32 percent) and isolated and fragmented systems (from 46 percent to 29 percent).
  • Many types of keys are getting less painful to manage. Between 2019 and 2024, the following keys have become less painful to manage: external cloud or hosted services including Bring Your Own Keys (from 54 percent to 22 percent of respondents), SSH keys (from 57 percent to 27 percent of respondents) and signing keys (e.g., code signing, digital signatures) (from 52 percent to 25 percent of respondents).
  • Management of credentials is challenging because it is harder to consistently apply security policies over credentials used across multi-cloud and cross-cloud environments. Fifty-five percent of respondents say the management of credentials is becoming more challenging in a multi-cloud and cross-cloud environment. Thirty-six percent of respondents say it is due to the difficulty in consistently applying security policies over credentials used across cloud services, followed by the difficulty of having visibility over credentials that protect and enable access to critical data and applications (33 percent of respondents). The applications that require the use of credential management across cloud-based deployments are mainly KMIP-compliant applications (44 percent of respondents), and databases, back-up and storage (43 percent of respondents).
  • More organizations are using Hardware Security Modules (HSMs). An HSM is a dedicated crypto processor that is specifically designed for the protection of the crypto key lifecycle. Since 2019, the use of HSMs has increased from 47 percent of respondents to 55 percent of respondents.
  • Organizations value the use of HSMs. Since 2019, organizations are increasing the use of HSMs as part of their encryption and credential management strategies. The use of application-level encryption, database encryption and TLS/SSL has increased significantly. For the first time, respondents were asked where HSMs are deployed. Most are deployed in online root, offline root and issuing CA.

You can download a full copy of the report at Entrust’s website.

They’re finding dead bodies outside scam call centers; it’s time to sound the alarm on fraud

Bob Sullivan

“The cartel just very quickly, easily, and efficiently made an example of them by leaving their body parts in 48 bags outside of the city….They’re good at making high profile, gruesome examples of those who would defy them.”

I’ve spent many years writing about Internet crime, so I don’t spook easily.  After working on this week’s podcast, I’m spooked.

For the last year or two, I’ve had a gathering sense of doom about the computer crime landscape. I hear about scams constantly, but something has seemed different lately. The dollar figures seem higher, the criminals more relentless, the cover stories far more sophisticated. Thanks to fresh reporting and statistics, I am now fairly certain I’m not being paranoid. Increasingly, Internet scams are being run by organized crime organizations that combine the dark side of street gangs with Fortune 500 sales tactics. I will share numbers in a moment, but stories are always needed to make a point this important, and that’s why we bring you “James’” harrowing tale this week. He wanted to sell an old, useless timeshare, but instead had $900,000 stolen from him — by the New Generation Jalisco Cartel in Mexico. That same group was blamed for murdering call center workers and spreading their body parts around Jalisco.

This episode offers a rare chance to hear a scam in action. James recorded some of his calls with criminals and shared them with us. ‘Show me, don’t tell me’ is the oldest advice in storytelling, and that’s why I really hope you’ll listen. As you hear criminals who go by the names “Michael” and “Jesus” badger and manipulate James, your skin will crawl, as mine did. But I hope it will also place a memory deep in your limbic brain, so when you inevitably find yourself on the phone with such a criminal one day, an autonomic defensive reaction will kick in.

For this episode, I also spoke with a remarkable journalist named Steve Fisher. An American from rural Pennsylvania, he worked on farms as a youth, learned a lot about the plight of migrant workers, and that led him to take a post as an investigative journalist in Mexico City covering crime gangs. Fisher recently wrote about a victim like James who thought he was unloading an unwanted timeshare, but instead had $1.8 million stolen during a decade of interactions with the cartel. In that victim’s case, about 150 different cartel “workers” interacted with him. I can’t begin to stress how vast this conspiracy is — how detailed the cartel’s record-keeping must be — in order to carry on this kind of ongoing crime. As we point out in the story, timeshare scams have become so profitable that this dangerous Mexican cartel is trading in drug running operations for call centers. The gruesome methods of control remain, however.

This model is replicated around the world.  From India, there are tech support scams. From Jamaica, we get sweepstakes fraud. From Southeast Asia, cryptocurrency scams.  From Africa, romance scams.

(Of course, there are scams operated in the U.S., too, but those criminals don’t enjoy the natural protection that international boundaries and jurisdictional challenges provide).

I know most of us imagine scam criminals sitting in dark, smoke-filled boiler rooms placing 100s of calls every day desperately hunting for single victims.  That’s not how it works any more. Scam call center “employees” work in cubicles  (though in some cases, they are victims of human trafficking).  They have fine-tuned software; they work from lead lists; they have well-researched sales scripts; they have formalized training. And they succeed, very often.

The numbers bear this out. Theft through fraud has surged over the last five years, with losses jumping from $2.4 billion in 2019 to more than $10 billion in 2023. Of course, many scam losses are never reported, so the real number could easily be four or five times that.

But I trust my own ears, and you should too.  Recently, I have heard a pile of stories from victims in my larger social circle.  Plenty of near misses — friends who tell me they got a call from a “sheriff” about an arrest summons that was so believable they were driving to a bitcoin ATM before something triggered skepticism.  Unfortunately, I hear plenty of heartbreaking stories too, of people who bought gift cards or sent crypto before that skepticism kicked in.

I want you to listen for these stories in your life. Look for them in your social feeds, ask for them at family parties. I bet you leave this exercise just as concerned as I am. Scams have become big businesses, operated by large, sophisticated crime gangs all over the world. It’s time to talk with your friends and family about this.

We can’t educate our way out of this problem. There’s a lot more that U.S. financial institutions, regulators, and law enforcement can do to slow the massive growth of fraud. But at the moment, you are the best defense for yourself and the people you love.

To that end, I would like to suggest you listen to this week’s episode and share it with people you care about. I can tell you that scams are up, and that criminals are so persuasive anyone can be vulnerable. But there is nothing like hearing it for yourself.

Be careful out there.

You can listen to part 1 of our series by clicking here. And part two is at this link.