Is Runaway Encryption Sabotaging Your Security?

Sometimes, an organization’s biggest information security headaches come not from the ill-intentioned, but from employees who are trying to do the right thing. As companies and government agencies create and exchange unprecedented volumes of sensitive data, uncontrolled or “runaway” encryption is becoming a serious concern for organizations around the world.

Runaway encryption happens when employees, contractors, or other parties encrypt an organization’s data with user-selected tools. It can take many forms, from an employee using Office to encrypt PDFs on his or her laptop, to a project team using PKI to exchange intellectual property. However it happens, runaway encryption always poses the same fundamental problem: because the encryption is not under high-level control, the organization is at risk of losing access to its own data.

Right idea, wrong approach

Often, runaway encryption is the only option employees have. Many organizations still have not adopted enterprise-wide encryption policies, so security-minded workers are left to choose between leaving their data unprotected or applying their own encryption. In other cases, employees ignore company encryption policies and use their own tools instead, usually because the company’s solution is difficult to use or unreliable. While these employees are attempting to keep their organization’s information safe, they are unknowingly creating a new set of issues that can be just as damaging as data theft or misuse.

Uncontrolled encryption locks out not only hackers and spies, but also employees and teams that need to access the encrypted data for legitimate purposes like auditing, security management, and DLP processing. On a small scale, this causes inconvenience and delays as employees have to request each other’s passphrases or certificates in order to do their work. When hundreds or thousands of employees are simultaneously applying their own encryption, however, the problems escalate. Runaway encryption at the enterprise level can lead to potentially catastrophic breakdowns in several areas:

  • Ineffective DLP scanning: Data loss prevention (DLP) is a critical element of many organizations’ security strategies. When an encrypted file is submitted for DLP inspection, the DLP scanner can’t analyze the file contents, and therefore can’t determine whether the file should be blocked, re-routed, or allowed to pass through.

    If the DLP process is integrated with an enterprise-wide encryption solution that provides a decrypted version of the file, the inspection can proceed (for more on this topic, read "Persistent Data Security That Enhances DLP"). However, if the file was secured with runaway encryption, the DLP process breaks, and the organization must risk either blocking a potentially important authorized transmission or allowing a potentially harmful unauthorized transmission to pass through.

  • Incomplete auditing:Just as runaway encryption prevents effective DLP processing, it can disrupt or invalidate internal and external audits. When auditors can’t access an encrypted file, they must either track down the encryption key or make an assumption about the file’s contents. Among other issues, this can lead to unfavorable audit reports or undetected flaws in a company’s operations.

  • Permanent data loss: What happens when an employee uses uncontrolled encryption to protect important files, and subsequently leaves the organization? In a best-case scenario, the employee will decrypt the files or provide the encryption key before moving on, so that the organization can access the information contained in the files. Unfortunately, departing employees often forget to take this step, and their managers may not be aware that it’s necessary.

  • Other factors can further complicate the situation—an employee might forget his or her encryption keys, a disgruntled employee might refuse to provide the information, or an employee might pass away unexpectedly, leaving no possibility of recovering the encrypted data. In every case the result is the same, with the organization deprived of customer data, intellectual property, or other essential information.

Regaining control

As widespread as the problem has become, runaway encryption can be avoided. When employees have access to an enterprise-wide encryption solution that provides cross-platform operability and simple functionality, they have no need to apply separate encryption on their own.

PKWARE’s Smartcrypt makes it easy for employees to encrypt data no matter what operating systems or devices they use. Formerly difficult tasks like key creation, exchange, synchronization, and integration with identity management systems are handled in the background, leaving the encryption and decryption process transparent to end users. Integrations with Outlook and other applications allow employees to protect sensitive information with no change to their existing workflows.

Smartcrypt also enables full administrative oversight. The Smartcrypt manager console gives security managers complete control over encryption keys and access lists, ensuring that the organization will always be able to decrypt its own data. With a single encryption solution in place, organizations can use their IT policies to prevent employees from installing or using uncontrolled encryption products on company assets.

If you’re concerned about the effects of runaway encryption within your own organization, take a few moments to learn more about how Smartcrypt can protect your sensitive data and eliminate the gaps in your security infrastructure.