Encryption: Don’t forget your keys - Security Park
(11/04/2008)

The protection of sensitive data is one of the most critical concerns for organisations and their customers. Coupled with growing regulatory and governance pressures, this is forcing businesses to protect the integrity, privacy and security of information under their control more than ever before.

While this is a complex challenge that requires both policy and technology, cryptography is emerging as the foundation for enterprise data protection and is quickly becoming the cornerstone of security best practice. It is the last line of defence. Even if perimeter security is breached, cryptography means the data remains worthless unless it can be unlocked. Once seen as a specialised, esoteric discipline of information security, cryptography is finally coming of age.

Cryptography and encryption are not new technologies. Ever since the Egyptians, encryption has been seen as the most reliable way to secure data. National security agencies and major financial institutions have long protected their sensitive data using encryption, but today it is being deployed across a much wider set of industry sectors, applications and platforms.

As merchants and retailers take action in order to meet the stringent Payment Card Industry Data Security Standard (PCI DSS), the need to protect sensitive data is highlighted by the recent TJX breach that exposed at least 45 million customers' credit and debit card records. The investigation by the Canadian Government indicated that the lack of proper encryption was to blame; but looking more broadly the issue isn’t limited to just credit card data. In September, more than 800,000 people who applied for jobs at clothing retailer the Gap Inc. were alerted to the fact that a laptop containing personal information was stolen, exposing the applicants to potential identity theft.

A recent independent survey conducted by industry analyst firm Aberdeen Group supports this increased use of encryption, while also highlighting the need for better encryption key management.

The survey, ‘Encryption and Key Management’, which was co-sponsored by encryption management vendor nCipher, found that best-in-class organisations showed a major increase in the deployment of cryptography to protect sensitive data.

Eighty-one percent of respondents had increased the number of applications using encryption, 50 percent had increased the number of locations implementing encryption and 71 percent had increased the number of encryption keys under management compared with one year ago.

In order to address the challenges brought about by the increased deployment of cryptography, the same best-in-class companies were 60 percent more likely than the industry average to take a more strategic, enterprise-wide approach to encryption and key management. This is compared to the traditional and more tactical approach of addressing isolated points of risk such as the theft of laptops or back-up tapes.

The survey concludes that by investing in enterprise encryption and key management technologies, these organisations have already benefited by lowering the instances of actual or potential exposure, while simultaneously reducing key management costs by an average of 34 percent.

Access to encryption technology is getting easier and easier. It often comes bundled for free and has already made its way into a host of devices we use every day. Laptop computers, wireless access points and even devices such as vending machines, parking meters, gaming machines and electronic voting terminals, have encryption embedded. The same is true for business applications and data centre hardware such as back-up tape devices and database software.

The widespread availability of encryption is good news but without a clear way of managing its deployment a number of pitfalls remain. Organisations of all sizes and in all industries need to look seriously at the management of the cryptographic keys - the secret codes that lock and unlock the data.

Encryption is a powerful tool, but getting it wrong either from a technology or operational perspective can at best result in a false sense of security and, at worst, leave your data scrambled forever. If a key is lost, access to all of the data is lost. To put it bluntly, encryption without competent key management is effectively electronic data shredding. Just as with house keys, office keys or car keys, care must be taken to keep back-ups and thought needs to be given to who has access to the keys. Establishing a key management policy and creating an infrastructure to enforce it is therefore a vital component of a successful enterprise security deployment.

Key management is about bringing encryption processes under control, both from a security and a cost perspective. Keys must be created, backed up, delivered to the systems that need them (on time and ideally automatically, under the control of the appropriate people) and finally deleted at the end of their life-span. In addition to the logistics of handling keys securely, it is also critical to set and enforce policies that define the use of keys – the who, when, where and why of data access.

Archiving, recovery and delivery of keys are all crucial parts of the equation. For instance, if a laptop breaks down or a back-up tape is stolen the issue is not just one of security, but also business continuity. Information recovery takes on a whole new dimension, particularly in an emergency situation when the recovery process is performed in a different location, by a different team, governed by different policies and on protected data that is years or even decades old. What used to be a data management problem is now also a serious key management problem.

Traditionally, key management has been tied to specific applications and therefore quickly becomes fragmented as the number of applications increases. Scalability quickly becomes an issue as a result of relying on manual processes for renewing certificates, rolling over keys, moving and replicating keys across multiple host machines, and removing keys as machines and storage media are retired, fail or are redeployed. This also results in higher costs, particularly where security and auditability are high priorities.

The only way to deal with these challenges is through the use of a dedicated, general purpose key management system that can act as a centralised repository for storing and distributing keys for multiple applications or ‘end-points’. This provides a simple mechanism to unify key management policies and automate key life-cycle management tasks, greatly reducing costs and easing time critical tasks such as key recovery, key revocation and auditing.
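The life-cycle described above (create, back up, deliver, retire) and the recovery problem it creates can be made concrete in code. The following Go sketch is an added illustration, not code from the article or from nCipher: the `KeyStore` and `Sealed` types are hypothetical, AES-GCM is an assumed choice of cipher, and the repository is an in-memory map standing in for a real central key store. It shows that every ciphertext records the ID of its key, that a retired key with an archived copy can still recover old data, and that a key retired without a backup turns its data into the "electronic data shredding" the article warns about.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// KeyStore is a deliberately minimal stand-in for a central key repository (illustrative only): active keys may encrypt; archived copies exist solely so old data stays recoverable.
type KeyStore struct{ active, archive map[string]cipher.AEAD }
func NewKeyStore() *KeyStore {
	return &KeyStore{active: map[string]cipher.AEAD{}, archive: map[string]cipher.AEAD{}}
}
// Sealed tags a ciphertext with the ID of its key, so a recovery team years later knows which key to request.
type Sealed struct{ KeyID string; Nonce, Body []byte }
// Create generates a fresh 256-bit AES-GCM key and registers it under id for active use.
func (ks *KeyStore) Create(id string) error {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return err
	}
	block, _ := aes.NewCipher(k) // 32-byte key: a key-size error is impossible here
	ks.active[id], _ = cipher.NewGCM(block)
	return nil
}
// Backup archives a copy; Retire ends the key's life-span. A key retired without a backup is destroyed for good, and everything sealed under it is unreadable.
func (ks *KeyStore) Backup(id string) { if g, ok := ks.active[id]; ok { ks.archive[id] = g } }
func (ks *KeyStore) Retire(id string) { delete(ks.active, id) }
// Encrypt seals plaintext under an active key, binding the key ID as associated data.
func (ks *KeyStore) Encrypt(id string, plaintext []byte) (Sealed, error) {
	gcm, ok := ks.active[id]
	if !ok {
		return Sealed{}, errors.New("key not active: " + id)
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Sealed{}, err
	}
	return Sealed{id, nonce, gcm.Seal(nil, nonce, plaintext, []byte(id))}, nil
}
// Decrypt tries the active set, then the archive; a key held in neither means the data is lost.
func (ks *KeyStore) Decrypt(s Sealed) ([]byte, error) {
	gcm, ok := ks.active[s.KeyID]
	if !ok {
		if gcm, ok = ks.archive[s.KeyID]; !ok {
			return nil, errors.New("key lost, data unrecoverable: " + s.KeyID)
		}
	}
	return gcm.Open(nil, s.Nonce, s.Body, []byte(s.KeyID))
}
```

A real repository would add access control, audit logging and tamper-evident storage around these operations; the sketch only models the key states that decide whether data can ever be read again.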

But the key management solution itself must also be able to deliver complete security and integrity if it is to underpin enterprise data protection. This includes the security of the key repository, tamper controls surrounding audit capabilities and the fundamental integrity of the key management software.

If, as it seems, encryption is increasingly seen as the last line of defence to protect data, the key management challenge needs to be addressed. But this should not be a barrier. Implementing a flexible and extensible solution that automates many of the time-consuming and error-prone key management tasks across the enterprise is now achievable. But organisations need to deploy the correct tool to manage the keys. In the same way that data protection has moved from an IT challenge to a C-level issue, key management has now become a high-level business imperative.

nCipher is exhibiting at Infosecurity Europe 2008, www.infosec.co.uk

Opinion piece submitted by Richard Moulds, Executive VP Product Strategy, nCipher
