Sunday, June 1, 2014

Locked In: Keeping Your Enterprise Encryption Keys in Order

Posted by on in Data Security


Every year, spring cleaning results in a few re-discoveries around my house (“I own a weed whacker?”). This year, it also led to a new, nerve-racking game, “What Could These Keys Possibly Belong To?”
b2ap3_thumbnail_Close_up_key_management_encryption_contingency_infosec.jpgWhat does this key go to? Key management is the tricky part of encryption, though vital to keeping control over security.In a shelf in the basement, I found a ring with two keys of unknown origin. I shuffled around the house, garage and shed trying to match them up to every lock and door. Nothing. Keys without a lock … or a lock somewhere else without a key, put another way. Given my background in encryption and enterprise key management, my mind went to paranoid circumstances where I’d soon be locked out by a new lock in my own front door, or a situation where I’d go mad looking for buried treasure in my yard.
Key management is the really hard part of enterprise encryption. Encryption, in its own right, remains the most impenetrable data security option in your wider “defense in depth” approach. The best encryption also comes with sensible, easy key management. If you lock down data, you need to make sure you (and only you) can unlock it, too. In that same sense, you don’t want to start handing out crypto keys to the point where encryption is more rampant than useful. Too many keys can be just as damaging for you, your customers and your sensitive business documents.
We often share the story of one customer who came to us initially asking to “unlock” encryption from another vendor. Unfortunate for this German manufacturer, the other vendor’s encryption did not come with a “contingency” key (kind of like a master decrypt key for security administrators). So, when a rogue employee sent off docs he had encrypted, the manufacturer was without a matching decryption key to find out just what had left its company firewalls. Contingency key goes by a few terms – we’ve heard “private key escrow” with one big financial services client as well as controlled encryption; we’re all ears to what term makes sense for you. The important aspect of contingency key, however, is that your CISO, department head or info sec team has an emergency decrypt capability for the host of issues that can come up from unchecked encryption.
There are enough potential leaks and breaches coming at your business information every day. Make sure that the protection you employ doesn’t lock you out of the very data you’re securing

No comments:

Post a Comment