The protection of sensitive data is one of the most critical concerns for organizations and their customers. This, coupled with growing regulatory pressure, is forcing businesses to protect the integrity, privacy and security of critical information. As a result cryptography is emerging as the basis for enterprise data security and compliance, and is quickly becoming a security best practice in its own right. Cryptography, once seen as a specialized, esoteric discipline of information security, is finally coming of age.
No one would argue that cryptography and encryption are new technologies. It was true decades ago and it is still true today: encryption is the most reliable way to protect data from disclosure, provided the keys are protected too. National security agencies and major financial institutions have long protected their sensitive data with cryptography. Today the use of encryption is growing rapidly, being deployed across a much wider set of industry sectors and an increasing range of applications and platforms. Put simply, encryption has become one of the most widely adopted technologies in the IT security industry; the challenge now is to ensure that IT organizations are equipped to handle this shift and are laying the groundwork today to satisfy their future needs.
Last line of defense for personal data
As merchants and retailers take action to meet the Payment Card Industry Data Security Standard (PCI DSS), protecting cardholder data is first and foremost on their minds. The point was underlined by the Canadian privacy commissioners' investigation into the TJX breach, which found that inadequate encryption, among other failings, allowed the exposure of at least 45 million customers' credit and debit card records. The issue is not limited to card data, however. In September 2007, more than 800,000 people who had applied for jobs at the clothing retailer Gap Inc. were notified that a laptop containing personal information, including Social Security numbers, had been stolen, exposing the applicants to potential identity theft.
It is clear that protecting personal or private data is critical to the well-being of any company that stores or processes it. Encryption has become a last line of defense for data protection: once data is encrypted, if it is stolen or simply misplaced it is unreadable to anyone who does not hold the keys to decrypt it. That protection is only as strong as the secrecy of the keys themselves.
A recent independent survey conducted by industry analyst firm Aberdeen Group shows an increasing use of encryption and a growing need for centralized and automated key management.
The survey, “Encryption and Key Management”, co-sponsored by the encryption management vendor nCipher, found that Best-in-Class organizations (a category Aberdeen defines as those that have seen the most improvement in their IT security effectiveness over the past 12 months) reported a large increase over the previous year in the number of applications and locations deploying cryptography to protect sensitive data, and consequently in the number of encryption keys they have to manage.
Eighty-one percent of respondents had increased the number of applications using encryption, 50 percent had increased the number of locations implementing encryption, and 71 percent had increased the number of encryption keys under management, all compared with one year earlier.
So how are the growth of encryption and the need to manage its keys changing organizations' behaviour? To address the challenges of wider cryptographic deployment, Best-in-Class companies have shifted their thinking: they were 60 percent more likely than the industry average to take a strategic, enterprise-wide approach to encryption and key management, rather than the traditional tactical approach of addressing isolated points of risk within the infrastructure, such as the theft of laptops or back-up tapes.
To quantify this shift further, the survey reports significantly higher priorities and corresponding investments by the same Best-in-Class companies in specific encryption and key management technologies, alongside changes to organizational structure and process. It concludes that these pioneering organizations have already benefited by lowering the number of actual or potential exposures while reducing key management costs by an average of 34 percent.
Cryptography, embedded security by default
As Aberdeen and other independent analysts have noted, access to encryption technology is getting easier, it often comes along for free, and it has already made its way into a host of devices we use every day. Laptop computers, wireless access points, and even devices we do not think of as part of a typical IT infrastructure, such as vending machines, parking meters, gaming machines and electronic voting terminals, have encryption embedded. The same is true of business applications and data center hardware such as back-up tape drives and database software. This is steadily resolving one of the big challenges with encryption: how to upgrade existing systems to support it without penalizing performance or spending a fortune on custom development or “bolt-on” encryption products.
Don’t forget the keys
The widespread availability of encryption is good news, but without a clear way of managing its deployment a number of pitfalls remain. Organizations of all sizes and in all industries need to look seriously at the management of cryptographic keys, the secret values that lock and unlock the data. Unless organizations begin laying the groundwork today, this new age of encryption will present serious management challenges.
Encryption is a powerful tool, but getting it wrong, whether technically or operationally, can at best create a false sense of security and at worst leave your data scrambled forever.
Protecting data is important, but if a key is lost, access to all of the data encrypted under that key is lost with it. To put it bluntly, encryption without competent key management is electronic data shredding. Just as with house, office or car keys, great care must be taken to keep back-ups, and special thought needs to be given to who has access to them; a back-up copy of a key is another copy of the secret, so it must be protected and its use audited just as strictly as the original. Establishing a key management policy and creating an infrastructure to enforce it is therefore an important component of a successful enterprise security deployment.
Key management brings encryption under control
Key management cannot be an afterthought; it is the process by which encryption becomes an effective security and business tool. Key management is about bringing encryption processes under control, from both a security and a cost perspective. Keys must be created according to the correct process, backed up in case of disaster, delivered to the systems that need them on time and ideally automatically, kept under the control of the appropriate people and, finally, deleted at the end of their life-span. Beyond the logistics of handling keys securely (they are secrets, after all), it is also critical to set and enforce policies that define the use of keys: the who, when, where and why of data access.
Archiving, recovery and delivery of keys are all crucial parts of the equation. If a laptop breaks down or a back-up tape is stolen, the issue is not just one of security but also of business continuity. Information recovery takes on a whole new dimension, particularly in an emergency when the recovery is performed in a different location, by a different team, governed by different policies, on protected data that is years or even decades old. That only works if every key version is retained for as long as data encrypted under it exists, and if the protected data carries enough information to identify which key protects it. What used to be a data management problem is now also a serious key management problem.
Enterprise key management recommendations
Traditionally key management has been tied to specific applications, and so it quickly becomes fragmented and ad hoc as the number of applications grows. Scalability becomes an issue when organizations rely on manual processes for renewing certificates, rolling over keys, moving and replicating keys across multiple host machines, and removing keys as machines and storage media are retired, fail or are redeployed. This frequently results in escalating costs, particularly where security and auditability are high priorities.
In many situations the only way to deal adequately with these challenges is a dedicated, general-purpose key management system. Such a system acts as a centralized repository that stores keys on behalf of multiple applications or “end-points” and distributes them on demand. This provides a single place to define key management policy and to automate key life-cycle tasks, greatly reducing costs and easing time-critical tasks such as key recovery, key revocation and auditing. Important selection criteria include scalability and the range of end-points that can be managed, both in terms of target application and of host platform and operating system. Finally, because the key management system concentrates the organization's most valuable secrets in one place, its own security properties become decisive selection criteria: the protection of the key repository (typically by holding master keys in a hardware security module), tamper controls around the audit capabilities, and the fundamental integrity of the key management software.
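The life-cycle described under “Don’t forget the keys”, “Key management brings encryption under control” and the recommendations above (generation, wrapping and back-up under a master key, delivery only to authorized callers, rotation that retains old versions for recovery, retirement, and an audit trail) can be made concrete in a few dozen lines. The following is an added example written for this page; it is not code from the article, from Aberdeen or from nCipher. It assumes a hypothetical in-process KeyStore class whose access policy is a simple caller allow-list, a 4-byte key-ID header on every ciphertext, and a stand-in authenticated cipher built from HMAC-SHA256 (counter-mode PRF, encrypt-then-MAC) so that it runs on the Python standard library alone; a real deployment would use AES-GCM from a vetted library and keep the key-encryption key in a hardware security module. The card number in the demo is a constructed test value.

```python
import hashlib
import hmac
import secrets

def _subkeys(key):
    # Separate encryption and MAC keys derived from one 256-bit key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _keystream(key, nonce, n):
    # Counter-mode keystream with HMAC-SHA256 as the PRF (stand-in for AES).
    return b"".join(hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))[:n]

def seal(key, plaintext, aad):
    # Encrypt-then-MAC: nonce || ciphertext || tag, with aad authenticated.
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()

def unseal(key, blob, aad):
    # Verify the tag in constant time before decrypting anything.
    if len(blob) < 48:
        raise ValueError("ciphertext too short")
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

class KeyStore:
    """Hypothetical central repository: data keys (DEKs) are held only wrapped
    under the key-encryption key (KEK), and every use or denial is audited."""

    def __init__(self, kek, allowed, wrapped=None):
        self._kek, self._allowed, self.audit = kek, set(allowed), []
        if wrapped:                                   # restore from an archive
            self._keys = {k: dict(v) for k, v in wrapped.items()}
            self.current = max(self._keys)
        else:
            self._keys, self.current = {}, 0
            self.rotate()

    def rotate(self):
        # New DEK becomes current; old versions stay so old data is recoverable.
        key_id = self.current + 1
        wrapped = seal(self._kek, secrets.token_bytes(32), key_id.to_bytes(4, "big"))
        self._keys[key_id] = {"wrapped": wrapped, "retired": False}
        self.current = key_id
        self.audit.append(f"rotate key={key_id}")
        return key_id

    def retire(self, key_id):
        # End of life: kept in the archive but refused for any further use.
        if key_id == self.current:
            raise ValueError("rotate before retiring the current key")
        self._keys[key_id]["retired"] = True
        self.audit.append(f"retire key={key_id}")

    def backup(self):
        # Wrapped keys are safe to copy off-site; they are useless without the KEK.
        return {k: dict(v) for k, v in self._keys.items()}

    def _unwrap(self, key_id, caller):
        rec = self._keys.get(key_id)
        if caller not in self._allowed or rec is None or rec["retired"]:
            self.audit.append(f"deny key={key_id} caller={caller}")
            raise PermissionError(f"key {key_id} not available to {caller}")
        self.audit.append(f"use key={key_id} caller={caller}")
        return unseal(self._kek, rec["wrapped"], key_id.to_bytes(4, "big"))

    def encrypt(self, plaintext, caller):
        # Ciphertext starts with the 4-byte key ID so decryption finds the version.
        header = self.current.to_bytes(4, "big")
        return header + seal(self._unwrap(self.current, caller), plaintext, header)

    def decrypt(self, blob, caller):
        key_id = int.from_bytes(blob[:4], "big")
        return unseal(self._unwrap(key_id, caller), blob[4:], blob[:4])

def demo():
    # Walk the life-cycle with a constructed sample record.
    kek = secrets.token_bytes(32)                      # production: held in an HSM
    store = KeyStore(kek, allowed={"billing"})
    record = store.encrypt(b"4111 1111 1111 1111", caller="billing")
    store.rotate()                                     # key 2 is now current
    after_rotation = store.decrypt(record, caller="billing")   # key 1 still served
    replica = KeyStore(kek, allowed={"billing"}, wrapped=store.backup())  # DR site
    recovered = replica.decrypt(record, caller="billing")
    store.retire(1)
    try:
        store.decrypt(record, caller="billing")
        refused = False
    except PermissionError:
        refused = True
    return after_rotation, recovered, refused, store.audit
```

Two design points carry the argument of the sections above: the key ID travels with the ciphertext as authenticated data, so the store can serve the right version of a key for data encrypted before any number of rotations, and retirement is a state change in the store rather than a deletion, which is what makes frequent rotation safe instead of turning it into data shredding. The wrapped archive returned by backup() is what a second site needs for recovery, together with the KEK, which is why the KEK deserves the strongest protection the organization has.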
At the end of the day we need to protect our data. Increasingly, encryption is seen as the best way to ensure that data is protected, but its ever-growing use creates a management challenge. That challenge need not be daunting. Implementing a flexible, extensible solution that automates the time-consuming and error-prone key management tasks on an enterprise-wide basis is rapidly becoming a priority for many organizations. For enterprise-wide encryption to be deployed correctly, organizations need the right tools to manage the keys. In the same way that data protection has moved from an IT challenge to a C-level issue, key management has become a high-level business imperative.