Deploying and Managing Encryption
Deploying and managing encryption
Despite the growing recognition of the benefits of encryption, there remains a general lack of understanding about deploying and, more importantly, managing it. Encryption itself is simple; it is just mathematics. The hard bit is controlling the keys-the secret codes that have the power to unlock the data.
Without good encryption key management, what was thought to be black or white may actually have many shades of grey. A recent survey found that organizations see key management as the biggest challenge in encryption.
As the use of encryption grows, companies need to be able to manage (or control) a growing number of encryption keys. This is crucial, not only to prevent keys from being lost or stolen, but also for important operational reasons such as on-demand recovery of encrypted data, automated updates and compliance reporting.
Once encrypted, information only becomes readable if the encryption key is available to unlock it. Consequently, the key becomes as valuable as the data it is protecting. This situation can be likened to the security of a home: locking the house significantly increases the security of its contents. However, if the key is then left under the mat, then the level of security is compromised. In the same way, while encryption is an effective first step in enhancing data security, encryption keys need to be stored and managed effectively in order to ensure the data's security.
Many companies have found themselves in a situation where they need to manage thousands (or even many millions) of keys as they deploy separate encryption and key management systems to protect different areas of their IT infrastructure such as laptops, storage systems and databases. This typically involves manual processes to generate, distribute, store, expire and refresh encryption keys. It very often results in increased operational costs, delays in meeting audit and compliance requirements, and increased risk of human error.
With new silos of encryption taking root across the organization, security officers and administrators are being forced to act and to formalize and institutionalize good key management practices. Finding the encryption keys is a lot easier than cracking the encryption and this is where much criminal activity is focused. With encryption effectively impossible to break, the key management system becomes a natural target for attack. Consequently, key management issues need to be at the core of every company's IT security infrastructure.