Deploying and Managing Encryption

By Paul Meadowcroft  |  Posted 2010-01-13

Despite the growing recognition of the benefits of encryption, there remains a general lack of understanding about deploying and, more importantly, managing it. Encryption itself is simple; it is just mathematics. The hard bit is controlling the keys: the secret codes that have the power to unlock the data.

Without good encryption key management, what was thought to be black or white may actually have many shades of grey. A recent survey found that organizations see key management as the biggest challenge in encryption.

As the use of encryption grows, companies need to be able to manage (or control) a growing number of encryption keys. This is crucial, not only to prevent keys from being lost or stolen, but also for important operational reasons such as on-demand recovery of encrypted data, automated updates and compliance reporting.

Once encrypted, information only becomes readable if the encryption key is available to unlock it. Consequently, the key becomes as valuable as the data it is protecting. This situation can be likened to the security of a home: locking the house significantly increases the security of its contents. However, if the key is left under the mat, the level of security is compromised. In the same way, while encryption is an effective first step in enhancing data security, encryption keys need to be stored and managed effectively in order to ensure the data's security.

Many companies have found themselves in a situation where they need to manage thousands (or even many millions) of keys as they deploy separate encryption and key management systems to protect different areas of their IT infrastructure such as laptops, storage systems and databases. This typically involves manual processes to generate, distribute, store, expire and refresh encryption keys. It very often results in increased operational costs, delays in meeting audit and compliance requirements, and increased risk of human error.

With new silos of encryption taking root across the organization, security officers and administrators are being forced to act and to formalize and institutionalize good key management practices. Finding the encryption keys is a lot easier than cracking the encryption, and this is where much criminal activity is focused. With encryption effectively impossible to break, the key management system becomes a natural target for attack. Consequently, key management issues need to be at the core of every company's IT security infrastructure.

Paul Meadowcroft is Enterprise and Government Business Unit Director for the Information Systems security activities at Thales. Paul has more than 15 years' experience in information security. Paul is an expert on a wide range of information security topics, including the use of cryptography, key management, public key infrastructures and payment systems. He can be reached at
