Tech Insight: The Keys To Cohesive Encryption In The Enterprise
Lack of standards for multivendor encryption makes key management a major challenge today
John Sawyer- Special To Dark Reading,
March 12, 2010
Encryption is a harbinger of good and bad vibes: The word carries with it a feeling of security for users because they think their data is now protected from cybercriminals. It also elicits a feeling of dread for IT because of the headaches caused by trying to securely and effectively handle enterprise key management. Either way, encryption and key management are regularly misunderstood -- and mismanaged -- technologies.
Given the importance of encryption for privacy and compliance purposes, why is it that enterprises have such a hard time implementing key management? The answer is a lack of cohesive standards across encryption products that allow them to be centrally managed with other vendors' solutions. For example, solutions providing backup tape encryption have key management built in, but they can't interface with the key management system used by the e-mail systems and vice versa.
Without having open standards that all of the encryption vendors embrace and develop to, it's going to be a while before we see truly effective, vendor-agnostic, enterprise key management tools that can simply be dropped into place to manage all of the diverse encryption solutions already deployed within enterprises.
There is hope, however. Standards efforts are currently under way by OASIS and IEEE, and solutions from vendors HP, EMC/RSA, and Thales work by managing keys and certificates through the integrated key management embedded within current encryption products.
Joining the fight to wrangle in management of encryption keys, PGP announced its new PGP Key Management Server just in time for the RSA Conference. The PGP Key Management Server boasts management for symmetric, asymmetric, and proprietary keys, key life cycle, policy enforcement, and reporting.
The last two features often end up as "gotchas" for enterprises. Keeping policies consistent across multivendor platforms is tough. Terminology is never quite the same, getting user access roles correct isn't always straightforward, and often the configuration options vary in granularity.
The policy management hurdle doesn't stop at creating a technical policy. A written policy must first be created that defines key lifetimes, who has access to manage keys, split key assignment across upper management, and similar issues. Once all of those decisions are made and on paper, the hard work of mapping them to technical controls begins.
Of course, as good as policies are, you still have to consider the human factor. This problem is highlighted frighteningly well in the recent "Human Factor in Laptop Encryption" study by the Ponemon Institute and Absolute Software, which found 60 percent of U.S. business managers have circumvented encryption on their laptops.
The Ponemon study contains several other interesting findings, but the numbers surrounding lost laptops are the most disappointing. Ninety-five percent of IT participants reported that a laptop had been lost or stolen in their organizations, which lead to a data breach 72 percent of the time. And in regard to reporting, only 44 percent were able to prove the contents were encrypted.
Next to policy enforcement, reporting is nearly as important. If you can't report whether policies are being properly applied, what's the point of pushing them out? Sure, having key management and showing policies are configured properly can get that compliance check box marked, but auditors are going to want to see some reporting to ensure policies are being enforced.
Detailed reporting also provides IT with the ability to see when users are attempting to circumvent controls like laptop encryption. Businesses also will benefit from having access to detailed reports on policy enforcement since several states have safe-harbor clauses in their data breach laws. Businesses in those states that can prove the lost laptop, smartphone, or other mobile device was encrypted do not have to perform data breach notifications.
The technical issues surrounding enterprise key management are plenty, and hopefully many of them will be resolved as OASIS and IEEE work to develop standards. Beyond standards, enterprise key management systems still need the ability to define consistent policies across multivendor platforms and report on the effectiveness of those policies.
When that happens, enterprises can finally look forward to an interoperable, heterogeneous environment instead of a patchwork of point solutions they're stuck with today.
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.