Perimeter
3/12/2010
03:44 PM
50%
50%

Tech Insight: The Keys To Cohesive Encryption In The Enterprise

Lack of standards for multivendor encryption makes key management a major challenge today

Encryption is a harbinger of good and bad vibes: The word carries with it a feeling of security for users because they think their data is now protected from cybercriminals. It also elicits a feeling of dread for IT because of the headaches caused by trying to securely and effectively handle enterprise key management. Either way, encryption and key management are regularly misunderstood -- and mismanaged -- technologies.

Given the importance of encryption for privacy and compliance purposes, why is it that enterprises have such a hard time implementing key management? The answer is a lack of cohesive standards across encryption products that allow them to be centrally managed with other vendors' solutions. For example, solutions providing backup tape encryption have key management built in, but they can't interface with the key management system used by the e-mail systems and vice versa.

Without having open standards that all of the encryption vendors embrace and develop to, it's going to be a while before we see truly effective, vendor-agnostic, enterprise key management tools that can simply be dropped into place to manage all of the diverse encryption solutions already deployed within enterprises.

There is hope, however. Standards efforts are currently under way by OASIS and IEEE, and solutions from vendors HP, EMC/RSA, and Thales work by managing keys and certificates through the integrated key management embedded within current encryption products.

Joining the fight to wrangle in management of encryption keys, PGP announced its new PGP Key Management Server just in time for the RSA Conference. The PGP Key Management Server boasts management for symmetric, asymmetric, and proprietary keys, key life cycle, policy enforcement, and reporting.

The last two features often end up as "gotchas" for enterprises. Keeping policies consistent across multivendor platforms is tough. Terminology is never quite the same, getting user access roles correct isn't always straightforward, and often the configuration options vary in granularity.

The policy management hurdle doesn't stop at creating a technical policy. A written policy must first be created that defines key lifetimes, who has access to manage keys, split key assignment across upper management, and similar issues. Once all of those decisions are made and on paper, the hard work of mapping them to technical controls begins.

Of course, as good as policies are, you still have to consider the human factor. This problem is highlighted frighteningly well in the recent "Human Factor in Laptop Encryption" study by the Ponemon Institute and Absolute Software, which found 60 percent of U.S. business managers have circumvented encryption on their laptops.

The Ponemon study contains several other interesting findings, but the numbers surrounding lost laptops are the most disappointing. Ninety-five percent of IT participants reported that a laptop had been lost or stolen in their organizations, which lead to a data breach 72 percent of the time. And in regard to reporting, only 44 percent were able to prove the contents were encrypted.

Next to policy enforcement, reporting is nearly as important. If you can't report whether policies are being properly applied, what's the point of pushing them out? Sure, having key management and showing policies are configured properly can get that compliance check box marked, but auditors are going to want to see some reporting to ensure policies are being enforced.

Detailed reporting also provides IT with the ability to see when users are attempting to circumvent controls like laptop encryption. Businesses also will benefit from having access to detailed reports on policy enforcement since several states have safe-harbor clauses in their data breach laws. Businesses in those states that can prove the lost laptop, smartphone, or other mobile device was encrypted do not have to perform data breach notifications.

The technical issues surrounding enterprise key management are plenty, and hopefully many of them will be resolved as OASIS and IEEE work to develop standards. Beyond standards, enterprise key management systems still need the ability to define consistent policies across multivendor platforms and report on the effectiveness of those policies.

When that happens, enterprises can finally look forward to an interoperable, heterogeneous environment instead of a patchwork of point solutions they're stuck with today.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-4231
Published: 2015-07-03
The Python interpreter in Cisco NX-OS 6.2(8a) on Nexus 7000 devices allows local users to bypass intended access restrictions and delete an arbitrary VDC's files by leveraging administrative privileges in one VDC, aka Bug ID CSCur08416.

CVE-2015-4232
Published: 2015-07-03
Cisco NX-OS 6.2(10) on Nexus and MDS 9000 devices allows local users to execute arbitrary OS commands by entering crafted tar parameters in the CLI, aka Bug ID CSCus44856.

CVE-2015-4234
Published: 2015-07-03
Cisco NX-OS 6.0(2) and 6.2(2) on Nexus devices has an improper OS configuration, which allows local users to obtain root access via unspecified input to the Python interpreter, aka Bug IDs CSCun02887, CSCur00115, and CSCur00127.

CVE-2015-4237
Published: 2015-07-03
The CLI parser in Cisco NX-OS 4.1(2)E1(1), 6.2(11b), 6.2(12), 7.2(0)ZZ(99.1), 7.2(0)ZZ(99.3), and 9.1(1)SV1(3.1.8) on Nexus devices allows local users to execute arbitrary OS commands via crafted characters in a filename, aka Bug IDs CSCuv08491, CSCuv08443, CSCuv08480, CSCuv08448, CSCuu99291, CSCuv0...

CVE-2015-4239
Published: 2015-07-03
Cisco Adaptive Security Appliance (ASA) Software 9.3(2.243) and 100.13(0.21) allows remote attackers to cause a denial of service (device reload) by sending crafted OSPFv2 packets on the local network, aka Bug ID CSCus84220.

Dark Reading Radio
Archived Dark Reading Radio
Marc Spitler, co-author of the Verizon DBIR will share some of the lesser-known but most intriguing tidbits from the massive report