Perimeter
3/12/2010
03:44 PM
50%
50%

Tech Insight: The Keys To Cohesive Encryption In The Enterprise

Lack of standards for multivendor encryption makes key management a major challenge today

Encryption is a harbinger of good and bad vibes: The word carries with it a feeling of security for users because they think their data is now protected from cybercriminals. It also elicits a feeling of dread for IT because of the headaches caused by trying to securely and effectively handle enterprise key management. Either way, encryption and key management are regularly misunderstood -- and mismanaged -- technologies.

Given the importance of encryption for privacy and compliance purposes, why is it that enterprises have such a hard time implementing key management? The answer is a lack of cohesive standards across encryption products that allow them to be centrally managed with other vendors' solutions. For example, solutions providing backup tape encryption have key management built in, but they can't interface with the key management system used by the e-mail systems and vice versa.

Without having open standards that all of the encryption vendors embrace and develop to, it's going to be a while before we see truly effective, vendor-agnostic, enterprise key management tools that can simply be dropped into place to manage all of the diverse encryption solutions already deployed within enterprises.

There is hope, however. Standards efforts are currently under way by OASIS and IEEE, and solutions from vendors HP, EMC/RSA, and Thales work by managing keys and certificates through the integrated key management embedded within current encryption products.

Joining the fight to wrangle in management of encryption keys, PGP announced its new PGP Key Management Server just in time for the RSA Conference. The PGP Key Management Server boasts management for symmetric, asymmetric, and proprietary keys, key life cycle, policy enforcement, and reporting.

The last two features often end up as "gotchas" for enterprises. Keeping policies consistent across multivendor platforms is tough. Terminology is never quite the same, getting user access roles correct isn't always straightforward, and often the configuration options vary in granularity.

The policy management hurdle doesn't stop at creating a technical policy. A written policy must first be created that defines key lifetimes, who has access to manage keys, split key assignment across upper management, and similar issues. Once all of those decisions are made and on paper, the hard work of mapping them to technical controls begins.

Of course, as good as policies are, you still have to consider the human factor. This problem is highlighted frighteningly well in the recent "Human Factor in Laptop Encryption" study by the Ponemon Institute and Absolute Software, which found 60 percent of U.S. business managers have circumvented encryption on their laptops.

The Ponemon study contains several other interesting findings, but the numbers surrounding lost laptops are the most disappointing. Ninety-five percent of IT participants reported that a laptop had been lost or stolen in their organizations, which lead to a data breach 72 percent of the time. And in regard to reporting, only 44 percent were able to prove the contents were encrypted.

Next to policy enforcement, reporting is nearly as important. If you can't report whether policies are being properly applied, what's the point of pushing them out? Sure, having key management and showing policies are configured properly can get that compliance check box marked, but auditors are going to want to see some reporting to ensure policies are being enforced.

Detailed reporting also provides IT with the ability to see when users are attempting to circumvent controls like laptop encryption. Businesses also will benefit from having access to detailed reports on policy enforcement since several states have safe-harbor clauses in their data breach laws. Businesses in those states that can prove the lost laptop, smartphone, or other mobile device was encrypted do not have to perform data breach notifications.

The technical issues surrounding enterprise key management are plenty, and hopefully many of them will be resolved as OASIS and IEEE work to develop standards. Beyond standards, enterprise key management systems still need the ability to define consistent policies across multivendor platforms and report on the effectiveness of those policies.

When that happens, enterprises can finally look forward to an interoperable, heterogeneous environment instead of a patchwork of point solutions they're stuck with today.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Experienced reindeers wanted
Current Issue
Five Things Every Business Executive Should Know About Cybersecurity
Don't get lost in security's technical minutiae - a clearer picture of what's at stake can help align business imperatives with technology execution.
Flash Poll
Dark Reading Strategic Security Report: The Impact of Enterprise Data Breaches
Dark Reading Strategic Security Report: The Impact of Enterprise Data Breaches
Social engineering, ransomware, and other sophisticated exploits are leading to new IT security compromises every day. Dark Reading's 2016 Strategic Security Survey polled 300 IT and security professionals to get information on breach incidents, the fallout they caused, and how recent events are shaping preparations for inevitable attacks in the coming year. Download this report to get a look at data from the survey and to find out what a breach might mean for your organization.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
Security researchers are finding that there's a growing market for the vulnerabilities they discover and persistent conundrum as to the right way to disclose them. Dark Reading editors will speak to experts -- Veracode CTO and co-founder Chris Wysopal and HackerOne co-founder and CTO Alex Rice -- about bug bounties and the expanding market for zero-day security vulnerabilities.