3/12/2010
03:44 PM

Tech Insight: The Keys To Cohesive Encryption In The Enterprise

Lack of standards for multivendor encryption makes key management a major challenge today

Encryption is a harbinger of good and bad vibes: The word carries with it a feeling of security for users because they think their data is now protected from cybercriminals. It also elicits a feeling of dread for IT because of the headaches caused by trying to securely and effectively handle enterprise key management. Either way, encryption and key management are regularly misunderstood -- and mismanaged -- technologies.

Given the importance of encryption for privacy and compliance purposes, why is it that enterprises have such a hard time implementing key management? The answer is a lack of cohesive standards across encryption products that allow them to be centrally managed with other vendors' solutions. For example, solutions providing backup tape encryption have key management built in, but they can't interface with the key management system used by the e-mail systems and vice versa.

Without having open standards that all of the encryption vendors embrace and develop to, it's going to be a while before we see truly effective, vendor-agnostic, enterprise key management tools that can simply be dropped into place to manage all of the diverse encryption solutions already deployed within enterprises.

There is hope, however. Standards efforts are currently under way by OASIS and IEEE, and solutions from vendors HP, EMC/RSA, and Thales work by managing keys and certificates through the integrated key management embedded within current encryption products.

Joining the fight to rein in management of encryption keys, PGP announced its new PGP Key Management Server just in time for the RSA Conference. The PGP Key Management Server boasts management for symmetric, asymmetric, and proprietary keys, key life cycle, policy enforcement, and reporting.

The last two features often end up as "gotchas" for enterprises. Keeping policies consistent across multivendor platforms is tough. Terminology is never quite the same, getting user access roles correct isn't always straightforward, and often the configuration options vary in granularity.

The policy management hurdle doesn't stop at creating a technical policy. A written policy must first be created that defines key lifetimes, who has access to manage keys, split key assignment across upper management, and similar issues. Once all of those decisions are made and on paper, the hard work of mapping them to technical controls begins.

Of course, as good as policies are, you still have to consider the human factor. This problem is highlighted frighteningly well in the recent "Human Factor in Laptop Encryption" study by the Ponemon Institute and Absolute Software, which found 60 percent of U.S. business managers have circumvented encryption on their laptops.

The Ponemon study contains several other interesting findings, but the numbers surrounding lost laptops are the most disappointing. Ninety-five percent of IT participants reported that a laptop had been lost or stolen in their organizations, which led to a data breach 72 percent of the time. And in regard to reporting, only 44 percent were able to prove the contents were encrypted.

Next to policy enforcement, reporting is nearly as important. If you can't report whether policies are being properly applied, what's the point of pushing them out? Sure, having key management and showing policies are configured properly can get that compliance check box marked, but auditors are going to want to see some reporting to ensure policies are being enforced.

Detailed reporting also provides IT with the ability to see when users are attempting to circumvent controls like laptop encryption. Businesses also will benefit from having access to detailed reports on policy enforcement since several states have safe-harbor clauses in their data breach laws. Businesses in those states that can prove the lost laptop, smartphone, or other mobile device was encrypted do not have to perform data breach notifications.

The technical issues surrounding enterprise key management are plenty, and hopefully many of them will be resolved as OASIS and IEEE work to develop standards. Beyond standards, enterprise key management systems still need the ability to define consistent policies across multivendor platforms and report on the effectiveness of those policies.
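To make concrete the two gaps the article keeps returning to (mapping a written policy onto products that use different terminology and granularity, and then reporting whether that policy is actually enforced), here is an added example that is not from the article, from PGP, or from any vendor named above. It normalizes two constructed key-inventory exports from hypothetical tape-backup and e-mail encryption products into one schema, checks every key against a written policy expressed as data (key lifetime, split-knowledge custodian count, approved management roles), and produces the kind of report an auditor would ask for. All product names, field names, key IDs, dates and policy values are invented for the example.

```python
"""Added example: normalize heterogeneous key exports and report policy compliance.

Not from the article or any vendor; every export format, field name and policy
value below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date

# The written policy, captured as data so it can be enforced and reported on.
# Values are constructed; a real policy document would supply them.
POLICY = {
    "max_key_age_days": 365,        # keys older than this must have been rotated
    "min_custodians": 2,            # split knowledge: at least two people hold shares
    "allowed_roles": {"key-admin", "security-officer"},  # roles allowed to manage keys
}

# Reporting date used by the stand-alone run (the article's publication date).
TODAY = date(2010, 3, 12)


@dataclass
class KeyRecord:
    """Common schema that every vendor export is mapped onto."""
    key_id: str
    source: str          # which product exported the record
    key_type: str        # "symmetric" or "asymmetric"
    created: date
    custodians: tuple    # people holding shares of the key
    manager_role: str    # role of the account permitted to manage the key


# Constructed export from a hypothetical tape-backup encryption product:
# ISO dates, custodians as a ';'-separated string.
TAPE_EXPORT = [
    {"kid": "tape-0001", "alg": "AES256", "born": "2009-01-15",
     "holders": "alice;bob", "role": "key-admin"},
    {"kid": "tape-0002", "alg": "AES256", "born": "2010-02-01",
     "holders": "alice", "role": "key-admin"},
]

# Constructed export from a hypothetical e-mail encryption product: different
# terminology, day/month/year dates, custodians as a list, role named differently.
MAIL_EXPORT = [
    {"keyName": "mail-smith", "keyClass": "RSA-2048", "issued": "15/02/2010",
     "owners": ["carol", "dave"], "adminGroup": "security-officer"},
    {"keyName": "mail-jones", "keyClass": "RSA-2048", "issued": "01/03/2008",
     "owners": ["erin", "frank"], "adminGroup": "mailops"},
]


def from_tape(row):
    """Map one tape-product row onto the common schema."""
    y, m, d = (int(p) for p in row["born"].split("-"))
    return KeyRecord(row["kid"], "tape", "symmetric", date(y, m, d),
                     tuple(row["holders"].split(";")), row["role"])


def from_mail(row):
    """Map one e-mail-product row onto the common schema."""
    d, m, y = (int(p) for p in row["issued"].split("/"))
    return KeyRecord(row["keyName"], "mail", "asymmetric", date(y, m, d),
                     tuple(row["owners"]), row["adminGroup"])


def normalize(tape_rows, mail_rows):
    """One inventory in one vocabulary, regardless of which product exported it."""
    return [from_tape(r) for r in tape_rows] + [from_mail(r) for r in mail_rows]


def check_key(rec, policy, today):
    """Return the list of policy violations for one key (empty means compliant)."""
    findings = []
    age = (today - rec.created).days
    if age > policy["max_key_age_days"]:
        findings.append(f"age {age}d exceeds {policy['max_key_age_days']}d; rotation overdue")
    if len(rec.custodians) < policy["min_custodians"]:
        findings.append(f"{len(rec.custodians)} custodian(s); split knowledge needs "
                        f"{policy['min_custodians']}")
    if rec.manager_role not in policy["allowed_roles"]:
        findings.append(f"manager role '{rec.manager_role}' is not an approved role")
    return findings


def compliance_report(records, policy, today):
    """Summarize enforcement: totals plus per-key findings for non-compliant keys."""
    per_key = {r.key_id: check_key(r, policy, today) for r in records}
    compliant = sum(1 for f in per_key.values() if not f)
    return {
        "total": len(records),
        "compliant": compliant,
        "percent_compliant": round(100.0 * compliant / len(records), 1) if records else 0.0,
        "findings": {k: f for k, f in per_key.items() if f},
    }


def example_report():
    """Run the check over the constructed exports as of TODAY."""
    return compliance_report(normalize(TAPE_EXPORT, MAIL_EXPORT), POLICY, TODAY)


if __name__ == "__main__":
    report = example_report()
    print(f"{report['compliant']}/{report['total']} keys compliant "
          f"({report['percent_compliant']}%)")
    for key_id, problems in report["findings"].items():
        for problem in problems:
            print(f"  {key_id}: {problem}")
```

The point of the design is that the policy lives in one place and the per-product adapters (`from_tape`, `from_mail`) absorb the terminology differences, so adding a third product means writing one more adapter rather than re-expressing the policy in that product's own vocabulary. The report separates the compliance count an auditor wants from the per-key findings IT needs to act on.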

When that happens, enterprises can finally look forward to an interoperable, heterogeneous environment instead of a patchwork of point solutions they're stuck with today.
