Perimeter
3/12/2010
03:44 PM
Connect Directly
RSS
E-Mail
50%
50%

Tech Insight: The Keys To Cohesive Encryption In The Enterprise

Lack of standards for multivendor encryption makes key management a major challenge today

Encryption is a harbinger of good and bad vibes: The word carries with it a feeling of security for users because they think their data is now protected from cybercriminals. It also elicits a feeling of dread for IT because of the headaches caused by trying to securely and effectively handle enterprise key management. Either way, encryption and key management are regularly misunderstood -- and mismanaged -- technologies.

Given the importance of encryption for privacy and compliance purposes, why is it that enterprises have such a hard time implementing key management? The answer is a lack of cohesive standards across encryption products that allow them to be centrally managed with other vendors' solutions. For example, solutions providing backup tape encryption have key management built in, but they can't interface with the key management system used by the e-mail systems and vice versa.

Without having open standards that all of the encryption vendors embrace and develop to, it's going to be a while before we see truly effective, vendor-agnostic, enterprise key management tools that can simply be dropped into place to manage all of the diverse encryption solutions already deployed within enterprises.

There is hope, however. Standards efforts are currently under way by OASIS and IEEE, and solutions from vendors HP, EMC/RSA, and Thales work by managing keys and certificates through the integrated key management embedded within current encryption products.

Joining the fight to wrangle in management of encryption keys, PGP announced its new PGP Key Management Server just in time for the RSA Conference. The PGP Key Management Server boasts management for symmetric, asymmetric, and proprietary keys, key life cycle, policy enforcement, and reporting.

The last two features often end up as "gotchas" for enterprises. Keeping policies consistent across multivendor platforms is tough. Terminology is never quite the same, getting user access roles correct isn't always straightforward, and often the configuration options vary in granularity.

The policy management hurdle doesn't stop at creating a technical policy. A written policy must first be created that defines key lifetimes, who has access to manage keys, split key assignment across upper management, and similar issues. Once all of those decisions are made and on paper, the hard work of mapping them to technical controls begins.

Of course, as good as policies are, you still have to consider the human factor. This problem is highlighted frighteningly well in the recent "Human Factor in Laptop Encryption" study by the Ponemon Institute and Absolute Software, which found 60 percent of U.S. business managers have circumvented encryption on their laptops.

The Ponemon study contains several other interesting findings, but the numbers surrounding lost laptops are the most disappointing. Ninety-five percent of IT participants reported that a laptop had been lost or stolen in their organizations, which lead to a data breach 72 percent of the time. And in regard to reporting, only 44 percent were able to prove the contents were encrypted.

Next to policy enforcement, reporting is nearly as important. If you can't report whether policies are being properly applied, what's the point of pushing them out? Sure, having key management and showing policies are configured properly can get that compliance check box marked, but auditors are going to want to see some reporting to ensure policies are being enforced.

Detailed reporting also provides IT with the ability to see when users are attempting to circumvent controls like laptop encryption. Businesses also will benefit from having access to detailed reports on policy enforcement since several states have safe-harbor clauses in their data breach laws. Businesses in those states that can prove the lost laptop, smartphone, or other mobile device was encrypted do not have to perform data breach notifications.

The technical issues surrounding enterprise key management are plenty, and hopefully many of them will be resolved as OASIS and IEEE work to develop standards. Beyond standards, enterprise key management systems still need the ability to define consistent policies across multivendor platforms and report on the effectiveness of those policies.

When that happens, enterprises can finally look forward to an interoperable, heterogeneous environment instead of a patchwork of point solutions they're stuck with today.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-3304
Published: 2014-10-30
Directory traversal vulnerability in Dell EqualLogic PS4000 with firmware 6.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the default URI.

CVE-2013-7409
Published: 2014-10-30
Buffer overflow in ALLPlayer 5.6.2 through 5.8.1 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long string in a .m3u (playlist) file.

CVE-2014-3446
Published: 2014-10-30
SQL injection vulnerability in wcm/system/pages/admin/getnode.aspx in BSS Continuity CMS 4.2.22640.0 allows remote attackers to execute arbitrary SQL commands via the nodeid parameter.

CVE-2014-3584
Published: 2014-10-30
The SamlHeaderInHandler in Apache CXF before 2.6.11, 2.7.x before 2.7.8, and 3.0.x before 3.0.1 allows remote attackers to cause a denial of service (infinite loop) via a crafted SAML token in the authorization header of a request to a JAX-RS service.

CVE-2014-3623
Published: 2014-10-30
Apache WSS4J before 1.6.17 and 2.x before 2.0.2, as used in Apache CXF 2.7.x before 2.7.13 and 3.0.x before 3.0.2, when using TransportBinding, does properly enforce the SAML SubjectConfirmation method security semantics, which allows remote attackers to conduct spoofing attacks via unspecified vect...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.