We're considering implementing a new cryptographic system, but we are concerned with how it fits in with legal...
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
and regulatory compliance. Can you advise?
Ask the Expert!
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)
First, consider the new system in terms of cryptographic strength, and only then look at issues of regulatory compliance. Generally speaking, you'll find that if you make a technically sound choice, you'll be fine when it comes to regulatory issues.
So, what should you look for when selecting a cryptographic system? Here are a few basic guidelines:
- Choose technology based upon a well-known algorithm. "Security through obscurity" is something to avoid when it comes to cryptography. Consider it a huge red flag if a vendor says they can't share the details of a proprietary algorithm because it would jeopardize their security. Any cryptographic algorithm that is truly secure doesn't need to be kept secret, since the security of the algorithm rests in the secrecy of the key.
- Use a reliable vendor. Along those same lines, choose a vendor that you're confident has strong software development practices and a good security track record. An improperly implemented cryptographic algorithm could undermine the security of the entire system.
- Practice good key management. Choose a system that allows you to change the cryptographic keys periodically and provides strong key escrow mechanisms to recover keys that are lost. Systems that embed keys in the code are dangerous because you don't have the ability to change them if they are compromised, and there is a strong likelihood that the same key is shared among multiple vendors.
As I mentioned, following these best practices will help you choose an algorithm that will serve you well. You'll then want to look at the legal and regulatory compliance requirements you operate under and ensure that you meet the specific obligations, such as encryption key length, algorithm choice and key management.
Related Q&A from Mike Chapple
Web application firewalls may be a way to better security, but organizations need to be aware of the compliance implications of WAFs.continue reading
An SEC report shows over three-quarters of financial institutions were subject to at least one cybersecurity attack. Expert Mike Chapple looks at ...continue reading
The Data Accountability and Trust Act is likely to become a law this year. Expert Mike Chapple advises organizations on how to prepare.continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.