This article can also be found in the Premium Editorial Download "Information Security magazine: How to tell if you need the help of security integrators and consultants."
The heart of the problem is that integrating and implementing key management takes more effort and energy than most organizations realize. These complexities and difficulties are why companies often steer clear of extensive use of data encryption.
Faulty key management renders encryption useless and is a prime reason organizations that say they are encrypting databases still get breached. It can also negate any exemption encryption gives you under breach disclosure laws. Even though California's SB 1386 requires organizations to report any disclosure of unencrypted data, improperly implemented encryption will put you back on the hook if the data may have been exposed.
The security of any encryption solution is based on the secrecy of the key, not the algorithm or cipher text. If the keys are not properly controlled, an attacker can acquire them.
The private encryption key is equivalent to your credit card, driver's license, Social Security number, and house and car keys all in one. If someone gets it, encryption is useless and they can get to the heart of your enterprise. The perennial problem is balancing functionality and security. An absolutely secure key is an inaccessible key, but if the key is built into database software so it can be used to decrypt database fields
The conundrum is managing keys as securely as possible to mitigate risk, while keeping them reasonably accessible so your employees, partners and customers can conduct business.
Let's examine the major elements of key management, the potential pitfalls and what you can do to make it work for your organization.
This was first published in June 2007