Encryption key management blunders can render deployments useless

Information Security Magazine

If you plan on implementing PKI, take the following lesson learned the hard way from those who have gone before: Triple your proposed budget and double the implementation schedule.

The heart of the problem is that integrating and implementing key management takes more effort and energy than most organizations realize. These complexities and difficulties are why companies often steer clear of extensive use of data encryption.

Faulty key management renders encryption useless and is a prime reason organizations that say they are encrypting databases still get breached. It can also negate any exemption encryption gives you under breach disclosure laws. Even though California's SB 1386 requires organizations to report any disclosure of unencrypted data, improperly implemented encryption will put you back on the hook if the data may have been exposed.

The security of any encryption solution rests on the secrecy of the key, not on the algorithm or the ciphertext. If the keys are not properly controlled, an attacker can acquire them.

The private encryption key is equivalent to your credit card, driver's license, Social Security number, and house and car keys all in one. If someone gets it, encryption is useless and they can get to the heart of your enterprise. The perennial problem is balancing functionality and security. An absolutely secure key is an inaccessible key, but if the key is built into database software so it can be used to decrypt database fields automatically on the fly, it's also accessible to an attacker; compare it to leaving your house key under the front door mat. This is the main reason many databases are not encrypted.

The conundrum is managing keys as securely as possible to mitigate risk, while keeping them reasonably accessible so your employees, partners and customers can conduct business.
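The "key under the mat" trade-off above, as an added example that is not from the article (Python, standard library only): a database host is modelled as a dict of files, deployed once with the data key built into its config and once with only a data key wrapped by a separate key service, which goes one step beyond the text by showing the key-wrapping arrangement the conundrum points toward. The `KeyService` is hypothetical, the HMAC-based stream cipher is a toy stand-in for a real cipher, and the sample row is constructed.

```python
import hmac
import secrets

def keystream_xor(key, nonce, data):
    """Toy counter-mode stream cipher from HMAC-SHA256 (illustration only, no
    integrity protection); the example is about key placement, not cipher choice."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(4, "big"), "sha256").digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)

class KeyService:
    """Hypothetical separate key store (HSM/KMS) holding the key-encryption key;
    it only ever exposes wrap/unwrap, never the KEK itself."""
    def __init__(self):
        self._kek = secrets.token_bytes(32)

    def wrap(self, dek):
        nonce = secrets.token_bytes(12)
        return nonce + keystream_xor(self._kek, nonce, dek)

    def unwrap(self, blob):
        return keystream_xor(self._kek, blob[:12], blob[12:])

def deploy(plaintext, kms=None):
    """Encrypt a table onto a database host, modelled as a dict of files readable by
    anyone who compromises the server. kms=None builds the data key into the database
    config (the key under the mat); with a KeyService only the wrapped key is stored."""
    host, dek, nonce = {}, secrets.token_bytes(32), secrets.token_bytes(12)
    host["db/table.enc"] = nonce + keystream_xor(dek, nonce, plaintext)
    if kms is None:
        host["db/config.ini"] = dek                  # raw key beside the ciphertext
    else:
        host["db/wrapped_dek.bin"] = kms.wrap(dek)
    return host

def exposed_by_host_compromise(host):
    """Risk check: what does read access to the host's files alone yield?"""
    raw_key = host.get("db/config.ini")
    if raw_key is None:
        return None                                  # wrapped DEK is opaque without the KMS
    blob = host["db/table.enc"]
    return keystream_xor(raw_key, blob[:12], blob[12:])

def application_read(host, kms):
    """Legitimate path: the application asks the key service to unwrap the DEK."""
    dek = kms.unwrap(host["db/wrapped_dek.bin"])
    blob = host["db/table.enc"]
    return keystream_xor(dek, blob[:12], blob[12:])
```

The separate key service narrows the exposure rather than removing it: the application that legitimately unwraps the data key still holds it in memory while it runs, which is exactly the accessibility the conundrum describes.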

Let's examine the major elements of key management, the potential pitfalls and what you can do to make it work for your organization.

This was first published in June 2007