Feature

Encryption key management blunders can render deployments useless

This article can also be found in the Premium Editorial Download "Information Security magazine: How to tell if you need the help of security integrators and consultants."

If you plan on implementing PKI, take the following lesson learned the hard way from those who have gone before: Triple your proposed budget and double the implementation schedule.

The heart of the problem is that integrating and implementing key management takes far more effort than most organizations expect. That complexity is the main reason companies steer clear of extensive data encryption.

Faulty key management renders encryption useless and is a prime reason organizations that say they are encrypting databases still get breached. It can also negate the safe harbor encryption gives you under breach disclosure laws. California's SB 1386 requires organizations to report any disclosure of unencrypted personal data; if your encryption is improperly implemented (for example, the keys were exposed along with the data), you are back on the hook as if the data had never been encrypted.

The security of any encryption solution rests on the secrecy of the key, not of the algorithm or the ciphertext (Kerckhoffs's principle). If the keys are not properly controlled, an attacker can acquire them, and the strength of the cipher no longer matters.

The private key is the equivalent of your credit card, driver's license, Social Security number, and house and car keys rolled into one. If someone gets it, encryption is useless and they can get to the heart of your enterprise. The perennial problem is balancing functionality and security. An absolutely secure key is an inaccessible key, but if the key is built into the database software so that fields can be decrypted automatically on the fly, it is equally accessible to an attacker who compromises that software or copies its files: compare it to leaving your house key under the front door mat. This is the main reason many databases are not encrypted.
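One way to take the key out from under the mat is envelope encryption: the database stores each record's ciphertext and a data-encryption key (DEK) that is itself encrypted under a key-encryption key (KEK), and the KEK lives only in a separate key-management service or HSM. The following is an added illustration, not code from the article or from any product it discusses. The names (KeyManagementService, store_key_under_the_mat, store_enveloped, attacker_with_db_dump) and the sample rows are hypothetical, and an HMAC-SHA256 encrypt-then-MAC construction stands in for AES-GCM so the script runs on the standard library alone. It contrasts the weak design (DEK stored in the database's own config) with the enveloped design, then plays the attacker who has copied the database and nothing else.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16   # random nonce prepended to each ciphertext
TAG_LEN = 32     # HMAC-SHA256 tag appended to each ciphertext
BLOCK = 32       # one SHA-256 output per keystream block

# Constructed sample rows (hypothetical PII) for the demonstration.
SAMPLE_RECORDS = {
    "ssn:1001": b"123-45-6789",
    "card:1001": b"4111 1111 1111 1111",
}


def _subkeys(key: bytes):
    # Domain-separate one key into an encryption key and a MAC key.
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter mode over HMAC-SHA256 as the PRF; a stand-in for AES-CTR.
    blocks = (length + BLOCK - 1) // BLOCK
    return b"".join(
        hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        for i in range(blocks)
    )[:length]


def aead_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC: nonce || ciphertext || tag. Use AES-GCM in production.
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def aead_decrypt(key: bytes, blob: bytes) -> bytes:
    # Verify the tag first; a wrong key or tampered ciphertext raises ValueError.
    enc_key, mac_key = _subkeys(key)
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered ciphertext")
    return bytes(c ^ s for c, s in zip(ct, _keystream(enc_key, nonce, len(ct))))


class KeyManagementService:
    """Hypothetical stand-in for an HSM or KMS: the KEK is generated inside and
    never returned; callers may only ask it to wrap or unwrap a DEK."""

    def __init__(self):
        self._kek = secrets.token_bytes(32)

    def wrap(self, dek: bytes) -> bytes:
        return aead_encrypt(self._kek, dek)

    def unwrap(self, wrapped_dek: bytes) -> bytes:
        return aead_decrypt(self._kek, wrapped_dek)


def store_key_under_the_mat(records: dict) -> dict:
    # Weak design: the DEK sits in the database config beside the rows it protects.
    dek = secrets.token_bytes(32)
    return {"config": {"dek": dek},
            "rows": {k: aead_encrypt(dek, v) for k, v in records.items()}}


def store_enveloped(kms: KeyManagementService, records: dict) -> dict:
    # Hardened design: the database holds only the wrapped DEK; the KEK stays in the KMS.
    dek = secrets.token_bytes(32)
    return {"config": {"wrapped_dek": kms.wrap(dek)},
            "rows": {k: aead_encrypt(dek, v) for k, v in records.items()}}


def attacker_with_db_dump(db: dict) -> dict:
    # Attacker holding a copy of the database and nothing else: the only key
    # material in reach is whatever the config contains, so try it on every row.
    cfg = db["config"]
    candidate = cfg.get("dek") or cfg["wrapped_dek"][:32]   # wrapped bytes are not a key
    recovered = {}
    for name, blob in db["rows"].items():
        try:
            recovered[name] = aead_decrypt(candidate, blob)
        except ValueError:
            pass
    return recovered


def authorized_read(kms: KeyManagementService, db: dict, name: str) -> bytes:
    # Application path: ask the KMS to unwrap the DEK, then decrypt one row.
    dek = kms.unwrap(db["config"]["wrapped_dek"])
    return aead_decrypt(dek, db["rows"][name])


if __name__ == "__main__":
    print("key under the mat:", attacker_with_db_dump(store_key_under_the_mat(SAMPLE_RECORDS)))
    kms = KeyManagementService()
    db = store_enveloped(kms, SAMPLE_RECORDS)
    print("enveloped, attacker sees:", attacker_with_db_dump(db))
    print("enveloped, application reads:", authorized_read(kms, db, "ssn:1001"))
```

With the key under the mat, the database dump alone yields every plaintext row; with the enveloped layout the same dump yields nothing, and only the application path through the KMS can read a record. The split also shows where the operational cost of key management comes from: the KMS must be available whenever the application needs to decrypt, must itself be backed up and access-controlled, and its logs are where you look when you need to prove to a regulator that the keys were never exposed.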

The conundrum is managing keys as securely as possible to mitigate risk, while keeping them reasonably accessible so your employees, partners and customers can conduct business.

Let's examine the major elements of key management, the potential pitfalls and what you can do to make it work for your organization.

This was first published in June 2007
