Encryption key management blunders can render deployments useless


This article can also be found in the Premium Editorial Download "Information Security magazine: How to tell if you need the help of security integrators and consultants."


Keys to Good Security
There is no magic bullet when it comes to key management. It is critical that organizations understand the risks, know where their exposures are and implement defense in depth to protect against possible compromise. Key management is a human problem as much as it is a technology problem. Take both into account as you deploy your encryption infrastructure.

Plan it well. Implementing key management is like building a house: If it is done correctly, all major problems should be identified during the design stage. Too many organizations rush their projects and identify problems only after deployment or after a compromise occurs.

Stress liability. If the keys are not properly protected and someone can gain access to the information, who is going to be liable when an improperly protected key results in identity theft or fraud? Consider having users sign an acceptance form, acknowledging their responsibility and liability.

Train your people. Don't underestimate this. Key management is not as user-transparent as some vendors may claim. In addition to stressing the risks and liabilities, and the need for establishing and protecting strong pass phrases, users often have to deal with technical issues, such as clearing their cache, since the key is unprotected in clear text. If you're thinking there is no way you'll get all your users to do things like this, you're beginning to appreciate some of the human difficulties. Software may do this, but it often has an option that says something like "Run with Optimal Performance," which may disable cache clearing.

Implement sound security policy. All encryption key exposure points need to be stated as policy, such as the level and complexity of pass phrases and prohibiting putting unprotected keys on portable drives.

This was first published in June 2007
