Keys to Good Security
There is no magic bullet when it comes to key management. It is critical that organizations understand the risks, know where their exposures are and implement defense in depth to protect against possible compromise. Key management is a human problem as much as it is a technology problem. Take both into account as you deploy your encryption infrastructure.
Plan it well. Implementing key management is like building a house: If it is done correctly, all major problems should be identified during the design stage. Too many organizations rush their projects and identify problems after deployment or a compromise occurs.
Stress liability. If the keys are not properly protected and someone can gain access to the information, who is going to be liable when an improperly protected key results in identity theft or fraud? Consider having users sign an acceptance form, acknowledging their responsibility and liability.
Train your people. Don't underestimate this. Key management is not as user-transparent as some vendors may claim. In addition to stressing the risks and liabilities, and the need for establishing and protecting strong pass phrases, users often have to deal with technical issues, such as clearing their cache, since the key is held there unprotected in clear text. If you're thinking there is no way you'll get all your users to do things like this, you're beginning to appreciate some of the human difficulties. Software may do this for them, but it often has an option that says something like "Run with Optimal Performance," which may disable cache clearing.
Implement sound security policy. Policy needs to address every encryption key exposure point, such as the level and complexity of pass phrases and a prohibition on putting unprotected keys on portable drives.