Lock up Your Data – But Don’t Throw Away the Keys

By Vince Lee, Regional Manager, Australia/New Zealand for SafeNet

It’s great to see, with the rise of cloud computing, that de-perimeterisation is starting to get a lot more airplay in information security forums like CSO.com.au [see: The differences between cloud security and data centre security by Matt Tett].

Trying to keep the bad guys out was always considered the first protection layer. However, almost all of the security breaches we read about every day happen in spite of perimeter security. With the evolving threat landscape, where a large number of organisations have suffered from Advanced Persistent Threats, the need for multiple layers of protection has become mandatory.

Of course, the best way to protect sensitive data is to encrypt it. Cryptography isn’t anything new – encrypted messages have been used in wartime since Ancient Greece – and it’s a great way to make sensitive data useless to attackers. Recently Forrester analyst John Kindervag published a new report called “Kill the Data” which predicts that, “In the future, you will encrypt data – both in motion and at rest – by default. This data-centric approach to security is a much more effective way to keep up with determined cybercriminals. By encrypting, and thereby devaluing, your sensitive data, you can make cybercriminals bypass your networks and look for less robustly protected targets”.

But encryption kills the data for legitimate users as well. The issue organisations have had to face is: What happens if the encryption keys get lost? Do you lose your data? Overall, it has been much easier to ignore the whole thing and focus on perimeter security like access controls and Data Loss Prevention (DLP) to prevent the bad guys from getting in and stealing your data.

As most organisations care about data availability as much as they care about data security, encryption has been considered hard to deploy, and has usually been used only by organisations with highly sensitive data or when mandated by regulation – typically financial services, military and defence organisations and government agencies. But recent attacks and the de-perimeterisation inherent in cloud-based infrastructure and applications now force all of us to implement better security than perimeter control – and that means encryption.

Unfortunately, with very few exceptions, managing encryption keys is not a central part of organisations’ information security infrastructures. The way most organisations have set up encryption is in silos that are each managed in isolation. You have disk encryption, database encryption, and application encryption, but nothing is coordinated.

If the threats from data breaches are dangerous, the implications of bad encryption management could be even worse. As Vic Wheatman, Vice President, Gartner Research says: “As the use of encryption grows and various solutions are deployed, key management becomes exponentially critical and complex. Mismanagement of keys can expose an organisation to unnecessary risk.”

So, how do you connect all those silos of encryption and gain control over your keys? Well, yes, there are comprehensive enterprise key management solutions that keep track of which keys go with which data, ensure keys are rotated and backed up, and encrypt and decrypt data across the organisation without impacting performance.

But even before you get to that stage there is one thing you should do right now as the first step in building a scalable key management infrastructure. And the key to that is using standard protocols. The next time your organisation adds a new system that uses cryptography – such as a secure storage solution – make sure it supports KMIP.

KMIP, the Key Management Interoperability Protocol, was developed by the Organization for the Advancement of Structured Information Standards (OASIS), a non-profit consortium. If a system is KMIP-compliant, then you will be in a position to manage it centrally, according to a single set of policies, and maintain operational efficiency as you scale your use of encryption technology.

The alternative is introducing yet another key management silo which – if it hasn’t already reached that point – will bring more pain than gain in the not too distant future.
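As an added illustration of what “supports KMIP” means on the wire (example code written for this page, not code from the article, SafeNet or OASIS): the client side of a KMIP Create request asking a key server to generate an AES key, encoded in the protocol’s TTLV (tag, type, length, value) format, alongside the decoder a server would apply to it. Tag numbers and enumeration values are those of the OASIS KMIP 1.x specification; the request is constructed in memory and never sent anywhere.

```python
import struct
# Item types and tag values from the OASIS KMIP 1.x specification (TTLV encoding).
STRUCT, INT, ENUM, TEXT = 0x01, 0x02, 0x05, 0x07
TAG = {"RequestMessage": 0x420078, "RequestHeader": 0x420077, "ProtocolVersion": 0x420069,
       "ProtocolVersionMajor": 0x42006A, "ProtocolVersionMinor": 0x42006B, "BatchCount": 0x42000D,
       "BatchItem": 0x42000F, "Operation": 0x42005C, "RequestPayload": 0x420079,
       "ObjectType": 0x420057, "TemplateAttribute": 0x420091, "Attribute": 0x420008,
       "AttributeName": 0x42000A, "AttributeValue": 0x42000B}
OP_CREATE, OBJ_SYMMETRIC_KEY, ALG_AES, USAGE_ENCRYPT_DECRYPT = 1, 2, 3, 0x0C  # enumerations / mask

def ttlv(tag, typ, value):
    # One item: 3-byte tag, 1-byte type, 4-byte big-endian length, value padded to 8 bytes.
    body = (b"".join(value) if typ == STRUCT else struct.pack(">i", value)
            if typ in (INT, ENUM) else value.encode("utf-8"))
    header = struct.pack(">I", TAG[tag])[1:] + bytes([typ]) + struct.pack(">I", len(body))
    return header + body + b"\x00" * (-len(body) % 8)

def create_aes_key_request(bits=256):
    # Client side: a KMIP Create request asking the key server to generate an AES key.
    attr = lambda n, t, v: ttlv("Attribute", STRUCT, [ttlv("AttributeName", TEXT, n),
                                                      ttlv("AttributeValue", t, v)])
    return ttlv("RequestMessage", STRUCT, [
        ttlv("RequestHeader", STRUCT, [
            ttlv("ProtocolVersion", STRUCT, [ttlv("ProtocolVersionMajor", INT, 1),
                                             ttlv("ProtocolVersionMinor", INT, 1)]),
            ttlv("BatchCount", INT, 1)]),
        ttlv("BatchItem", STRUCT, [
            ttlv("Operation", ENUM, OP_CREATE),
            ttlv("RequestPayload", STRUCT, [
                ttlv("ObjectType", ENUM, OBJ_SYMMETRIC_KEY),
                ttlv("TemplateAttribute", STRUCT, [
                    attr("Cryptographic Algorithm", ENUM, ALG_AES),
                    attr("Cryptographic Length", INT, bits),
                    attr("Cryptographic Usage Mask", INT, USAGE_ENCRYPT_DECRYPT)])])])])

def parse(buf, start=0, end=None):
    # Server side: decode TTLV back into nested (tag, type, value) tuples.
    end, items = len(buf) if end is None else end, []
    while start < end:
        tag, typ = int.from_bytes(buf[start:start + 3], "big"), buf[start + 3]
        length = struct.unpack(">I", buf[start + 4:start + 8])[0]
        value = (parse(buf, start + 8, start + 8 + length) if typ == STRUCT else
                 struct.unpack(">i", buf[start + 8:start + 12])[0] if typ in (INT, ENUM)
                 else buf[start + 8:start + 8 + length].decode("utf-8"))
        items.append((tag, typ, value))
        start += 8 + length + (-length % 8)  # advance past the value and its padding
    return items

def attributes(request):
    # Flatten the Template-Attribute of a parsed Create request into {name: value}.
    payload = parse(request)[0][2][1][2][1][2]  # RequestMessage > BatchItem > RequestPayload
    return {a[2][0][2]: a[2][1][2] for a in payload[1][2]}
```

Because every KMIP-compliant product speaks this same encoding, one central key manager can serve the disk, database and application silos the article describes instead of each product carrying its own key store.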
