As Irish hostages go they are probably unique. They are quiet and circumspect and sworn to secrecy. They have prompted a Garda Fraud Squad investigation, which has so far examined 150,000 e-mails, phone records and other communications, and taken approximately 400 witness statements. But still they remain hostages. The Garda is understood to be examining 10 strands of illegal activity connected to them, according to the Irish Press.
The hostages in question are thirty documents. They are being held by a small number of Anglo Irish Bank employees who, to date, have refused to hand over the passwords and encryption keys required to access the sensitive data inside them. This has thrown a large, national bank into chaos and the legal system into such crisis that the situation has been discussed in the country’s parliament, the Dáil.
Former top Anglo Irish Bank employees are refusing to hand over computer passwords to the police. Fine Gael leader Enda Kenny said: "This information in these encrypted files is critical and may be the vital information in respect of prosecuting people for criminal or illegal activities.”
When I heard that Anglo Irish Bank was in serious trouble because its staff were holding passwords and encryption keys hostage – resulting in the bank’s inability to gain access to encrypted data – I felt a certain sense of ‘I told you so’.
It appears that the motivation behind this unwillingness to return the keys for the encrypted data is either an attempt to hide some rather dubious practices from the time of employment, or an attempt to use the keys as a negotiating chip for a better redundancy package. In any case, the problem comes down to why a handful of employees had sole, unfettered access to the keys in the first place, with no escrow, no split custody and no way for the bank to recover its own data without them.
You would think that with all the warnings over the past few years, not to mention financial services regulations, someone at a senior level would have taken steps to address proper key management. But they didn’t.
The regulatory duties that organisations must comply with are very clear. There is therefore no excuse for organisations that ignore them, or for auditors who simply pay lip service to the standards.
For example, the Payment Card Industry Data Security Standard (PCI DSS) clearly states that “the manner in which cryptographic keys are managed is a critical part of the continued security of the encryption solution. A good key management process, whether it is manual or automated as part of the encryption product, is based on industry standards and addresses all key elements”.
Further, it says “the encryption solution should also allow for and facilitate a process to replace keys that are known to be, or suspected of being, compromised”. And I could go on forever quoting standards, but the unwillingness of organisations to take this matter seriously, and for their CSOs, information security analysts, and auditors to brush it under the carpet, is simply unbelievable.
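The key-management failure described above (one or two individuals holding the only copy of a key) and the PCI DSS requirement quoted here (a process for replacing keys suspected of being compromised) both have a standard remedy: split knowledge and dual control of the key-encrypting key, so that no single custodian can either expose it or withhold it. The following is an added worked example, not code from the article or from Anglo Irish Bank, using Shamir secret sharing over a prime field; the field prime, share counts and the 32-byte sample key are assumptions chosen for illustration, and the AES wrapping of data keys under the KEK is deliberately out of scope.

```python
"""Split-knowledge custody of a key-encrypting key (KEK) with Shamir secret sharing.

Added example, not from the original article. Any `threshold` of `shares` custodians
can reconstruct the KEK; fewer than that learn nothing about it. A departing custodian
who refuses to hand over their share therefore cannot hold the data hostage, and the
KEK can be rotated by the remaining quorum so that the withheld share becomes worthless.
"""
import secrets

# Field prime (assumption: 2**521 - 1, a Mersenne prime). Any key up to 64 bytes fits
# in a single field element, so a 32-byte AES-256 KEK is one secret.
PRIME = 2**521 - 1


def _eval_poly(coeffs, x):
    """Evaluate the polynomial coeffs[0] + coeffs[1]*x + ... at x, mod PRIME (Horner)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_key(key: bytes, threshold: int, shares: int):
    """Split `key` into `shares` (x, y) shares; any `threshold` of them recover it."""
    if not 1 < threshold <= shares:
        raise ValueError("need 1 < threshold <= shares")
    secret = int.from_bytes(key, "big")
    if secret >= PRIME:
        raise ValueError("key too large for the field")
    # Constant term is the secret; the other coefficients are uniformly random.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover_key(shares, key_len: int):
    """Lagrange-interpolate the polynomial at x=0 from any set of distinct shares.

    Returns the key bytes. With fewer shares than the threshold the interpolation
    yields an unrelated field element, which usually does not even fit `key_len`
    bytes; in that case None is returned so the caller can tell the quorum was short.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        lagrange = num * pow(den, PRIME - 2, PRIME) % PRIME  # den^-1 via Fermat
        secret = (secret + yi * lagrange) % PRIME
    try:
        return secret.to_bytes(key_len, "big")
    except OverflowError:
        return None


def rotate_kek(quorum, key_len: int, threshold: int, shares: int):
    """Replace a KEK whose custody is suspect: recover it from a quorum, generate a
    fresh KEK, and re-split that among the new custodian set.

    Returns (old_kek, new_kek, new_shares). Every data key wrapped under old_kek must
    then be re-wrapped under new_kek (not shown); old shares are worthless afterwards.
    """
    old = recover_key(quorum, key_len)
    if old is None:
        raise ValueError("quorum below threshold; cannot rotate")
    new = secrets.token_bytes(key_len)
    return old, new, split_key(new, threshold, shares)


def custody_scenario():
    """Five custodians, any three can recover; one leaves and withholds their share."""
    kek = secrets.token_bytes(32)  # constructed sample key
    all_shares = split_key(kek, threshold=3, shares=5)
    withheld = all_shares[0]                       # the departing employee's share
    remaining = [s for s in all_shares if s != withheld]
    recovered = recover_key(remaining[:3], 32)     # three of the remaining four suffice
    too_few = recover_key(remaining[:2], 32)       # two shares reveal nothing useful
    old, new, new_shares = rotate_kek(remaining[:3], 32, threshold=3, shares=4)
    return {
        "recovered_ok": recovered == kek,
        "two_shares_enough": too_few == kek,
        "rotated_from_old": old == kek,
        "new_kek_recoverable": recover_key(new_shares[1:], 32) == new,
    }


if __name__ == "__main__":
    for name, value in custody_scenario().items():
        print(f"{name}: {value}")
```

The shares themselves should live with separate custodians (or in separate hardware security modules), never on the same server as the wrapped data keys; the point of the exercise is that the bank, not any one employee, owns the quorum.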
A report by Gartner, titled PCI Compliance Remains Challenging and Expensive, found that “retailers were mostly concerned about unauthorized access to their systems by insiders, not outsiders. Insiders typically caused the most damage because they know where to find sensitive corporate personal, financial account and other information” and “As you secure your enterprise systems, remember that insiders with privileged and knowledgeable access can cause significantly more damage than an outside hacker acting alone.”
In 2007 the PCI Standards Council said: “…some companies are dragged into compliance kicking and screaming, but there’s nothing like the prospect of brand reputation damage and lawsuits to get them to do what’s necessary to secure systems and respond properly when there is a breach.”
Encryption guru Bruce Schneier said, “regulation – SOX, HIPAA, GLBA, the credit-card industry’s PCI, the various disclosure laws, the European Data Protection Act, whatever – has been the best stick the industry has found to beat companies over the head with. And it works. Regulation forces companies to take security more seriously.” Really?
In the vast majority of organisations, key management is totally out of control, and nobody is prepared to take it seriously. In fact I’m beginning to wonder if the ‘cloud bandwagon’ and outsourcing push is just an excuse for senior executives to try and wash their hands of a problem that they have failed to address, and is resulting in their organisations being exposed to significant unmanaged and unquantified risk.
Last year I was asked to give my view on the trends for 2011 and I said, “…more chief security officers will end up on the dole. Too many organisations are failing to address encryption management effectively because it is in the hands of a few staff whose prime objective is to protect their own domain rather than get a grip on key management, segregation of duties, access controls, etc.” Well, maybe it’s time that these people were held accountable. The fact is that in most organisations, they have absolutely no idea what’s happening at the coal face.
Anglo Irish Bank should serve as a wake-up call for every business. In the mad rush to increase profits and reduce costs, organisations are determined to reduce investment in areas such as IT and information security.
Bonus payments to bankers take the headlines, but what seems to be getting lost in the whole discussion is that most banks are reducing their head count in IT services. Most trading in the financial sector today is based on electronic trading systems. So it’s no longer the guy with the Ferrari who is the superstar on the trading floor – rather it’s the IT person who keeps the system running. This is not someone you want to upset unless you have first made sure that critical functions such as key management are fully automated and do not depend on any one individual.
It’s high time that companies took their IT security seriously and addressed the unmanaged and unquantified risk of who has access to encryption keys. It’s no longer about the data – the encryption key is the data; and it’s not just about the size of the key, it’s about who has access to it. Think about the encryption keys being held hostage by Anglo Irish Bank employees. There is one consolation to this story – these particular hostages can’t write their memoirs.
Calum MacLeod has over 30 years of expertise in secure networking technologies, and is currently EMEA director for Venafi, a digital certificate and encryption key management specialist. Before joining Venafi he worked for Tufin and then Cyber-Ark. MacLeod has also served as an independent consultant to corporate and government clients on IT security strategy for various European market segments, including the European Commission.