Compliance mandates call for key management

Geater, whose company's technology is billed as securing more than 70% of payments transactions worldwide, claims that history shows that mainstream security adoption typically catches up with best practice only as and when the compliance mandates are updated.

This, he says, happened in the past with network security, firewalls, anti-virus and password management, and over recent months the scenario has been played out with encryption and key management.

"As businesses need to share more information across different company departments and expanding geographical borders, the prominence of encryption has risen, and we have seen it increasingly arriving in regulations and legislation", he said.

"But the crux of effective encryption is strong key management and without clearly defined compliance standards in this area, enterprises are often unaware of the critical nature of key management and therefore remain vulnerable to attack", he added.

According to Geater, the steady stream of stories about keys stored in software, lax access control, poor choice of keys and protocols, and theft of key material, appearing alongside data breach notifications, bears witness to this.

Fortunately, he says, regulators are beginning to catch up.

"Compliance mandates which had once simply called for encryption are now being updated to look much more closely at key management. From PCI-DSS to the more traditional world of US Federal government we are seeing increased sophistication in the specification of key management requirements", he said in his security blog.

"So now the secret is out: everyone knows about key management. Simply encrypting data isn't enough, default software installs will be deemed insufficient and lax key management will be viewed as an error, not an easy oversight", he added.

"If you want to comply (and follow encryption best practice), you'd better start managing those keys."
