Data breaches show need for better encryption key, certificate management

Hudson identified a number of security challenges that companies need to address in an era of proliferating data breaches – the increasing skill of hackers and the lack of management of encryption keys and digital certificates.

“The hackers are becoming incredibly sophisticated. They are going after things that people in the past had not spent any time thinking about. So that’s the reality”, Hudson told Infosecurity.

The second challenge is that companies are not aware of all the encryption keys and certificates that they have to manage on their networks. “Getting better at managing this stuff means they have the right people, processes, and practices in place.”

To enable companies to manage these assets, Venafi has launched an EKCM best practices website. Hudson said that Venafi’s customers have been asking, “How do you manage this stuff and how do you make sure that you are not going to have some of these breaches, like RSA or Comodo?”

He added, “We don’t know exactly how the systems got accessed at RSA so that part of the data could be compromised, but to the extent that there is better password management and better private key management, the possibility of [that type of breach happening] goes way down.”

The website offers best-practice guidance for EKCM, breach and failure recovery, system availability, and security breach prevention. Information is provided on how to analyze the encryption inventory, establish effective policies, secure executive sponsorship, educate stakeholders, and develop breach and failure recovery plans.

“If companies would adopt these best practices, which have to do with policies, key rotation, key strengths, and separation of duties, the window of opportunity for hackers shrinks greatly”, Hudson said.

Hudson highlighted shorter validity periods for digital certificates, updating key links, and private key distribution as important best practice areas for companies.

“A lot of times people will set the validity period for a very long time, because then they don’t have to worry about it….The problem with that is the longer something is out there, the more hands it falls into and the more likely it is to be used in a nefarious way.” He recommended companies set certificate validity periods for six months to one year.

“Most people don’t track where all their keys are and where all the key links are….So the best practice is to scan often all of the keys on the network and make sure they are at the right strength so that somebody doesn’t put in there an easy lock to pick”, he said.
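The two checks Hudson describes above, a validity period capped at one year and a scan of the inventory for keys that are too weak, can be expressed as a small audit routine. The Go code below is an added example and not Venafi’s or the article’s own code; the one-year ceiling comes from the article, while the 2048-bit RSA floor and the `selfSigned` helper that manufactures sample certificates are assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Policy thresholds. The one-year ceiling comes from the article; the 2048-bit
// RSA floor is an assumption, since the article names no specific key size.
const (
	maxValidity = 365 * 24 * time.Hour
	minRSABits  = 2048
)

// AuditCert returns the policy findings for one certificate; an empty
// slice means the certificate is within policy.
func AuditCert(c *x509.Certificate) []string {
	var findings []string
	if life := c.NotAfter.Sub(c.NotBefore); life > maxValidity {
		findings = append(findings, fmt.Sprintf("validity %.0f days exceeds one year", life.Hours()/24))
	}
	if pub, ok := c.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < minRSABits {
		findings = append(findings, fmt.Sprintf("RSA key is %d bits, below %d", pub.N.BitLen(), minRSABits))
	}
	return findings
}

// selfSigned builds a constructed, self-signed test certificate with the given
// key size and lifetime, standing in for certificates found on the network.
func selfSigned(cn string, bits int, lifetime time.Duration) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: now, NotAfter: now.Add(lifetime)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

In practice `AuditCert` would be run over certificates parsed from a real scan of the network; `selfSigned` exists only to produce sample input, such as a five-year 1024-bit certificate that yields two findings against a 180-day 2048-bit one that yields none.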

In the area of private key distribution, many companies do not separate public from private keys. The system administrators have access to both keys. “So they can do anything they want with that key. The best practice would be to allow the administrator to have the public key and the private key be managed through another channel, so that these two very important public and private key pairs don’t come together in one place”, Hudson said.
