Comment: How Decentralized Encryption Can Impair Security

Key management silos make regulatory compliance extremely difficult

To protect digital assets from theft and from accidental or intentional misuse, and to meet regulatory requirements, many organizations secure sensitive data with several different point encryption solutions. While increased adoption of encryption has improved security, it has made life much more difficult for IT security and operations teams. That’s because each disparate island of encryption has its own set of encryption keys and its own key management software, and these do not interoperate with each other. This patchwork approach is not only inefficient, but also puts an enterprise’s overall security and availability posture at risk.

Nearly all offline data storage devices include the option of an embedded encryption capability. At the same time, many database management systems (DBMS) and application software providers also offer native encryption options. The result is silos of security in which system administrators and database administrators (DBAs) have to become the managers of the encryption keys for a particular system, which distracts them from their primary tasks of IT or database administration.

Following are the challenges posed by decentralized encryption key management and how to address them.

Key Security

Protecting encryption keys is perhaps the single most important component of IT system security. Keys are vulnerable to attacks from outside hackers and malicious insiders. They are also at risk when being generated, stored, used, verified, distributed, and ultimately retired or destroyed if compromised.

As with any important organizational function, key management begins with a unified strategy and a description and dissemination of proper policies and procedures. Every step in the lifecycle must be carefully managed.

Using a centralized enterprise key management system can provide the tools, as well as the visibility and reports, to undertake this task. Such a system must be able to scale as the company grows, but also be flexible enough to allow for the adoption of new technologies and industry standards as they emerge. Key security is not only important for thwarting costly cyber attacks; it is also a mandatory part of compliance regulations.

Key Availability

Organizations cannot function without the availability of their essential data. It stands to reason that the most important data for the functioning of the business is also the most likely to need encryption for security. Therefore, encrypted data must be easily accessible to authorized users. For a user, whether it’s an employee, customer, or business partner, being unable to access data due to lack of key availability is no different from complete loss of data due to a hardware failure.

A centralized key management system can reduce the complexity of key administration, which ultimately reduces mistakes and security lapses and in turn helps maintain the availability of data. But there are other components of centralized key management that address high availability. Redundant, high-availability key appliances can be utilized, with all key activities and access controls mirrored in real time to a separate, fail-over key appliance, across multiple geographically distributed data centers. This enables key management to provide business continuity.

Governance and Reporting

Shareholders, customers, and government entities can all mandate that an organization maintain an information governance system. The consequences of poor governance can be devastating and include large fines, lawsuits, and loss of customer loyalty. The most important aspect of governance is a discipline for managing, controlling, and protecting the security and privacy of data.

Encryption key management plays a key role here by using policies to enforce adherence to procedures for separation of duties and user authorization, and automating all the security processes involved in the key lifecycle. It can also generate management reports that identify problem hotspots and vulnerabilities.

There are many industry and regulatory mandates that affect key management today, and more are constantly being added. In the payments sector, the Payment Card Industry Data Security Standard (PCI DSS) requires encryption key management systems with controls and procedures for managing key use and performing decryption functions.

In financial services, the Gramm-Leach-Bliley Act (GLBA) requires firms to publicly acknowledge when a disclosure event occurs. Led by California’s Database Security Breach Notification Act in 2003, more than half of all US states have passed additional breach notification rules that go beyond the general requirements of GLBA. If stolen data is encrypted, it provides the company that was breached with safe harbor from these laws and the expensive public notification they require.

Meanwhile, in healthcare, the US Health Information Technology for Economic and Clinical Health (HITECH) Act includes a breach notification clause for which encryption provides safe harbor in the event of a data breach. For “unsecured protected health information” that is not secured by a technology that renders the information unusable, unreadable, or undecipherable (i.e., encryption technology), notification of the breach to every individual affected must be made.

Many native key management solutions, like those within databases, merely store and retrieve keys for authorized users. They cannot create and enforce policies, nor produce activity reports required to meet and document compliance with these regulatory requirements.
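
An added illustration (not from the article or any vendor product) of the gap described above between a store that merely hands keys to authorized users and one that enforces policy and produces activity reports: every request passes a separation-of-duties check and a lifecycle-state check, and each decision is logged. The role names, lifecycle states, principals and key ID are assumptions made for the example.

```python
from collections import Counter

# Assumed policy for illustration. Separation of duties: the role that
# manages keys may never use them on data, and vice versa.
ROLE_OPS = {
    "key_admin": {"create", "retire"},
    "app_service": {"encrypt", "decrypt"},
}
# Operations each lifecycle state permits on an existing key.
STATE_OPS = {
    "active": {"encrypt", "decrypt", "retire"},
    "retired": {"decrypt"},  # old data stays readable; no new encryption
}

class CentralKeyManager:
    def __init__(self):
        self.states = {}  # key_id -> lifecycle state
        self.audit = []   # (principal, role, op, key_id, outcome)

    def request(self, principal, role, op, key_id):
        """Decide one key operation and record it, allowed or not."""
        state = self.states.get(key_id)
        if op not in ROLE_OPS.get(role, set()):
            outcome = "denied:role"
        elif op == "create":
            outcome = "denied:exists" if state else "allowed"
        elif state is None:
            outcome = "denied:unknown_key"
        elif op not in STATE_OPS[state]:
            outcome = "denied:state"
        else:
            outcome = "allowed"
        if outcome == "allowed" and op in ("create", "retire"):
            self.states[key_id] = "active" if op == "create" else "retired"
        self.audit.append((principal, role, op, key_id, outcome))
        return outcome == "allowed"

    def denial_report(self):
        """Denied requests per (principal, reason): candidate hotspots."""
        return Counter((p, o) for p, _, _, _, o in self.audit if o != "allowed")

def demo():
    # Constructed sample requests, not taken from any real system.
    km = CentralKeyManager()
    km.request("alice", "key_admin", "create", "db-key-1")
    km.request("orders-app", "app_service", "encrypt", "db-key-1")
    km.request("alice", "key_admin", "decrypt", "db-key-1")         # denied:role
    km.request("alice", "key_admin", "retire", "db-key-1")
    km.request("orders-app", "app_service", "encrypt", "db-key-1")  # denied:state
    km.request("orders-app", "app_service", "decrypt", "db-key-1")  # allowed
    return km
```

The denial report is the part a store-and-retrieve silo cannot give you: it shows which principal was refused and why, which is the evidence an auditor asks for.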

Centralize Keys for Better Security

Without an enterprise-wide key management system to apply consistent policies, each system administrator separately controls the keys, leaving room for security compromises. These key management silos also make regulatory compliance extremely difficult, if not impossible, to document. Centralizing key management using a standards-based platform will ensure that keys are secure and always provisioned to authorized encryption services.

Ashvin Kamaraju is vice president of product development and partner management for data security vendor Vormetric.
