It is an inescapable fact these days that information security and compliance swim together in the collective minds of many CIOs. As a result, the adoption of information security technology is often related to how well it solves compliance issues.
From many perspectives this is not an unreasonable approach: an organisation could spend a lot of money buying all of the security products they can find and still not be bullet-proof (and even if they have achieved a high level of security, the economics of such actions simply do not make sense). After all, corporate IT departments can’t be experts in all areas and they need guidance, leaving many organisations to turn to industry compliance standards to inform their information security strategy.
However, when compliance projects are the drivers for security initiatives, organisations may be left under-protected or vulnerable to advances in the threat landscape.
Focussing on compliance can hinder organisational security
Wrong way round or not, with compliance driving information security, mainstream security adoption typically catches up with best practice as the compliance mandates are updated.
This is certainly the pattern we have seen with information security over the past decade or so.
At one time, the firewall was everything: the impregnable ring of steel that kept all the good stuff in and the bad guys out. But with the rise in rich content and web applications, no amount of user education could stop those tempting email attachments from being opened, resulting in the growth in popularity of additional defences such as corporate anti-virus and password management.
At the same time businesses and individuals started to share more and more information across virtual boundaries, and compliance mandates around data confidentiality started to emerge.
And so encryption entered the mainstream. Now, finally, the proliferation of encryption and some high-profile incidents have led to the realisation that key management is critical.
Encryption alone is not a silver bullet. Signing high-value assets with software keys does not protect the global community. You have to treat keys and crypto with respect.
For those of us in the industry this is obvious: the keys are the security. Sadly though, the evidence suggests that many mainstream deployments of encryption and signing don’t adopt best-practice key management.
Software key storage or lax access control, poor selection of keys and protocols, and thefts of key material frequently make the headlines. This shouldn’t be surprising – by definition, the mainstream cannot be experts in cryptography. But that’s no excuse, and the security industry and individual industry regulators have a responsibility to fix this.
The turning tide in key management best practice
Happily things do seem to be changing. Compliance mandates that were focussed on encryption are now being updated to look much more closely at key management practice.
From PCI-DSS for payment security, to the more traditional world of US federal government security (which already did fairly well on key management), we see increased sophistication in the specification of key management requirements.
Data breach notification rules (such as those in Nevada) have been explicitly and carefully updated with the realisation that encryption is flawed without key management best practice. Rules are evolving from simple and naïve password encryption requirements to explicit mandates on key management.
In many cases these changes are made to improve the security of systems, and actually reduce the risk of breaches (such as the recommendation to use hardware devices). In other cases, this new understanding and acknowledgment for the role of key management enables business agility, as standards and technologies such as OASIS KMIP (Key Management Interoperability Protocol) make their way into the documents.
So now the secret is out: Everyone knows about key management and that simply encrypting data is no longer sufficient. Over the coming months and years, I expect the quality of key storage, access control and management to come under increasing scrutiny in all areas of the information society, and for lax key management to become viewed as a fault, not an innocent mistake.
Remember, compliance is the by-product of good security. If you want to comply, you’d better start managing those keys.
Jon Geater has more than 10 years of technical experience as a software architect and chief architect in the information security industry and has helped define many real-world security products and systems. As director of technical strategy at Thales, Geater is a technical evangelist for the the company’s information technology security activities. He serves as the technical voice of the Thales strategy group and ensures that the product portfolio meets the needs of both the company and the market. Geater represents Thales at academic conferences and on standards bodies, and is a co-founder of the OASIS KMIP key management group. He holds a BSc (Hons) in computer science.