As organizations focus on protecting confidential information, CISOs are wrestling with how to manage and protect encryption keys.
Mastering encryption key management is one of the next big obstacles in data protection for chief information security officers to overcome, according to Gary Palgon, nuBridges’ vice president of Product Management and an industry expert on data security. After a spate of embarrassing and costly data breaches, and a plethora of industry data security mandates, breach notification laws and government privacy laws, organizations have responded and are doing a much better job of protecting payment card data and personally identifiable information from cyber criminals and accidental loss using encryption.
A byproduct of encryption is a generation of encryption keys that allow authorized users and applications to lock and unlock the data, all of which need to be managed and protected on an enterprise level.
“The challenge of encryption key management is one that has been boiling up to the surface with increasing intensity over the last several months and it’s only going to get worse,” predicted Palgon. “It’s only a matter of time before there will be a significant breach of keys. For that reason, companies must embrace the practice of automated lifecycle encryption key management—advice we’ve presented repeatedly to data security professionals at conferences this year.”
According to Trust Catalyst Principal Kimberly Getgen in a 2009 report on encryption and key management1, “Eight percent of organizations have experienced problems with lost encryption keys, creating security concerns (50 percent), causing data to be permanently destroyed (39 percent), or disrupting the business (39 percent), while 19 percent of respondents said they directly lost business.”
“There are two truths about key management that drive protection strategies,” observed Palgon. “First, if you’re not protecting the keys, you’re not protecting the data; second, if you lose keys, you’ve effectively erased the data. Stolen keys can lead to data breaches. Lost keys result in unrecoverable data. One is costly and reputation-damaging; the other disrupts business.”
The 2009 Trust Catalyst report also shows that “rotating keys, decrypting and re-encrypting data” is the most difficult aspect of key management, according to the survey. In 2008, it was considered the second most difficult aspect, following “preparing for the unfortunate publicity and impact of data breach,” illustrating the rise of encryption key management anxiety among data security professionals.
“This survey illustrates the great strides companies have taken over the past year to protect information,” said Palgon. “The natural fallout of encrypting more information is protecting the keys, which can be complex and expensive when done manually.”
Effective lifecycle encryption key management requires organizations to protect each key from the time it’s generated until it is destroyed, whether it resides in a database, in an application or on back-up tapes on a variety of server, mobile and desktop hardware. One publicized mishap concerning backing up keys occurred last summer.
On July 9, The H, a European online security publication, reported that Germany’s first-generation electronic health cards and doctor’s “health professional cards” had suffered a serious setback because it was revealed that the private keys had not been backed up and the production ones had become corrupted. Had this not been a test run of the technology, this oversight in key management best practices would have meant that real data would have been erased.2
“Protecting and backing up encryption keys is just as important to data security as encrypting and backing up data,” said Palgon. “Fortunately, there are data security solutions that incorporate unified key management with strong encryption to automate the protection and management of an unlimited number of keys across the enterprise.”
About nuBridges
nuBridges is a leading provider of software and services to protect sensitive data at rest and in transit, and to transfer data internally or externally with end-to-end security, control and visibility. nuBridges encryption, key management, managed file transfer and B2B integration solutions are used to comply with security mandates and to digitally integrate business processes among enterprises, systems, applications and people. More than 3,000 customers depend on nuBridges secure eBusiness solutions to encrypt billions of credit card transactions, exchange billions of dollars in B2B transactions and enable countless business-critical file transfers. nuBridges is headquartered in Atlanta, Georgia. For more information, visit www.nubridges.com,
______________________
1Kimberly Getgen, “2009 Encryption and Key Management Industry Benchmark Report.” Trust Catalyst. October 20, 2009.
2Detlef Borchers, “Loss of data has serious consequences for German electronic health card,” The H. July 11, 2009.
LATEST COMMENTS
MC Press Online