Protecting sensitive data, both during transit and while it is in storage, requires employing a number of methods. One common method of data protection is encryption, which allows organizations to meet strict regulatory compliance standards by rendering data unreadable if accessed without the appropriate key.
Encryption itself is relatively easy to achieve, thanks to simple solutions like those found at SafeNet-Inc.com, but encryption key managementcan cause problems. Encrypted data is only as safe as the encryption keys that can unlock it, and if the key is lost, mismanaged or falls into the wrong hands,encryption is useless in protecting data.
Common Key Management Challenges
All organizations face the same common challenges in the management of data encryption keys.
– Networks are no longer private. Thanks to the proliferation of BYOD and cloud services, data is constantly being shared and transferred instead of securely stored in one location. That meansorganizations must encrypt almost all data; as a result, the average company needs dozens of encryption keys depending on the lifecycle of the encryption.
– Encryption keys have varying lifecycles.The most sensitive information may use one time keys, while less vital data may use encryption and keys that only need changing every few days — or even years.
– Meeting regulations.Some companies must meet federallymandated security policies related to encryption; for example, companies handling payment card information must meet the standards of Payment Card Industry’s Data Security Standard, which aims to protect consumer payment information from theft.
– Lack of centralized management. When keys are created, stored, rotated and retired from multiple locations, successfully managing them and knowing exactly which keys are in use and where they belong is a challenge. In addition, when keys are decentralized, legitimate users may have difficulty accessing data because theydo not have the proper key.
– Inability to audit keys. Best practice dictates key management should include auditing and monitoring key access and use. Companies often struggle with “homegrown” solutions, though, when they do not have the ability to log key access, including noting who accessed encrypted information from where and when.
– Lack of support and third-party integration. When companies turn to Software as a Service (SaaS) and cloud applications, unless the SaaS vendor uses an encryption solution compatible with existing encryption, multiple standards are in play, which creates confusion and greater risk.
– Staff risks. In many organizations, one or a few IT professionals are responsible for managing keys. This creates a significant security risk, as there is no system of checks and balances to ensure all of the security standards are being adequately met.
Solving Key Management Challenges
All of the challenges with properly managing encryption keys make some companies wonder if using encryption is even worthwhile. The short answer is yes, encryption is very important, and when the right solutions are in place, encryption is seamless and provides a high level of security.
There are a number of solutions IT departments can employ in order to make their key management easy and effective. The first step is to utilize a formal key management solution centralizing the management of keys and allowing for the ongoing administration of all keys from one location. Such a solution increases security, as keys are not kept in multiple potentially vulnerable locations and allow for more effective rotation and retiring of keys. It’s also an important tool for maintaining compliance with industry security mandates.
Another important, and oft-ignored, best practice is to adhere to separation of duties within the organization. Because the greatest threat to many companies is not the nameless hacker attacking the network from a computer located thousands of miles away, but instead the actual employees of the organization (who may act maliciously or accidentally), it’s important to have more than one person handling the creation, storage, backup, rotation and retirement of encryption keys.
Finally, consider employing hardware encryption rather than software encryption to protect your data. Encrypting the hardware can create a greater burden in terms of updating and maintaining the encryptions codes, but it also provides a greater level of protection against brute force attacks, does not rely on the security of the operating system and doesn’t make a measurable difference in the speed of the machine. Hardware encryption also more effectively protects all of the data contained on the device, rather than just data contained within the specific piece of software, thereby limiting the overall number of necessary keys.
Encryption key management is an important part of a robust security protocol. By understanding the challenges and implementing the proper solutions, you can keep your data safely encrypted and out of the hands of criminals.