
The business case for encryption has never been so clear. Significant data breaches are regularly hitting the headlines and the consequences of leaving data vulnerable to attack are huge. Research by the Ponemon Institute shows that the costs associated with a data breach increased by 28 per cent per record in 2008 and the average total cost per incident rose to £1.7 million from £1.4 million in 2007. The associated loss of customer loyalty and trust is equally damaging to business. Encryption is widely accepted as the most effective way of securing data on the market today and, while it may not be the silver bullet to ensure complete data security, it goes a long way towards addressing this issue.
A few years ago encryption was a niche requirement used primarily by banks and governments; this is no longer the case. Today the need for increased data protection is being felt across most businesses. According to IDC, 44 per cent of enterprises plan to encrypt more than 75 per cent of their data by the end of 2009. The move towards mainstream use of encryption has been pushed forward by privacy mandates and industry best practices, which have expanded beyond the traditional focus on “people and processes” to specify the need for encryption. Additionally, regulators and policy setters are putting pressure on companies to implement encryption, since the black and white nature of this technology (either data is encrypted or it is not) is easily measured and audited.
However, there is a general lack of understanding about encryption and in particular encryption key management in the enterprise space. Key management is essential for companies implementing this technology, since access to encrypted data ultimately comes down to access to the key. A 2008 Trust Catalyst survey found that organisations saw key management as the biggest challenge in database encryption. As the use of encryption grows, companies need to be able to manage (or control) encryption keys securely. This is crucial not only to prevent keys from being lost or stolen, but also for important operational reasons such as on-demand recovery of encrypted data, automated updates and compliance reporting.
Once encrypted, information only becomes readable again when the encryption key is available to unlock it. Consequently, the key becomes as valuable as the data it is protecting. This situation can be likened to the security of a home: locking the house significantly increases the security of its contents, but if the key is then left under the mat the level of security is compromised. In the same way, while encryption is an effective first step in enhancing data security, encryption keys need to be stored and managed effectively in order to ensure data is secure.
Many companies have found themselves in a situation where they need to manage thousands or even many millions of keys as they deploy separate encryption and key management systems to protect different areas of their IT infrastructure, such as laptops, storage systems and databases. This typically involves manual processes to generate, distribute, store, expire, and rotate encryption keys and has resulted in increased operational costs, delays in meeting audit and compliance requirements and increased risk of human error. With many silos of encryption, security officers and administrators are increasingly looking towards a centralised method to define and enforce key management policies.
Even though encryption is essentially binary, with data being either locked or unlocked, when it comes to key management there can be shades of grey. There is a significant difference between good and bad key management and auditors are getting better at spotting this difference. There are many factors to consider in ensuring good key management but below are some of the most important.
Core security: With properly implemented encryption effectively impossible to break directly, the key management system becomes the natural target, a gateway to company information. Consequently key management needs to be at the core of every company’s IT security infrastructure. Many companies used to store their keys in spreadsheets. While this practice is less common today, most companies still rely on software-based key management tools, and this poses a significant threat to secure data storage: keys held in software are exposed to Trojans and other spyware, and even to general debugging tools. By contrast, techniques for providing enhanced physical and logical security in hardware are well established, for example through the use of hardware security modules (HSMs) and security certifications such as FIPS and Common Criteria.
Access controls and authorisation: Even a physically secure key management system will be undermined by weak administrator access controls. This is a particularly important consideration given the current economic environment and the recent rise in insider fraud. BDO Stoy Hayward found that employee fraud accounted for 11 per cent of all fraud committed in 2008, compared with just 2.5 per cent in 2007. Consequently, the value of strong authentication techniques for administrators is obvious. Security against insider fraud can be bolstered by separation of duties, for example by ensuring that the administrators controlling access to encrypted data are different from those governing access to the keys. Going one step further still, the best key management systems require multiple administrators to collaborate, with each operation needing authorisation from two or more of them. This provides a form of mutual supervision and ensures that no one person has complete control of a company’s encrypted data. Such controls are fairly simple to manage and, crucially for regulatory purposes, measurable and easily audited.
Automation and scalability: Most key management tasks are highly proceduralised and execution becomes a costly challenge as the number of keys increases. In such cases, automation is essential and good key management systems can facilitate this. However, in emergency situations or when servicing urgent requests to access data, such as for forensic investigations, key management tasks are often time sensitive. In such situations the data recovery process often requires locating encryption keys quickly for tapes created weeks, months or several years earlier. A comprehensive key storage or escrow strategy is essential to ensure that keys are easily located and prevent the situation getting out of hand, particularly when large quantities of historic keys accumulate.
Audit and reporting: The value of keeping track of key management activities and establishing an audit trail is clear, and key destruction is a good example. When storage media containing sensitive data, such as a disk drive, are decommissioned or malfunction, or after data retention periods have ended, organisations face the challenge of destroying this data. They must also be able to prove that the media are no longer a potential source of data leakage. Physical ‘destruction’ of hardware might not destroy the data within it, since a significant amount of information can still be recovered from shards of a magnetic disk. Encryption provides a convenient, cheaper and greener means to achieve the same goal, since destroying the key effectively destroys the data. This only holds if every copy of that key that was ever made, for example for backup purposes, has also been destroyed, and companies must be able to prove it. That proof is only possible if a strong audit record is available and, once again, this comes down to good key management.
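As an added illustration of the controls discussed under access controls and under audit and reporting above (example code written for this page, not from the article or any vendor's product): a small model in which key administrators are a role distinct from data administrators, every key operation needs a quorum of two distinct key administrators, each copy of a key (backups included) is tracked individually, and the audit log is what lets the organisation prove that every copy was destroyed. Administrator names, key identifiers and storage locations are constructed.

```python
import secrets

class KeyManager:
    """Constructed model (added example, not any product's code) of the
    article's controls: dual control, per-copy tracking, audit trail."""

    def __init__(self, key_admins, quorum=2):
        self.key_admins = frozenset(key_admins)   # role separate from data admins
        self.quorum = quorum
        self.keys = {}    # key_id -> {location: key bytes, or None once wiped}
        self.audit = []   # append-only: (event, key_id, location, approvers)

    def _authorise(self, admins):
        approvers = frozenset(admins)
        # separation of duties: only the key-admin role may touch keys at all
        if not approvers <= self.key_admins:
            raise PermissionError("not a key administrator")
        # mutual supervision: no single person can complete an operation
        if len(approvers) < self.quorum:
            raise PermissionError("%d distinct approvers required" % self.quorum)
        return tuple(sorted(approvers))

    def create_key(self, key_id, admins, backup_locations=("backup",)):
        approvers = self._authorise(admins)
        key = secrets.token_bytes(32)
        # every copy, backups included, is recorded from the moment it exists
        self.keys[key_id] = {"primary": key, **{loc: key for loc in backup_locations}}
        self.audit.append(("create", key_id, "*", approvers))

    def destroy_copy(self, key_id, location, admins):
        approvers = self._authorise(admins)
        self.keys[key_id][location] = None      # this copy is now shredded
        self.audit.append(("destroy", key_id, location, approvers))

    def fully_destroyed(self, key_id):
        """The data is only gone when no copy of the key survives anywhere."""
        return all(copy is None for copy in self.keys[key_id].values())

    def evidence(self, key_id):
        """Audit records an auditor would review for this key."""
        return [e for e in self.audit if e[1] == key_id]

def demo():
    km = KeyManager(key_admins=["alice", "bob"])   # carol is a data admin only
    km.create_key("tape-2008-11", ["alice", "bob"])
    km.destroy_copy("tape-2008-11", "primary", ["alice", "bob"])
    after_primary = km.fully_destroyed("tape-2008-11")   # False: backup copy remains
    km.destroy_copy("tape-2008-11", "backup", ["alice", "bob"])
    return after_primary, km.fully_destroyed("tape-2008-11"), len(km.evidence("tape-2008-11"))
```

Destroying only the primary copy leaves the key, and therefore the data, recoverable from backup; the audit records are what demonstrate that both copies were eventually wiped.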
Whilst much of the onus for implementing good key management lies with security professionals within organisations, there are several initiatives underway designed to simplify the process. Key management standards are nearing ratification, deployment best practices are well understood within the auditing community and second generation key management products are reaching the market. Measures such as these will help enable organisations to implement cohesive key management strategies.
Regulation, market forces and sheer practicality will result in a shifting landscape for the use of encryption. The question of whether encryption should be adopted has developed into one of how and where encryption needs to be deployed. For example, the pain versus gain equation can be very different for storage, desktop, database or application level encryption and opinions are likely to shift over time. While these changes will impact upon the encryption landscape as a whole, adopting a solid and thoughtful approach to key management now can, to some degree, insulate companies from these changes. Key management can help create a point of stability around which to build security policies, reporting practices and, ultimately, a stronger sense of control.