With the specter of lost devices, hacked servers and rogue employees fresh in the minds of today's information security professionals, there has been a growing awareness of the merits of data encryption software. Implementation must be a thoughtful process, however, as poorly planned key management protocols can negate the best of intentions.
A line in the sand
The illusion of safety has effectively evaporated in the business community in recent years as a spate of high-profile digital disasters revealed the vulnerabilities held by companies both large and small. As more IT departments are starting to realize, it may be wiser to allocate resources away from the illusory goal of total prevention and toward the more pragmatic pursuit of threat mitigation and resolution tactics.
In fact, the National Institute of Standards and Technology (NIST) recently solicited feedback from private sector firms regarding their experiences with, and best practice recommendations for, data encryption technologies. Following President Obama's Executive Order on cybersecurity, the agency has been tasked with working across sectors to establish a cooperative threat intelligence network that serves the common good.
Mastering key management
Encryption keys are essentially the shared secret between the protected files and their authorized viewers, and they are the asset cybercriminals are really after. As a result, mismanagement of the keys can spoil data encryption software investments and compromise sensitive information.
As one security consultant told Dark Reading, only about 20 percent of the "mature financial institutions" he works with can be classified as proficient encryption key managers. As the number of encrypted databases increases within an organization, issues of interoperability and organizational orchestration can quickly complicate projects and inhibit effective key management.
At the very least, companies are encouraged to observe the cardinal rule of data encryption software and ensure that keys are not stored on the same servers as the information they protect. If an intruder compromises a server holding both, they have everything needed to decrypt the sensitive files. However, the true indicator of successful security is how intelligently IT departments distribute responsibility.
According to Dark Reading, there must be a certain separation of duties to ensure that no one employee has access to all encryption keys - or exclusive control over any one. If this administrator were to unexpectedly leave the organization, or translate job dissatisfaction into a vengeful plot against the company, the operational consequences could be disastrous. As a result, an enlightened system of checks and balances must be in place to ensure encryption keys are handled by a team of trusted guardians.