The Future of Encryption
by Richard Moulds - nCipher - Monday, 18 February 2008.
So, how are the growth of encryption and the need to manage keys changing organizations' behaviour? To address the challenges brought about by the increased deployment of cryptography, Best-in-Class companies have shifted their thinking: they were 60 percent more likely than the industry average group to take a strategic, enterprise-wide approach to encryption and key management, rather than the traditional, more tactical approach of addressing particular and isolated points of risk within their infrastructure, such as the theft of laptops or back-up tapes.

To further quantify this shift, the Aberdeen Group survey describes the significantly higher priorities and corresponding investments by the same Best-in-Class companies in specific encryption and key management technologies to complement other organizational structure and process related topics. The survey concludes that these pioneering organizations have already benefited by lowering the instances of actual or potential exposure while simultaneously reducing actual key management costs by an average of 34 percent.

Cryptography, embedded security by default

As Aberdeen and other independent analysts have discussed, access to encryption technology is getting easier and easier. It often comes along for free, and it has already made its way into a host of devices we use every day. Laptop computers, wireless access points, and even devices we don’t think of as being part of a typical IT infrastructure, such as vending machines, parking meters, gaming machines and electronic voting terminals, have encryption embedded. The same is true for business applications and data center hardware such as back-up tape devices and database software. This is steadily resolving one of the big challenges with encryption: how to upgrade existing systems to support encryption without penalizing performance or costing a fortune in custom developments or ‘bolt-on’ encryption products.

Don't forget the keys

The widespread availability of encryption is good news, but without a clear way of managing its deployment, a number of pitfalls remain. Organizations of all sizes and in all industries need to look seriously at the management of the cryptographic keys, the secret codes that lock and unlock the data. Unless organizations begin laying the groundwork today, this new age of encryption will present serious management challenges.

Encryption is a powerful tool, but getting it wrong, from either a technology or an operational perspective, can at best result in a false sense of security and, at worst, leave your data scrambled forever.

Protecting data is important, but if a key is lost, access to all of the data originally encrypted by that key is also lost. To put it bluntly, encryption without competent key management is effectively electronic data shredding. Just as with house keys, office keys or car keys, great care must be taken to keep back-ups and special thought needs to be given to who has access to keys. Establishing a key management policy and creating an infrastructure to enforce it is therefore an important component of a successful enterprise security deployment.

Key management brings encryption under control

Key management can’t just be an afterthought; it is the process by which encryption and cryptography become effective security and business tools. Key management is about bringing encryption processes under control, from both a security and a cost perspective. Keys must be created according to the correct process, backed up in case of disaster, delivered to the systems that need them (on time and ideally automatically), kept under the control of the appropriate people and, finally, deleted at the end of their life-span. In addition to the logistics of handling keys securely, which are secrets after all, it is also critical to set and enforce policies that define the use of keys – the who, when, where and why of data access.

