How to stay secure in a changing world
by Jeff Hudson - CEO at Venafi - Wednesday, 7 November 2012.
Virtually safe and sound

In the real world, if you buy and fit the strongest lock available on the market it might make your building secure. However, every time you give another person a key the strength of that lock is weakened as you’re now reliant on each person’s sincerity and their ability to protect your key. The question is simple, how strong is the lock if everyone can open it?

The same is true for your virtual assets. Whether it’s the customer database, your research and development data or even who is your top performing sales person – if it has a value to you it deserves to be locked away.

Many organisations think that, by encrypting their data, they’re secure. However, and here we must dispel a security myth, unfortunately it’s not true. It comes back to the strongest lock scenario outlined previously. Encryption means nothing unless they keys remain protected and accessible only to those who should have access to decrypt and consume data, otherwise the data that companies believe is protected remains woefully exposed.

To protect encryption keys, administrators must follow clear, well-documented processes that minimise the keys’ exposure. The sad truth is that most company’s manual key management practices fail to measure up:
  • Keys have multiple access points
  • Keystore passwords are not changed regularly
  • The same password is used across multiple keystores
  • Private key(s) are manually shared between administrators and applications
  • Distribution policies are lax or unclear
  • Private keys and passwords are not changed when administrators leave the organisation
  • Expansive key volumes leave glaring gaps in coverage.
With so many points of exposure, dozens of people can access thousands of keys. Additionally the reality of typically high IT staff turnover instead of reducing the risk of a compromise, instead actually magnifies it.

Instead, organisations need to implement sound encryption key management practices required to truly secure data. Using an automated and policy-based tool, you can then easily implement best practices such as separation of duties, regulated workflow, forensically durable logging, HSM integration, secure key distribution and regular key rotation.

With encryption keys’ exposure minimised, controlled and audited, companies know that their encryption assets truly deliver the promised security to truly protect vital data.

While Sir Isaac Newton may have a different take on the law of physics, were he alive today, I’m sure security would factor heavily in his theories.

Spotlight

Using Hollywood to improve your security program

Posted on 29 July 2014.  |  Tripwire CTO Dwayne Melancon spends a lot of time on airplanes, and ends up watching a lot of movies. Some of his favorite movies are adventures, spy stuff, and cunning heist movies. A lot of these movies provide great lessons that we can apply to information security.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Wed, Jul 30th
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //