In the real world, if you buy and fit the strongest lock available on the market it might make your building secure. However, every time you give another person a key the strength of that lock is weakened as you’re now reliant on each person’s sincerity and their ability to protect your key. The question is simple, how strong is the lock if everyone can open it?
The same is true for your virtual assets. Whether it’s the customer database, your research and development data or even who is your top performing sales person – if it has a value to you it deserves to be locked away.
Many organisations think that, by encrypting their data, they’re secure. However, and here we must dispel a security myth, unfortunately it’s not true. It comes back to the strongest lock scenario outlined previously. Encryption means nothing unless they keys remain protected and accessible only to those who should have access to decrypt and consume data, otherwise the data that companies believe is protected remains woefully exposed.
To protect encryption keys, administrators must follow clear, well-documented processes that minimise the keys’ exposure. The sad truth is that most company’s manual key management practices fail to measure up:
- Keys have multiple access points
- Keystore passwords are not changed regularly
- The same password is used across multiple keystores
- Private key(s) are manually shared between administrators and applications
- Distribution policies are lax or unclear
- Private keys and passwords are not changed when administrators leave the organisation
- Expansive key volumes leave glaring gaps in coverage.
Instead, organisations need to implement sound encryption key management practices required to truly secure data. Using an automated and policy-based tool, you can then easily implement best practices such as separation of duties, regulated workflow, forensically durable logging, HSM integration, secure key distribution and regular key rotation.
With encryption keys’ exposure minimised, controlled and audited, companies know that their encryption assets truly deliver the promised security to truly protect vital data.
While Sir Isaac Newton may have a different take on the law of physics, were he alive today, I’m sure security would factor heavily in his theories.