It is commonly understood that the majority of security breaches originate from an internal rather than an external source. According to the FBI and the Computer Security Institute, 50-80% of all attacks happen from inside company firewalls. Of those companies surveyed, 73% of them reported that they’d experienced some form of internal security breach over the past year.
Within a consolidated data centre there is often little separation between the people who manage the data storage devices and the information that sits on them, giving those people unrestricted access to sensitive data. This means that an organisation’s security may be well ordered from a user perspective but wide open to third parties such as short-term technical consultants and technical staff within the data centre.
There are now devices that encrypt data as it moves into the storage environment, divorcing the administration of the data storage devices from the ability to make sense of the information stored on them. This function will certainly migrate to storage endpoints, removing the need for encryption appliances to be fitted into the network. As vendors bring these devices to market, encryption itself ceases to be the security challenge; instead, encryption key management becomes the security challenge that has to be dealt with.
Encryption is based on an exchange of keys which allows those in possession of the key to make sense of encrypted data. However, in this new environment, the types of key used will vary enormously between vendors’ encryption methodologies, and as a result the number and variety of keys that will need to be managed will grow.
As the name implies, encryption keys perform much the same function as the keys for a workplace where the variety of keys for different locks and lock types must be managed. In the workplace this is often done by having a key box with secure access by an approved individual, who can then ‘sign-out’ the keys to authorised personnel.
Much the same system needs to be applied to encryption keys, but the challenge here is that there will inevitably be a greater variety of key types to manage and the security system may need to be more complex. There is also the challenge of flexibility as rights of access are assigned and reassigned to reflect organisational change. What will be required to achieve this is secure, automated, and open (not restricted to any key type or encryption methodology) key management systems.
The current landscape of encryption key management systems tends to be an entirely manual process. This scenario creates potential for administrator error, especially in critical situations such as disaster recovery where the pressures on an individual can lead to mistakes. The solution can only be to automate all the essential operations to do with key management – on a secure platform. The issue of a secure platform is of particular importance because it represents a ‘hidden’ security challenge – how to control access to the computer system that holds the keys, when well-known operating systems have well-publicised security loopholes that can be exploited.
As you can imagine, this situation has not gone unnoticed by manufacturers of security equipment, and today we are starting to see the emergence of first-generation automated key management systems. These are based on a secure platform with multiple levels of controls for allowing or denying access. In this way a policy can be set which, unless changed, will function error-free even in the most testing of situations and which can be seamlessly ported to a remote site as part of a business continuity strategy.
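The separation of duties described above (storage administrators hold the encrypted data but not the means to read it) and the ‘key box’ sign-out model with a fixed access policy can be sketched in code. The following is an added illustration, not code from any vendor product: data is encrypted under a data encryption key (DEK) that is itself wrapped by a key-encryption key (KEK) held only inside the key manager, and the key manager releases a DEK only to principals the policy names, logging every request. The cipher here is an HMAC-SHA256 counter-mode stream with an encrypt-then-MAC tag, used as a stand-in for AES so the example runs with the standard library alone; all names and the scenario are constructed.

```python
import hashlib, hmac, os

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode stands in for AES-CTR (assumption: no AES library).
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(-(-n // 32))]
    return b"".join(blocks)[:n]

def seal(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    # Encrypt-then-MAC; the tag covers `aad` (the key id) so a wrapped key cannot be relabelled.
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, aad + nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes, aad: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, aad + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

class KeyManager:
    """The 'key box': holds the KEK, wraps DEKs, and signs them out per policy."""
    def __init__(self, policy: dict):
        self._kek = os.urandom(32)   # key-encryption key; never leaves this object
        self._policy = policy        # principal -> set of key ids they may sign out
        self.audit = []              # (principal, key_id, decision) for every request
    def create_wrapped_dek(self, key_id: str) -> bytes:
        # Only the wrapped DEK is returned; it may be stored beside the data.
        return seal(self._kek, os.urandom(32), key_id.encode())
    def sign_out(self, principal: str, key_id: str, wrapped: bytes) -> bytes:
        granted = key_id in self._policy.get(principal, set())
        self.audit.append((principal, key_id, "granted" if granted else "denied"))
        if not granted:
            raise PermissionError(f"{principal} may not sign out {key_id}")
        return unseal(self._kek, wrapped, key_id.encode())

def demo() -> dict:
    # Constructed scenario: the storage admin holds ciphertext and wrapped DEK, not the DEK.
    km = KeyManager({"finance-app": {"vol-finance"}})
    wrapped = km.create_wrapped_dek("vol-finance")
    stored = seal(km.sign_out("finance-app", "vol-finance", wrapped), b"Q3 payroll", b"vol-finance")
    try:
        km.sign_out("storage-admin", "vol-finance", wrapped)
        admin_blocked = False
    except PermissionError:
        admin_blocked = True
    dek = km.sign_out("finance-app", "vol-finance", wrapped)
    return {"admin_blocked": admin_blocked, "plaintext": unseal(dek, stored, b"vol-finance"),
            "audit": km.audit}
```

The audit list is what a disaster-recovery review would inspect: every release or refusal of a key is recorded with the requesting principal, and a wrapped DEK presented under the wrong key id fails authentication rather than being released.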