It is commonly understood that the majority of security breaches originate from an internal rather than an external source. According to the FBI and the Computer Security Institute, 50-80% of all attacks happen from inside company firewalls. Of those companies surveyed, 73% of them reported that they’d experienced some form of internal security breach over the past year.
Within a consolidated data centre there is often little separation between the people who manage the data storage devices and the information that sits on them, giving those people unrestricted access to sensitive data. This means that an organisation’s security may be well ordered from a user perspective but wide open to third parties such as short-term technical consultants and technical staff within the data centre.
There are now devices that encrypt data as it moves into the storage environment, divorcing the administration of the data storage devices from the ability to make sense of the information stored on them. This function will certainly migrate to storage endpoints, alleviating the need for encryption appliances to be fitted into the network. As vendors bring these devices to market, encryption itself ceases to be the security challenge; instead, encryption key management becomes the security challenge that has to be dealt with.
Encryption is based on an exchange of keys which allows those in possession of the key to make sense of encrypted data. However, in this new environment, the types of key used will vary enormously between vendors’ encryption methodologies, and as a result the number and variety of keys that need to be managed will grow.
As the name implies, encryption keys perform much the same function as the keys for a workplace where the variety of keys for different locks and lock types must be managed. In the workplace this is often done by having a key box with secure access by an approved individual, who can then ‘sign-out’ the keys to authorised personnel.
Much the same system needs to be applied to encryption keys, but the challenge here is that there will inevitably be a greater variety of key types to manage and the security system may need to be more complex. There is also the challenge of flexibility as rights of access are assigned and reassigned to reflect organisational change. What will be required to achieve this is secure, automated, and open (not restricted to any key type or encryption methodology) key management systems.
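The key-box model above, as an added illustration that is not part of the original article: data is encrypted as it enters storage under a per-volume data key, the storage administrator sees only ciphertext, and the data key is held (wrapped under the custodian's key-encrypting key) in a key box that signs it out only to authorised principals and can revoke that authorisation when roles change. The stream cipher here is a deliberately simple HMAC-SHA256 keystream, an assumption made so the example runs with the standard library alone; a real deployment would use an authenticated cipher such as AES-GCM.

```python
import hmac, hashlib, secrets

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy stream cipher (illustrative only): keystream = HMAC-SHA256(key, nonce || counter),
    # XORed with the data 32 bytes at a time. Encryption and decryption are the same operation.
    out = bytearray()
    for block, i in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def encrypt(key: bytes, data: bytes) -> bytes:
    nonce = secrets.token_bytes(16)          # fresh nonce per message, stored with the ciphertext
    return nonce + _keystream_xor(key, nonce, data)

def decrypt(key: bytes, blob: bytes) -> bytes:
    return _keystream_xor(key, blob[:16], blob[16:])

class KeyBox:
    """Custodian-controlled key box: data keys are stored wrapped under a KEK that never
    leaves the box, and a data key is signed out only to principals on the volume's ACL."""
    def __init__(self):
        self._kek = secrets.token_bytes(32)
        self._wrapped = {}   # volume name -> data key wrapped under the KEK
        self._acl = {}       # volume name -> set of authorised principals

    def new_volume_key(self, volume: str) -> bytes:
        dek = secrets.token_bytes(32)
        self._wrapped[volume] = encrypt(self._kek, dek)
        self._acl[volume] = set()
        return dek                           # handed to the encrypting storage endpoint only

    def grant(self, volume: str, principal: str) -> None:
        self._acl[volume].add(principal)

    def revoke(self, volume: str, principal: str) -> None:
        self._acl[volume].discard(principal)  # access reassigned on organisational change

    def sign_out(self, volume: str, principal: str) -> bytes:
        if principal not in self._acl[volume]:
            raise PermissionError(f"{principal} is not authorised for {volume}")
        return decrypt(self._kek, self._wrapped[volume])

def run_scenario() -> dict:
    # Constructed scenario: a finance volume, an authorised analyst, and a storage admin.
    box, record = KeyBox(), b"payroll: constructed sample record"
    dek = box.new_volume_key("finance-vol")
    on_disk = encrypt(dek, record)           # all the storage administrator can ever read
    box.grant("finance-vol", "analyst")
    analyst_view = decrypt(box.sign_out("finance-vol", "analyst"), on_disk)
    box.revoke("finance-vol", "analyst")
    try:
        box.sign_out("finance-vol", "analyst"); revoked = False
    except PermissionError:
        revoked = True
    return {"admin_sees_plaintext": record in on_disk, "analyst_view": analyst_view,
            "revoked": revoked, "record": record}
```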