The average loss in a brand’s value after a data breach.
While encrypting data is important, the keys that control the encryption and decryption processes are even more important because, well, data is useless without a key. And with so many programs and devices requiring encryption and individual key management, it’s easy to see why keys can be mismanaged or why dangerous shortcuts are taken to manage them.
Today, most encryption systems have their own built-in key managers that also create backups, “so at least you have some consistency,” Ouellet says. “The key manager that comes with those solutions is probably good enough.” But centralized key management might be the answer for companies that find themselves using a growing number of encryption tools and keys.
A quarter of companies surveyed by Forrester have adopted centralized key management in some form, he adds, but that number will grow as interoperability standards take hold.
Open standards organization Oasis has developed a key management interoperability protocol (KMIP) as a standard within cryptographic systems. “This standard has been growing and is replacing older standards,” Ouellet explains. “The only catch is that while most organizations that provide cryptography want to support KMIP, they’ll do it as a means to manage others’ keys. They’re not allowing others to manage their keys. It’s kind of a chicken and egg thing,” which will hold back adoption “unless the vendors start opening themselves up,” he says.
Do’s and Don’ts
Analysts say to leave key management to the professionals. Kindervag advises IT shops to deploy an enterprise-quality key management program that understands key management in their companies. “Don’t try to build your own,” he cautions. “Don’t email keys back and forth, and don’t leverage things like Active Directory to store keys.”
Do keep the key management function in a segment of your network that is completely separate from the encrypted data, and protect it with features such as Layer 7 firewalls, IPS devices and strong access control, he adds. Only a few people who are designated to manage keys should have access to that segment of the network, and they should constantly monitor what is happening on the key management servers, such as who is seeking access.
In the near future, key management will be available in the cloud with service providers who specialize in enterprise key management. “Traditional PKI vendors are moving in that direction,” Kindervag says, and credit card payment processors are capable of expanding their key management technologies into intellectual property and custodial data areas.
Cloud key management is also “a big trend right now” for smaller organizations that don’t feel comfortable owning and managing keys,
The trick to successful deployments of encryption, key management and digital rights is to make things easy for users.
“Spend quality time with self-installing packages,” says Applied Materials’ Archibald. “We have automated distribution of the software, and it’s just a matter of having it enabled for the user. There are only two or three things an individual needs to do — set their pass phrase, sync that to their Windows login and reboot their machine.”
Collett is a Computerworld contributing writer. You can contact her at email@example.com.
Source: Experian Information
Proceed With Caution
While assigning rights for viewing and editing documents seems like a good idea, it’s not something that Gartner’s Eric Ouellet recommends for organizations that need to keep documents for a long time. “There are no standards for EDRM [Enterprise Digital Rights Management],” he explains. If a vendor changes the cryptography or the way it applies the technology, users must upgrade or retrofit all existing documents or run the risk of having orphaned documents that no one can open. One Gartner client had to upgrade twice over the past eight years, he adds.
“If documents are only going to live for 12 to 18 months, that’s a risk window that you can manage,” he says. “But if the documents need to live for four to five years or more, then you have to start building alternate systems,” such as ones for keeping copies in plain text that are accessible to only one or two people in the organization.