Challenges in the Age of Encryption
IT management will face challenges unless it lays the groundwork for the growing ubiquity of encryption
by Richard Moulds
Cryptography, once seen as a specialist area of information security, is coming of age. Growing regulatory pressures are forcing enterprises to protect the integrity, privacy, and security of critical information. As a result, cryptography is emerging as the foundation for enterprise data security and compliance.
It was true decades ago and it is still true today – encryption is the most reliable way to secure data. As recently as the late 1990s, encryption was primarily used to secure data in government facilities and financial institutions. The rapid rise of the Internet and e-commerce expanded the use of encryption to include an ever-growing variety of financial transactions and communications.
Today, as encryption use continues to grow, it is now making its way into a host of devices we use every day, such as laptop computers and wireless access points, and even devices we don’t think of as being part of an IT infrastructure such as vending machines, parking meters, gaming machines and electronic voting terminals. IT security is entering the age of ubiquitous encryption, an age that will present serious management challenges unless organizations begin laying the groundwork today.
The Challenges
There’s no doubt that encryption is a powerful tool, but getting it wrong—either from a technology or management perspective—can at best result in a false sense of security and at worst leave your data scrambled forever, the equivalent of a corporate document shredder.
With data protection stakes high, enterprises need to look seriously at the management of encryption and decryption keys, the secret codes that lock and unlock the data. As encryption takes off, providing lifetime management of private keys and digital certificates across hundreds of applications and thousands of servers, end users and networked devices can quickly overburden the cumbersome manual processes that have been used until now.
Managing All the Keys
From the corporate data center to an employee’s laptop all the way out to the vending machine at a local ballpark – organizations will need to deploy systems to manage their encryption centrally. Local staff, if they exist at all, will not necessarily be sufficiently experienced or trustworthy to perform the operations locally. Manual processes coordinated and dispatched from the corporate IT group simply won’t scale across a large number of devices. An encryption management system needs to be automated to a high degree and, it almost goes without saying, absolutely secure.
Key archival, recovery, and mobility are all crucial parts of the equation. For instance, if a laptop breaks down or a back-up tape is stolen, the issue is not just one of security but of recovery and business continuity as well. Now that data on the hard drive or tape is encrypted (and therefore useless without the keys that can unlock it), information recovery takes on a whole new dimension, particularly in an emergency. When the recovery process is performed in a different location, by a different team, governed by different policies, and on protected data that is years or even decades old, what used to be a data management problem has now become a serious key-management problem.
Managing cryptography becomes more difficult as the use of cryptography proliferates, leading to increased scale and diversity, driving up costs and risk. As a result, products are emerging to manage and automate the distribution of keys across disparate applications running on large numbers of geographically dispersed computing devices.
Until recently, the management of cryptography has been an ad hoc, manual process that includes renewing certificates, rolling over keys, generating new keys, or importing existing keys to machines as they come online and removing keys as machines are retired or fail in service. In addition to the physical management of these keys, there is also the enforcement of security policies and the necessity to provide a full audit trail that reveals who did what, when, how, and why.
Summary
Encryption is the optimal means of securing data. With the recent technology advances in computer operating systems such as Microsoft Windows Vista, hardware devices such as Trusted Platform Modules (TPMs), and key management solutions, this once-onerous technology is no longer seen as a management nightmare. In fact, with the proper key management system, enterprise-wide encryption can become a competitive advantage for organizations operating in a world without boundaries.
Richard Moulds is nCipher’s vice president of marketing and product management. He leads the company’s product strategy, including that of keyAuthority™, nCipher’s key management solution. Richard holds a bachelor's degree in electrical engineering from Birmingham University and an MBA from Warwick University, UK.