Who Holds the Keys?

Encryption isn't bulletproof if keys and digital rights are left out in the open. Here's how to lock down stored data.

Page 2 of 2

At Intel, 85% of laptops have full-disk encryption, but CISO Malcolm Harkins is already assessing the next big thing -- self-encrypting hard drives, which will address encryption gaps when laptops are in standby, sleep or hibernate modes.

"As you're moving to products that are always on/instant on, if you've got a nine-hour battery life and it's always on standby, the data is not encrypted," Harkins says. "I also want to improve the user experience," he adds, referring to the fact that encryption typically requires users to enter passcodes and wait for systems to reboot. "If I can do that, as well as potentially lower my cost of control, self-encrypting drives might be the answer."

Key Management

While encrypting data is important, the keys that control the encryption and decryption processes are even more important: encrypted data is useless without its key, and an exposed key makes the encryption worthless. And with so many programs and devices each requiring encryption and their own key management, it's easy to see why keys get mismanaged or why dangerous shortcuts are taken to manage them.

Today, most encryption systems have their own built-in key managers that also create backups, "so at least you have some consistency," Ouellet says. "The key manager that comes with those solutions is probably good enough." But centralized key management might be the answer for companies that find themselves using a growing number of encryption tools and keys.

A quarter of companies surveyed by Forrester have adopted centralized key management in some form, he adds, but that number will grow as interoperability standards take hold.

Open standards organization OASIS has developed the Key Management Interoperability Protocol (KMIP) as a standard within cryptographic systems. "This standard has been growing and is replacing older standards," Ouellet explains. "The only catch is that while most organizations that provide cryptography want to support KMIP, they'll do it as a means to manage others' keys. They're not allowing others to manage their keys. It's kind of a chicken and egg thing," which will hold back adoption "unless the vendors start opening themselves up," he says.

Do's and Don'ts

Analysts say to leave key management to the professionals. Kindervag advises IT shops to deploy an enterprise-quality key management program, run by people who understand how keys are used in their companies. "Don't try to build your own," he cautions. "Don't email keys back and forth, and don't leverage things like Active Directory to store keys."

Do keep the key management function in a segment of your network that is completely separate from the encrypted data, and protect it with features such as Layer 7 firewalls, IPS devices and strong access control, he adds. Only a few people who are designated to manage keys should have access to that segment of the network, and they should constantly monitor what is happening on the key management servers, such as who is seeking access.
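The segmentation above is a network design rather than code, but the monitoring half of the advice can be exercised. The following is an added example written for this page, not code from Forrester, Kindervag or any key management product: it reviews constructed audit-log lines from a key-management server and flags requests from principals who are not designated operators, requests from outside the key-management segment, sensitive key operations such as export, and repeated denials. The segment address range, the operator allowlist and the log format are all assumptions made up for the example.

```python
# Added example (not from the article): review access to a segregated
# key-management network segment using constructed audit-log lines.
import ipaddress
import re
from collections import Counter
from typing import Iterable, List, Optional

# Assumed policy values for the example: the isolated segment that hosts the
# key-management servers, and the few people designated to manage keys.
KEY_MGMT_SEGMENT = ipaddress.ip_network("10.50.0.0/24")
DESIGNATED_OPERATORS = {"kms-admin1", "kms-admin2"}
# Actions that warrant review even when a designated operator performs them.
SENSITIVE_ACTIONS = {"export", "backup", "destroy"}

# Assumed log format for the example; real key managers use their own.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) key=(?P<key>\S+) result=(?P<result>OK|DENIED)$"
)

# Constructed sample log: a designated admin working from inside the segment,
# a service account probing from an application subnet, and a key export.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z src=10.50.0.12 user=kms-admin1 action=get key=db-master-key result=OK
2024-03-01T09:05:14Z src=10.50.0.12 user=kms-admin1 action=rotate key=db-master-key result=OK
2024-03-01T10:12:33Z src=10.20.7.45 user=svc-backup action=get key=db-master-key result=DENIED
2024-03-01T10:12:35Z src=10.20.7.45 user=svc-backup action=get key=db-master-key result=DENIED
2024-03-01T10:12:38Z src=10.20.7.45 user=svc-backup action=get key=db-master-key result=DENIED
2024-03-01T11:30:00Z src=10.50.0.15 user=jdoe action=export key=file-share-key result=OK
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one audit line; return None for lines that do not match the format."""
    match = LOG_LINE.match(line.strip())
    if not match:
        return None
    event = match.groupdict()
    try:
        event["src"] = ipaddress.ip_address(event["src"])
    except ValueError:
        return None
    return event


def review(lines: Iterable[str], denied_threshold: int = 3) -> List[dict]:
    """Return one finding per suspicious event, plus one per principal that
    accumulates denied_threshold or more denied requests."""
    findings = []
    denied = Counter()
    for raw in lines:
        event = parse_line(raw)
        if event is None:
            continue  # blank or malformed line; a stricter reviewer would flag these too
        reasons = []
        if event["user"] not in DESIGNATED_OPERATORS:
            reasons.append("principal not designated for key management")
        if event["src"] not in KEY_MGMT_SEGMENT:
            reasons.append("request from outside the key-management segment")
        if event["action"] in SENSITIVE_ACTIONS:
            reasons.append(f"sensitive action: {event['action']}")
        if event["result"] == "DENIED":
            denied[event["user"]] += 1
        if reasons:
            findings.append({"ts": event["ts"], "user": event["user"],
                             "src": str(event["src"]), "key": event["key"],
                             "reasons": reasons})
    # Aggregate view: repeated denials from one principal are worth a look
    # even if each individual request was correctly refused.
    for user, count in denied.items():
        if count >= denied_threshold:
            findings.append({"ts": None, "user": user, "src": None, "key": None,
                             "reasons": [f"{count} denied requests"]})
    return findings


def review_sample() -> List[dict]:
    """Run the review over the constructed sample log."""
    return review(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for finding in review_sample():
        print(finding["user"], finding["src"], "; ".join(finding["reasons"]))
```

On the sample, the designated admin's routine get and rotate operations produce no findings, each of the three denied requests from the service account on the application subnet is flagged twice over (undesignated principal, wrong segment) and once more in aggregate, and the export by a non-designated user is flagged as both an undesignated principal and a sensitive action. The same structure applies to a real key manager's audit trail once the log parser and the policy constants are swapped for the organization's own.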

In the near future, key management will be available in the cloud with service providers who specialize in enterprise key management. "Traditional PKI vendors are moving in that direction," Kindervag says, and credit card payment processors are capable of expanding their key management technologies into intellectual property and custodial data areas.

Cloud key management is also "a big trend right now" for smaller organizations that don't feel comfortable owning and managing keys, Ouellet says. Cloud providers can create private virtualized environments for small businesses and manage the technology side.

The trick to successful deployments of encryption, key management and digital rights is to make things easy for users.

"Spend quality time with self-installing packages," says Applied Materials' Archibald. "We have automated distribution of the software, and it's just a matter of having it enabled for the user. There are only two or three things an individual needs to do -- set their pass phrase, sync that to their Windows login and reboot their machine."

Collett is a Computerworld contributing writer. You can contact her at stcollett@aol.com.

Copyright © 2012 IDG Communications, Inc.
