For most of us the words “I told you so” are just so annoying because every time you hear them you realise they’re true. Sometimes nobody says them; it’s just that voice in your head telling you that you should slow down about thirty seconds before the speed camera flashes.
My wife is the great “I told you so” in our family; the kids hate to hear it, and so do I, but invariably she did tell us and she was right! And even this morning she’s asking me when am I planning to return to the gym, and it even comes with an upfront warning – “I don’t want to say I told you so”.
So when I read the news that Anglo Irish Bank are in serious trouble because staff have taken passwords and keys which has resulted in the bank being unable to gain access to encrypted data, there’s a certain sense of “I told you so”.
I’ve heard from various sources that the motivation behind this apparent unwillingness to return the keys for the encrypted data has to do with either attempting to hide some rather dubious practices while employed, or to use the keys as a negotiating chip for a better redundancy package. In any case the problem comes down to why employees have unfettered access to keys in the first place.
You would think that with all the warnings over the past few years, and the financial services regulations, that someone at a senior level in such an organisation would have taken steps to address key management. Obviously not, or if they did they certainly did a poor job of it.
It’s even so clearly stated in the regulations that organisations that are require to comply with, such as PCI, that it beggars belief that either an organisation does not implement controls, or that those responsible for auditing these organisations are simply paying lip service to the standards.
For example, the Payment Card Industry (PCI) clearly states that “the manner in which cryptographic keys are managed is a critical part of the continued security of the encryption solution. A good key management process, whether it is manual or automated as part of the encryption product, is based on industry standards and addresses all key elements”.
Further, it states “the encryption solution should also allow for and facilitate a process to replace keys that are known to be, or suspected of being, compromised”. And I could go on forever quoting standards, but the unwillingness of organisations to take this matter seriously, and for their CSOs, Information Security analysts, and auditors to just brush it under the carpet is simply unbelievable.
A report by Gartner entitled PCI Compliance Remains Challenging and Expensive, found that “retailers were mostly concerned about unauthorized access to their systems by insiders, not outsiders. Insiders typically caused the most damage because they know where to find sensitive corporate personal, financial account and other information” and “As you secure your enterprise systems, remember that insiders with privileged and knowledgeable access can cause significantly more damage than an outside hacker acting alone.”
In 2007 after another debacle when it came to managing keys, the PCI Standard Council were quoted as saying that “some companies are dragged into compliance kicking and screaming, but there’s nothing like the prospect of brand reputation damage and lawsuits to get them to do what’s necessary to secure systems and respond properly when there is a breach.”
Noted security Czar and encryption guru Bruce Schneier said, “that Regulation—SOX, HIPAA, GLBA, the credit-card industry’s PCI, the various disclosure laws, the European Data Protection Act, whatever—has been the best stick the industry has found to beat companies over the head with. And it works. Regulation forces companies to take security more seriously.” Really?
Quite frankly the impression I get is that in the vast majority of organisations, key management is so totally out of control that nobody is prepared to take it seriously. In fact I’m beginning to wonder if the “cloud bandwagon” and outsourcing push is just an excuse for senior executives to try and wash their hands of a problem that they have failed to address and is resulting in their organisations being exposed to significant unmanaged and unquantified risk.
Late last year I was asked to give my view on the trends for this coming year and I said, “more chief security officers will end up on the dole in 2011. Too many organisations are failing to address encryption management effectively because it is in the hands of a few staff whose prime objective is to protect their own domain rather than get a grip on key management, segregation of duties, access controls, etc.” Well maybe it’s time that these people were held accountable. The fact is that in most organisations they have absolutely no idea what’s happening at the coal face.
However the problem with key management is being exacerbated by the drive to streamline organisations. Anglo Irish Bank should serve as a wakeup call for every business. In the mad rush to increase profits, and reduce costs, it seems that company after company are determined to reduce investment in areas such as IT and Information Security.
With all the arguments about bonus payments to bankers, what seems to be getting lost in the whole discussion is that most banks are today reducing their head count in IT services. And as I understand it, most trading in the financial sector today is based on electronic trading system.
So it’s no longer the guy with the Ferrari whose the superstar on the trading floor, rather it’s the IT guy who keeps a system running that is automatically trading, and is now responsible for 80% of the trades that are made. And trust me, this is not a guy you want to upset, or if you plan to make sure that critical systems such as key management are fully automated.
It’s high time that companies took their IT security seriously and address the unmanaged and unquantified risk of who has access to the keys. It’s no longer about the data; the key is the data; and it’s not just about the size of the key, it’s about who has access to it. Now where did I put my car keys – before my wife says “I told you…”