The only things certain in life are death, tax and encryption keys

Every so many weeks around dinner time, the phone rings and it’s somebody asking me if I’m interested in changing some insurance policy or other. Now I don’t know about you, but I think like most people I have more insurance policies than I know what to do with.

I have house, car, health, life, pension, travel, contents, accident, glass, legal aid, and mortgage insurance – I think, and I’m assuming the wife knows where they all are. I certainly don’t. In fact, I’m probably paying more than one insurance policy for certain items!

And of course the first question on the call is if I happen to know the expiry date of the policies. Of course not – I don’t even know which company is insuring me. Then the next question is what I pay for specific policies. Answer – lots because my bank account is empty every month!

It all started out very simply years ago when I got my first car. But then stuff happens such as marriage, kids, mortgage, etc., and before you know it you are implementing policies to cover every eventuality!

Back in the mid 70s when I first entered the IT world, the use of encryption in enterprises was pretty much unheard of. The highlight of the week for me was printing the paychecks for the company. This was when we began to understand the power of the IT person – we knew exactly what everyone took home.

Soon companies started to introduce some encryption in limited instances, and my first experience was using encoders on communication lines to encrypt financial transactions. In fact, the first place I saw this used was for connection to the SWIFT network.

A painful process of having two people at each end key in a sequence of numbers, push a button and hoping the box would sync – a process that could take hours! A major breakthrough in the 90’s saw the rapid expansion of the use of encryption with the arrival of asymmetric key encryption. And asymmetric encryption gave birth to two technologies that are now found in every corner of the enterprise: SSH and SSL.

Critical company information and communications are protected by keys and certificates, and ineffective management of keys and certificates is the single biggest reason why companies experience data security breaches. And this applies not just too symmetric keys, but to all cryptographic keys, including private keys, asymmetric keys SSH keys, and certificates.

Symmetric key technology is still widely used today for the protection of data at rest, and SSH and SSL are the de-factor standards for data in motion. In the case of symmetric key encryption there are no de-facto standards with the result that most storage vendors such as IBM, HP, EMC, etc., provide proprietary solutions.

The result is that until now key management has been segregated into different silos. IT staff manage storage keys, UNIX administrators will manage SSH keys, and SSL keys are loosely managed by security staff because the SSL keys tend to be found in securing nearly every part of the infrastructure, from the load balancer/off-loaders through web servers right through to back end systems such as Websphere.

In all three areas, a variety of attempts have been made to introduce key management to address the specific management and oversight limitations, but these have all tended to be developed, supported and sold by companies whose core business is to provide cryptography solutions. As a result companies have been faced with the daunting task of replacing their existing encryption technology with a vendor-specific solution which in many instances is just simply not viable or requires an extensive and therefore costly rip-and-replace approach.

It’s All About The Keys!

“They want what you’ve got! The decryption key, they want the key! The data is worthless without the key!” NCIS Los Angeles “- Archangel” Episode January 18, 2011. Today data encryption has permeated every facet of life. It’s in every corner of the IT infrastructure, and is a de-facto requirement in every business sector, as evidenced by references in popular culture. Whether it is Anglo Irish Bank’s missing encryption keys, Stuxnet, Playstation 3 or Fedora; hardly a day goes by without yet another story related to encryption and keys.

The encryption keys used to secure data have become the “keys to the kingdom.” The key (and not the data itself) becomes the entity that must be safeguarded. Manually managing the lifecycle of these encryption certificates and keys and the systems that rely on them is impossible and increases security vulnerabilities.

Given that nearly every enterprise application and IT system has been encryption key and certificate enabled. While this delivers greater security capabilities than ever before, the complexity of utilizing this encryption capability has created a significant increase in security and operational risk.

It is therefore essential that organisations take a much broader approach to handling the complexities of managing encryption keys and digital certificates. In addition to automating the creation and management of keys and certificates, such an approach includes configuring the applications that use encryption, policy-based management and enforcement, comprehensive tools to monitor and report on status, workflow, notifications, audit and more. This complete approach results in improved data security, system uptime, operational efficiency and regulatory compliance.

To date, many organisations have relied on manual processes or adopted siloed point solutions for managing their encryption assets. It is increasingly important to target more automated, enterprise-wide encryption management strategies.

The cost of preventative measures—including automated management tools—is often far less than the total cost of a breach, particularly when long-term costs like lost business opportunities are considered. According to The Ponemon Institute’s 2010 Cost of a Data Breach Study, “The investment required to prevent a data breach is dwarfed by the resulting costs of a breach, with an average breach costing in excess of £4 million…”, and never mind the reputational damage.

And as I contemplate my insurance policies, I’ve just remembered that we now have funeral insurance. Benjamin Franklin was quoted as saying that, “The only things certain in life are death and taxes.” But we can also add that the expiration and loss of encryption keys is also guaranteed. So it seems to me that it makes sense to have some insurance and implement effective key management – or it might just be somebody’s funeral!

Calum MacLeod has over 30 years of expertise in secure networking technologies, and as EMEA Director for Venafi is responsible for developing their business across Europe providing solutions in the automated encryption management arena including certificate management and enterprise key management. Before joining Venafi, Calum worked for Tufin Technologies growing their lifecycle security management business across Europe and South Africa and previous to this worked for Cyber-Ark and AEP where he was responsible for leading some of the early SSL VPN projects in Europe. Calum has also served as an independent consultant to corporate and government clients on IT security strategy for various European market segments, including the European Commission.