The reason Ylönen was so frustrated is because getting senior executives to pay attention to the need for key management seems like Hercules’ task of cleaning the Augean Stables. Even partial success requires a high tolerance to bovine byproducts.
The reason is that while a variety of laws require organizations to protect their data with encryption, those laws don’t specifically require good key management.
This means that the compliance audit won’t report a key management problem unless there’s a breach, and as we all know, many corporate senior managers believe such a thing can’t possibly happen to them.
The idea behind the UKM is to make protecting encryption keys easy and effective, so that it doesn’t require a huge staff to operate.
As we talked, Ylönen explained that a good key management system needs to be able to define policies for the use and maintenance of keys and to track where those keys live in the IT environment.
In addition, he said that a UKM should provide compliance reporting detailed enough to show how and where encryption keys were being used in the enterprise. Finally, he explained that proper key management also includes good risk assessment and reporting.
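To make those requirements concrete, here is an added example (not the UKM's code, and not from the original article) of what a minimal key-inventory check does: it parses collected `authorized_keys` lines from a hypothetical set of hosts, records where each key fingerprint is authorised, applies a small policy (no `ssh-dss`, root keys must carry a `from=` restriction, one key should not be trusted on several accounts) and returns the findings a compliance report would list. The hosts, accounts and key blobs are constructed sample data, not real keys.

```python
import base64
import hashlib
from collections import defaultdict

# Constructed sample: authorized_keys contents an inventory agent might collect
# from two hosts (hypothetical hosts and accounts, base64 blobs are not real keys).
INVENTORY = {
    "db01": {"app": [
        'from="10.0.1.5" ssh-ed25519 a2V5LW9uZQ== deploy@ci',
        'ssh-dss a2V5LXR3bw== legacy@old-box',
    ]},
    "web01": {"root": [
        'ssh-ed25519 a2V5LW9uZQ== deploy@ci',
        'command="/usr/bin/rsync" ssh-rsa a2V5LXRocmVl backup@nas',
    ]},
}

ALLOWED_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}  # policy: assumed

def parse_line(line):
    """Split one authorized_keys line into options, key type, fingerprint, comment."""
    tokens = line.split()
    for i, tok in enumerate(tokens):
        if tok.startswith(("ssh-", "ecdsa-")):   # first token that names a key type
            digest = hashlib.sha256(base64.b64decode(tokens[i + 1])).digest()
            fp = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
            return {"options": " ".join(tokens[:i]), "type": tok,
                    "fingerprint": fp, "comment": " ".join(tokens[i + 2:])}
    raise ValueError("unrecognised authorized_keys line: " + line)

def audit(inventory):
    """Return (findings, locations): policy violations and where each key is trusted."""
    findings, locations = [], defaultdict(list)
    for host, users in inventory.items():
        for user, lines in users.items():
            for line in lines:
                k = parse_line(line)
                where = f"{user}@{host}"
                locations[k["fingerprint"]].append(where)
                if k["type"] not in ALLOWED_TYPES:
                    findings.append((where, k["fingerprint"], "forbidden key type " + k["type"]))
                if user == "root" and "from=" not in k["options"]:
                    findings.append((where, k["fingerprint"], "root key without from= restriction"))
    for fp, places in locations.items():     # the same key trusted in several places
        if len(places) > 1:
            findings.append((",".join(places), fp, "same key authorised on multiple accounts"))
    return findings, locations

if __name__ == "__main__":
    for where, fp, reason in audit(INVENTORY)[0]:
        print(f"{where:<22} {fp}  {reason}")
```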
Because the SSH Universal Key Manager is a single point of management, it effectively helps make the communications environment more secure with a reduced demand on staff time.
Since it’s relatively easy and cheap to provide the level of protection that companies normally demand, the UKM should also be easy to adopt. Providing senior managers a single and relatively easy solution to potential security woes seems like a no-brainer.
But it’s only a no-brainer if chief information security officers can get the other C-level executives to buy into the idea that security needs improvement. Ylönen worries that they can’t be convinced. My suggestion to Ylönen is that you have to make a sacrifice of one person for everyone else to believe you.
That sacrifice will be a manager at a company that is hit with a major data breach after neglecting to adopt sensible security practices including key management. Then it becomes possible to hold that manager up as a bad example.
This worked well a few years ago when Target was breached and the company lost a third of its valuation, causing heads to roll. For a year or so, companies believed that maybe security was important. But it seems they are forgetting that lesson already.
Perhaps now that key management has become both easy and cheap, it’s the next level of accountability. Perhaps by then more executives will believe in the need for strong security.
Originally published on eWeek