How To Protect The Encryption Keys To Your Kingdom
ANALYSIS: Encryption keys are wonderful things that allow your organisation to conduct secure communications without issue, as long as you have control of them
The reason Ylönen was so frustrated is because getting senior executives to pay attention to the need for key management seems like Hercules’ task of cleaning the Augean Stables. Even partial success requires a high tolerance to bovine byproducts.
The reason is that while a variety of laws require organizations to protect their data with encryption, those laws don’t specifically require good key management.
This means that the compliance audit won’t report a key management problem unless there’s a breach and as we all know many corporate senior managers believe such a thing can’t possibly happen to them.
Talking encryption
But of course it can. To help combat the resistance to adopting sensible key management, SSH Communications Security developed what Ylönen was calling a Universal Key Manager.
The idea behind the UKM is to make protecting encryption keys easy and effective, so that it doesn’t require a huge staff to operate.
As we talked, Ylönen explained that a good key management system needs to be able to define policies for the use and maintenance of keys and to track where those keys live in the IT environment.
In addition, he said that a UKM should provide compliance reporting detailed enough to show how and where encryption keys were being used in the enterprise. Finally, he explained that proper key management also includes good risk assessment and reporting.
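The three capabilities Ylönen lists (policy, inventory of where keys live, and reporting detailed enough for an auditor) can be shown in miniature. What follows is an added example, not code from the article or from SSH Communications Security's product: a small Python audit that reads an OpenSSH `authorized_keys` file body, records each key's type, size, fingerprint and owner comment, and checks it against a policy. The policy thresholds (`MIN_RSA_BITS`, the deprecated type list, requiring a `from=` restriction and an owner comment) are assumptions chosen for the example, and the sample keys are synthetic blobs built in the real SSH wire encoding, not real keys.

```python
"""Inventory and policy check of SSH authorized_keys entries.

Added example (not the article's or SSH Communications Security's code).
It assumes the managed keys are OpenSSH user keys and that the policy
thresholds below are the organisation's own choices.
"""
import base64
import hashlib
import struct

MIN_RSA_BITS = 3072                      # policy assumption for this example
DEPRECATED_TYPES = {"ssh-dss"}           # policy assumption for this example
KEY_TYPES = {
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}


def _split_fields(line):
    """Split on unquoted whitespace; option values like from="a b" stay whole."""
    fields, cur, quoted = [], [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
            cur.append(ch)
        elif ch.isspace() and not quoted:
            if cur:
                fields.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        fields.append("".join(cur))
    return fields


def _read_string(buf, off):
    """Read one SSH wire-format string (uint32 big-endian length + bytes)."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


def fingerprint(blob):
    """OpenSSH-style SHA256 fingerprint of the raw public key blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_entry(line):
    """Parse one authorized_keys line into an inventory record with findings."""
    fields = _split_fields(line)
    if len(fields) >= 2 and fields[0] in KEY_TYPES:
        options, keytype, b64, rest = "", fields[0], fields[1], fields[2:]
    elif len(fields) >= 3 and fields[1] in KEY_TYPES:
        options, keytype, b64, rest = fields[0], fields[1], fields[2], fields[3:]
    else:
        raise ValueError("not an authorized_keys entry: %r" % line)
    blob = base64.b64decode(b64)
    wire_type, off = _read_string(blob, 0)
    rec = {"type": keytype, "bits": None, "fingerprint": fingerprint(blob),
           "options": options, "comment": " ".join(rest), "findings": []}
    if wire_type.decode() != keytype:
        rec["findings"].append("declared type %s does not match blob type %s"
                               % (keytype, wire_type.decode()))
    if keytype == "ssh-rsa":
        _e, off = _read_string(blob, off)         # public exponent, not needed
        n, _ = _read_string(blob, off)            # modulus as an mpint
        rec["bits"] = int.from_bytes(n, "big").bit_length()
        if rec["bits"] < MIN_RSA_BITS:
            rec["findings"].append("RSA modulus %d bits < %d" % (rec["bits"], MIN_RSA_BITS))
    if keytype in DEPRECATED_TYPES:
        rec["findings"].append("deprecated key type %s" % keytype)
    if "from=" not in options:
        rec["findings"].append("no source restriction (from=)")
    if not rec["comment"]:
        rec["findings"].append("no owner comment; key cannot be attributed")
    return rec


def audit(text):
    """Audit every key line of an authorized_keys body; skip blanks and comments."""
    return [parse_entry(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


# --- constructed sample input: synthetic blobs, not real keys ----------------
def make_blob(keytype, *fields):
    """Pack strings in SSH wire format (real encoding, synthetic contents)."""
    return b"".join(struct.pack(">I", len(f)) + f
                    for f in (keytype.encode(),) + fields)


def make_rsa_blob(nbits):
    """ssh-rsa blob whose fake modulus has exactly nbits (top bit set)."""
    n = ((1 << (nbits - 1)) | 1).to_bytes(nbits // 8, "big")
    if n[0] & 0x80:                       # mpint rule: leading 0x00 keeps it positive
        n = b"\x00" + n
    return make_blob("ssh-rsa", (65537).to_bytes(3, "big"), n)


def _b64(blob):
    return base64.b64encode(blob).decode()


SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample file for this example",
    "ssh-rsa " + _b64(make_rsa_blob(2048)) + " legacy-deploy@build01",
    'from="10.0.0.0/8",no-pty,command="/usr/local/bin/backup" ssh-rsa '
    + _b64(make_rsa_blob(4096)) + " backup@nas",
    "ssh-ed25519 " + _b64(make_blob("ssh-ed25519", b"\x11" * 32)),
    "ssh-dss " + _b64(make_blob("ssh-dss", b"\x00" * 8)) + " old-admin",
])

if __name__ == "__main__":
    for rec in audit(SAMPLE_AUTHORIZED_KEYS):
        print(rec["type"], rec["bits"], rec["fingerprint"], rec["comment"] or "<no owner>")
        for finding in rec["findings"]:
            print("   !", finding)
```

Run as a script it prints one inventory line per key followed by its policy findings; the records returned by `audit()` are what a compliance report or a risk score would be built from. Fingerprints rather than raw blobs are the natural join key for tracking the same public key across many hosts, which is the "where are the keys" question the text raises.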
Because the SSH Universal Key Manager is a single point of management, it effectively helps make the communications environment more secure with a reduced demand on staff time.
Because it is relatively easy and cheap to provide the level of protection that companies normally demand, the approach is easy to adopt. Giving senior managers a single, relatively simple solution to potential security woes seems like a no-brainer.
But it’s only a no-brainer if chief information security officers can get the other C-level executives to buy into the idea that security needs improvement. Ylönen worries that they can’t be convinced. My suggestion to Ylönen is that you have to make a sacrifice of one person for everyone else to believe you.
That sacrifice will be a manager at a company that is hit with a major data breach after neglecting to adopt sensible security practices including key management. Then it becomes possible to hold that manager up as a bad example.
This worked well a few years ago when Target was breached and the company lost a third of its valuation, causing heads to roll. For a year or so, companies believed that maybe security was important. But it seems they are forgetting that lesson already.
Perhaps now that key management has become both easy and cheap, it’s the next level of accountability. Perhaps by then more executives will believe in the need for strong security.
Originally published on eWeek