The challenge of encryption key management is one of the greatest for businesses looking to commit to enterprise-wide protection.
Talking to SC Magazine this week, Jamie Cowper, principal product marketing manager for encryption and data loss prevention at Symantec, said that managing encryption is one of the challenges faced by businesses and often, people underestimate the operational difficulties of using encryption.
He said: “If you do encrypt everything, how do you recover it when you need it? If an auditor says ‘show me that email from the 3rd January 2003' or a lawyer wants access to a Word document from five years ago, whatever it is, is there a good process in place to decrypt? As much as it is about encryption, it is about the decryption.
“PGP support will get a call on a weekly basis from someone who is using a single unmanaged instance of encryption on a hard drive and cannot remember the pass phrase. The reality is unless you have good key management and backup and structure around it, then the answer is not, as we do not make encryption solutions with compromises in them.
“You need that infrastructure to enable things like helpdesk to help people recover for when users forget their credentials and to help users manage in an automated way so that you have to build a team of people to manage your encryption, which no one can afford to do.”
Talking recently with encryption company Thales, director of technical strategy Jon Geater said that database encryption was getting more popular as companies are looking to change and it is useful to know all of the options.
He told SC Magazine: “A trap that people fall into is one of locking up everything so no one will get at it, but you want to get back at it as do the regulators and there is a growing trend of spoliation. It is not allowed if you give encrypted data without a key.
What happens if the chief financial officer says get rid of the system admin who has encrypted all of the stuff? They have control over the key management system.”
Talking on user deployment of encryption technologies, Cowper said that is a reason why cloud-based services are attractive to a lot of companies, because the level of need for expertise in-house is removed.
He said: “However you have to manage more in-house with service level agreements and what expectation you have of your cloud provider when it comes to security issues. When you look at the larger organisations and the issue of encryption, a lot of people want to keep it in house and want to at least own the keys, if not the encryption processes.”
Asked if it was attractive for smaller companies, he said: “You can get a disk encryption solution managed by a third party, whether it is your ISP or someone else. We would expect the market to go down the same route as it has with other security applications. If you look at hosted services and hosted endpoints, it is all about the choices and the idea that if people want on-premise then that is great, or if they want off-premise then that is great or it can be a combination, then it should be available.”
Research this week by Symantec and the Ponemon Institute revealed that the most important feature for encryption solutions is the automation of key encryption management activities and management of encryption keys. In total 69 per cent agreed with this, while 46 per cent said it was the management of encryption over the widest possible range of applications.