The reason Ylönen was so frustrated is because getting senior executives to pay attention to the need for key management seems like Hercules’ task of cleaning the Augean Stables. Even partial success requires a high tolerance to bovine byproducts.
The reason is that while a variety of laws require organizations to protect their data with encryption, those laws don’t specifically require good key management.
This means that the compliance audit won’t report a key management problem unless there’s a breach, and, as we all know, many corporate senior managers believe such a thing can’t possibly happen to them.
The idea behind the UKM is to make protecting encryption keys easy and effective, so that it doesn’t require a huge staff to operate.
As we talked, Ylönen explained that a good key management system needs to be able to define policies for the use and maintenance of the keys and to track where they are located in the IT environment.
In addition, he said that a UKM should provide compliance reporting detailed enough to show how and where encryption keys were being used in the enterprise. Finally, he explained that proper key management also includes good risk assessment and reporting.
Because the SSH Universal Key Manager is a single point of management, it effectively helps make the communications environment more secure with a reduced demand on staff time.
Because it’s relatively easy and cheap to provide the level of protection that companies normally demand, the approach is easy to adopt. Providing senior managers a single and relatively easy solution to potential security woes seems like a no-brainer.
But it’s only a no-brainer if chief information security officers can get the other C-level executives to buy in to the idea that security needs improvement. Ylönen worries that they can’t be convinced. My suggestion to Ylönen is that you have to make a sacrifice of one person for everyone else to believe you.
That sacrifice will be a manager at a company that is hit with a major data breach after neglecting to adopt sensible security practices including key management. Then it becomes possible to hold that manager up as a bad example.
This worked well a few years ago when Target was breached and the company lost a third of its valuation, causing heads to roll. For a year or so, companies believed that maybe security was important. But it seems they are forgetting that lesson already.
Perhaps now that key management has become both easy and cheap, it’s the next level of accountability. Perhaps by then more executives will believe in the need for strong security.
Originally published on eWeek