Enterprises Challenged By Encryption Key Management

In an age of compliance regulations and a growing awareness of the costs of a data breach, encrypting data has become a key part of many enterprise security plans. But encrypting data has little value if an organisation loses track of encryption keys.

And it is that last part that a recent survey by key management vendor Venafi suggested is a problem for many organisations out there. In a survey of 471 enterprise managers and executive, the firm found 54 percent either had unaccounted for or stolen encryption keys or were uncertain if they did. When it came to digital certificates, the figure was 51 percent.

Bad Management Leads To Lost Keys

According to the survey, 46 percent of respondents said they are managing at least 1,000 digital encryption certificates, and 20 percent are managing more than 10,000. Additionally, 83 percent are managing technologies from at least two different certificate authorities (CAs). Eighteen percent deal with more than five CAs.

“The encryption eco-system that has developed over time has gotten too complex. Departments, even individuals, contract separately with Microsoft, Verisign, RSA, Entrust, or use open source encryption tools and certificate generation tools,” Stiennon said. “They never had a central policy and each new project managed their own use of certs. In an environment like that it is hard to gain control and not lose track of certificates.”

Venafi’s answer to all this is its Encryption Director 6, which the company released this week. It combines management for a wide range of digital certificates and encryption keys.

“While digital certificates and their associated encryption keys are leveraged heavily for mission-critical applications, they do not come without overhead,” said Jeff Hudson, CEO of Venafi. “Once a certificate is installed and in use, it is easy to forget about, lose track of, or have the responsible administrator move on to another project or position. All certificates have expiration dates. Applications and processes that are relying on the certificate for security or trust stop functioning when a certificate expires.”

“Because most corporations have hundreds or thousands of certificates in use that are being managed manually, unplanned system outages are increasingly common and can have disastrous effect,” he added.

The Venafi statistics seemed on the low side to Richard Stiennon, chief research analyst at IT-Harvest.

“Without a good management tool I cannot see how a large organisation could keep track of all of their certificates,” he said. “Those that answered that they had not experienced a loss of either certs or keys just don’t know, is my guess. Just laptop theft alone could lead to loss of keys.”

To Hudson, the proliferation of sensitive data and the increasing sophistication of attackers mean organisations need to be more diligent in their security, and that has to include managing encryption keys and digital certificates.

“Today, nearly every enterprise application and IT system has been encryption key and certificate enabled,” he said. “While this has delivered greater security capabilities than ever before, the complexity of utilising this encryption capability has created a significant increase in security and operational risk.”