Is Key Management The New Compliance?

Compliance standards now recognise that encryption is no good unless the keys are managed, says Jon Geater. Better start doing that!

It is an inescapable fact these days that information security and compliance swim together in the collective minds of many enterprises, and it follows that adoption of information security technologies is related to how well they solve compliance issues.

After all, an organisation could spend a great deal of money buying every security product it can find and still not be bullet-proof, for one reason or another (and even if it were highly secure, the economics of such spending simply would not make sense), so it needs guidance on what is needed and what is appropriate. For that guidance, organisations often turn to their industry compliance standards.

Compliance may lag security?

On one hand this is very reasonable, but it often means that things are driven the wrong way round: compliance projects drive security initiatives, implementing little more than the minimum security required by the letter of the compliance standard.

Typically, therefore, mainstream security adoption only catches up with best practice as the compliance mandates are updated.

And so it has been with information security over the past decade or so. At one time the firewall was everything: the impregnable ring of steel that kept all the good stuff in and the bad guys out. But then rich content and Web applications started appearing, and no amount of user education could stop those tempting email attachments from being opened, so additional defences such as corporate antivirus and password management gained popularity.

At the same time businesses and individuals started to share more and more information across virtual boundaries and compliance mandates around data confidentiality started to emerge, so encryption entered the mainstream. And now finally, a few years on, the experience with encryption and some high-profile embarrassments have led to the realisation that key management is all-important.

Encryption alone is not a silver bullet. Signing high-value assets with keys that live in software does nothing for the community that relies on those signatures once the key has been copied: whoever can read the key from the host can sign as you. You have to treat keys and crypto with respect.

The keys are the security

For those of us in the industry this is obvious: the keys are the security. Sadly, though, the evidence suggests that many mainstream deployments of encryption and signing do not follow best-practice key management. Keys stored in software, lax access control, poor choice of keys and protocols, and outright theft of key material are frequently making the news at the moment alongside data breach notifications.
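What the opposite of those failures looks like in code, as an added illustration that is not from the article or from Thales: a small in-process key store that keeps key-encryption keys (KEKs) behind an access-control boundary, hands applications only wrapped data keys, writes every decision to an audit trail and rotates the KEK without ever exposing a data key, plus a crude check for the "poor choice of keys" failure. The wrap primitive is a toy encrypt-then-MAC built from HMAC-SHA256 so the example runs with no dependencies; the principal names, policy and key sizes are assumptions. A production deployment would hold the KEK in an HSM or KMS and use a standard key-wrap mode.

```python
"""Added illustration of key-management hygiene (not code from the article or
from Thales). Dependency-free: the wrap primitive is a toy AEAD built from
HMAC-SHA256 so the example runs anywhere; a real deployment keeps the KEK in
an HSM or KMS and uses a standard key-wrap mode."""
from __future__ import annotations

import hashlib
import hmac
import secrets
import string


class AccessDenied(PermissionError):
    """Raised when a principal asks the key store for an operation it may not perform."""


def audit_key_material(key: bytes) -> list[str]:
    """Cheap sanity checks for 'poor choice of keys'. Returns a list of findings.
    Catches only the crude cases: a password hashed once still passes."""
    findings = []
    if len(key) < 16:
        findings.append(f"only {len(key) * 8} bits; expect at least 128")
    if key and all(chr(b) in string.printable for b in key):
        findings.append("entirely printable text; looks like a password used as a key")
    if key and len(set(key)) < min(len(key), 16) // 2:
        findings.append("low byte diversity; not the output of a CSPRNG")
    return findings


def _subkey(kek: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys so the two uses never share key material.
    return hmac.new(kek, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    for counter in range((n + 31) // 32):
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


def wrap(kek: bytes, plaintext_key: bytes) -> bytes:
    """Toy encrypt-then-MAC key wrap: returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(_subkey(kek, b"enc"), nonce, len(plaintext_key))
    ct = bytes(a ^ b for a, b in zip(plaintext_key, ks))
    tag = hmac.new(_subkey(kek, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(kek: bytes, blob: bytes) -> bytes:
    """Verify the tag (constant-time) before touching the ciphertext."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(kek, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrapped key failed its integrity check")
    ks = _keystream(_subkey(kek, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


class KeyStore:
    """Holds key-encryption keys behind an access-control boundary.

    Applications never see a KEK: they get a data key together with a wrapped
    copy, persist only the wrapped copy, and return here as an authorised
    principal when they need the data key again. Every decision is audited.
    Wrapped blobs carry a 2-byte KEK version so rotation is non-destructive.
    """

    def __init__(self, policy: dict[str, set[str]]):
        self._policy = policy                       # operation -> principals allowed (assumed names)
        self._keks = {1: secrets.token_bytes(32)}   # version -> KEK; generated, never derived from a password
        self._current = 1
        self.audit_trail: list[tuple[str, str, str]] = []

    def _authorise(self, principal: str, op: str) -> None:
        allowed = principal in self._policy.get(op, set())
        self.audit_trail.append((op, principal, "ok" if allowed else "denied"))
        if not allowed:
            raise AccessDenied(f"{principal} is not permitted to {op}")

    def _wrap_current(self, dek: bytes) -> bytes:
        return self._current.to_bytes(2, "big") + wrap(self._keks[self._current], dek)

    def new_data_key(self, principal: str) -> tuple[bytes, bytes]:
        """Return (plaintext DEK, wrapped DEK). Only the wrapped form should be stored."""
        self._authorise(principal, "generate")
        return (dek := secrets.token_bytes(32)), self._wrap_current(dek)

    def unwrap_data_key(self, principal: str, blob: bytes) -> bytes:
        self._authorise(principal, "unwrap")
        version = int.from_bytes(blob[:2], "big")
        if version not in self._keks:
            raise ValueError(f"KEK version {version} is unknown to this store")
        return unwrap(self._keks[version], blob[2:])

    def rotate_kek(self, principal: str) -> int:
        """Introduce a new KEK; older versions stay unwrap-only so existing blobs keep working."""
        self._authorise(principal, "rotate")
        self._current += 1
        self._keks[self._current] = secrets.token_bytes(32)
        return self._current

    def rewrap(self, principal: str, blob: bytes) -> bytes:
        """Move a stored blob onto the current KEK. The DEK never leaves the store."""
        self._authorise(principal, "rotate")
        version = int.from_bytes(blob[:2], "big")
        return self._wrap_current(unwrap(self._keks[version], blob[2:]))
```

The point is the boundary, not the cipher: the application holds a DEK only while it is using it and persists only the wrapped copy, so a dump of its database or source code yields nothing usable without a trip through the store as an authorised principal, and that trip is on the audit trail. Rotation keeps retired KEK versions for unwrapping only, so nothing is lost while blobs are rewrapped. The cheap audit check has a clear limit: `hashlib.sha256(b"Passw0rd")` passes it and is still a dictionary-sized keyspace, which is why key generation above comes from the CSPRNG and not from anything a human chose.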

This shouldn’t be surprising: by definition the mainstream cannot be experts in cryptography. But that’s no excuse: the security industry and individual industry regulators have a responsibility to fix this.

Happily things are starting to look up. Compliance mandates which had once focussed on encryption are now being updated to look much more closely at key management practice.

From PCI-DSS (updated late 2010 and continuing into 2011, with an explicit focus on key management) to the more traditional world of the US Federal government, for instance FIPS 140-2 (big PDF), which already did fairly well on key management, we see increased sophistication in the specification of key management requirements.

Data breach notification rules (such as those in Nevada) have been explicitly and carefully updated to move from simple and naïve password encryption requirements to explicit requirements on key management, with the realisation that encryption is flawed without proper management of keys.

Key management becomes the norm

In many cases these changes are made to improve the security of systems and actually reduce the risk of breaches (for example the recommendation to hold keys in hardware devices), but in other cases this new understanding enables business agility, as standards and technologies such as OASIS KMIP (Key Management Interoperability Protocol) make their way into the documents.

So now the secret’s out: everyone knows about key management and simply encrypting data won’t be enough anymore. Over the coming months and years I expect the quality of key storage, access control and management to come under increasing scrutiny in all areas of the information society, and for lax key management to become viewed as a fault, not an innocent mistake.

If you want to comply, you’d better start managing those keys.

Jon Geater is director of technical strategy at electronics and security group Thales, which will be exhibiting at Infosecurity Europe 2011, on 19-21 April, at Earl’s Court, London.