Is Key Management The New Compliance?

It is an inescapable fact these days that information security and compliance swim together in the collective minds of many enterprises, and it follows that adoption of information security technologies is related to how well they solve compliance issues.

After all, an organisation could spend a lot of money buying every security product it can find and still not be bullet-proof for one reason or another (and even if it were highly secure, the economics of such spending simply do not make sense), so it needs guidance on what is needed and what is appropriate. For that guidance, organisations often turn to their industry compliance standards.

Compliance may lag security?

On one hand this is very reasonable but it does often mean that things are driven the wrong way round: compliance projects drive security initiatives, implementing little more than the minimum security required by the letter of the compliance standard.

Typically, therefore, mainstream security adoption only catches up with best practice as the compliance mandates are updated.

And so we have seen with information security over the past decade or so. At one time the firewall was everything: the impregnable ring of steel that kept all the good stuff in and the bad guys out. But then rich content and Web applications started appearing and no amount of user education could stop those tempting email attachments from being opened so additional defences such as corporate antivirus and password management gained popularity.

At the same time businesses and individuals started to share more and more information across virtual boundaries and compliance mandates around data confidentiality started to emerge, so encryption entered the mainstream. And now finally, a few years on, the experience with encryption and some high-profile embarrassments have led to the realisation that key management is all-important.

Encryption alone is not a silver bullet. Signing high-value assets with software keys does not protect the global community. You have to treat keys and crypto with respect.

The keys are the security

For those of us in the industry this is obvious: the keys are the security. Sadly though the evidence suggests that many mainstream deployments of encryption and signing don’t adopt best-practice key management. Software key storage or lax access control, poor selection of keys and protocols and thefts of key material are frequently making the news at the moment alongside data breach notifications.

This shouldn’t be surprising: by definition the mainstream cannot be experts in cryptography. But that’s no excuse: the security industry and individual industry regulators have a responsibility to fix this.

Happily things are starting to look up. Compliance mandates which had once focussed on encryption are now being updated to look much more closely at key management practice.

From PCI-DSS (updated late 2010 and continuing into 2011 with explicit focus on key management) to the more traditional world of US Federal government, for instance FIPS 140-2 (big PDF), which already did fairly well on key management, we see increased sophistication in the specification of key management requirements.

Data breach notification rules (such as those in Nevada) have been explicitly and carefully updated to move from simple and naïve password encryption requirements to explicit requirements on key management, with the realisation that encryption is flawed without proper management of keys.

Key management becomes the norm

In many cases these changes are made to improve the security of systems and actually reduce the risk of breaches (such as the recommendation to use hardware devices), but in other cases this new understanding enables business agility as standards and technologies such as OASIS KMIP (Key Management Interoperability Protocol) make their way into the documents.

So now the secret’s out: everyone knows about key management and simply encrypting data won’t be enough anymore. Over the coming months and years I expect the quality of key storage, access control and management to come under increasing scrutiny in all areas of the information society, and for lax key management to become viewed as a fault, not an innocent mistake.

If you want to comply, you’d better start managing those keys.

Jon Geater is director of technical strategy at electronics and security group Thales, which will be exhibiting at Infosecurity Europe 2011, on 19-21 April, at Earl’s Court, London.
