infoTECH Feature

October 06, 2014

Managing Silos to Reduce Encryption Sprawl

Encrypting information has played a vital role in security throughout human history. In 700 B.C., the Scytale cipher tool enabled secure communications so that the Greek States could defend their lands from the Persians. The Enigma machine helped Allies crack enemy codes during World War II. Today’s Advanced Encryption Standard (AES) helps businesses keep their data safe. Several experts have in fact referred to 2014 as “The Year of Encryption.”

With the explosion of the Internet of Things, network attack surfaces have expanded significantly, creating greater risk for organizations. As a result, encryption has now come home, protecting internal IT systems. The current crop of encryption solutions tends to protect data at the cost of clarity. Encryption silos are created, and as more silos pop up, so do inconsistency and fragmentation—also known as encryption sprawl. IT teams need to get a handle on this issue quickly if they hope to maintain data safety with minimal complexity and cost.

Dealing With Silos to Reduce the Sprawl

While encryption has been a definite boon to business, its current methods of deployment pose three key questions to IT security staff. The first is: how do you measure the quality of the encryption in the individual silos? The recent Heartbleed vulnerability has served as a powerful reminder that building sound encryption technologies is not easy. Thankfully, there are certifications specifically focused on encryption and other cryptographic systems, most notably the suite of Federal Information Processing Standards (FIPS), under which products undergo evaluation by independent labs.

The second question is: how do you apply consistent policies across the silos? The critical issue here is key management. Part of the difficulty regarding key management arises from the scrutiny that key management tasks understandably come under. After all, managing secrets, keeping them secret and only providing them to legitimate users for approved functions is not simple or easy. However, some of the difficulty is operational. Poor key management policy has the potential to stop business processes or, worse still, destroy data forever. As more encryption is deployed, the difficulties surrounding key management will only deepen. As the number of keys to be managed increases, organizations are starting to seek a much more centralized key management method with standardized policies and procedures. This is a big shift – key management is effectively changing from being a feature of whatever encryption product was being used into being a product and market in its own right. An important catalyst to centralized key management is the arrival of the Key Management Interoperability Protocol (KMIP), a standard that enables all kinds of keys to be stored, distributed and backed up in a standard process. The eventual aim is the ability to administer keys from disparate encryption systems using a centralized, shared system – essentially key management as a service.

The third question: how do you protect the data as it moves between or outside the silos? Protecting data in storage or on laptops mitigates some of the risks of losing “data at rest,” but sooner or later that data moves; it is accessed by an application, shared between users or even sent to a different organization. This typically means that data is decrypted before it moves, and even if it flows over secure channels, it still creates points of vulnerability, “air gaps” where clear-text data can be picked off. The reason is simple: encryption deployed in silos means that applications in one silo can’t make sense of data that was encrypted in another. “End to end” encryption that spans multiple silos is a worthy goal, but once again, this comes down to key management and a centralized approach whereby disparate silos can access keys and therefore access data shared from elsewhere. There are examples of where this works—for example, in the area of mobile payments—but general-purpose examples are hard to find.
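The second and third questions above both come down to the same mechanism: a central key service that enforces one policy for every silo and lets ciphertext cross silo boundaries without a clear-text hop. The following is an added illustration of that mechanism, written for this article; it is not code from the article, from Thales, or from any KMIP implementation. The lifecycle states (Active, Deactivated, Destroyed) are an assumed simplification of KMIP's object states, the "deactivate before destroy" rule is this example's own policy rather than a requirement of the standard, the silo and key names are constructed, and the cipher is a toy keystream-plus-HMAC built from the standard library so the file runs offline. It stands in for a real authenticated cipher such as AES-GCM and must not be used as one.

```python
import hashlib
import hmac
import secrets

# Lifecycle states loosely modeled on KMIP object states (an assumed simplification).
ACTIVE, DEACTIVATED, DESTROYED = "Active", "Deactivated", "Destroyed"

class PolicyError(Exception):
    """Raised when a silo asks the key service for something policy forbids."""

class KeyService:
    """Central key manager: the only place key material lives and policy is decided."""
    def __init__(self):
        self._keys = {}  # key_id -> {"material": bytes, "state": str, "silos": set}

    def create(self, key_id, allowed_silos):
        self._keys[key_id] = {"material": secrets.token_bytes(32),
                              "state": ACTIVE, "silos": set(allowed_silos)}

    def deactivate(self, key_id):
        # A deactivated key may still decrypt old data but must not protect new data.
        self._keys[key_id]["state"] = DEACTIVATED

    def destroy(self, key_id):
        rec = self._keys[key_id]
        # This example's policy: deactivate first, so an in-use key cannot be wiped in one step.
        if rec["state"] != DEACTIVATED:
            raise PolicyError(f"{key_id} must be deactivated before it is destroyed")
        rec["material"], rec["state"] = None, DESTROYED

    def get_key(self, key_id, silo, purpose):
        """Release key material only to an authorised silo for a state-permitted purpose."""
        rec = self._keys[key_id]
        if silo not in rec["silos"]:
            raise PolicyError(f"{silo} is not authorised to use {key_id}")
        if purpose == "encrypt" and rec["state"] != ACTIVE:
            raise PolicyError(f"{key_id} is {rec['state']}; it may not protect new data")
        if purpose == "decrypt" and rec["state"] not in (ACTIVE, DEACTIVATED):
            raise PolicyError(f"{key_id} is {rec['state']}; data under it cannot be recovered")
        return rec["material"]

def _keystream(key, nonce, length):
    """Toy keystream (HMAC-SHA256 over a counter); stands in for a real cipher such as AES-GCM."""
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def toy_encrypt(key, plaintext):
    """Encrypt-then-MAC with the toy keystream; output is nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def toy_decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext failed authentication")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

class Silo:
    """An application or storage system that keeps no key material of its own."""
    def __init__(self, name, service):
        self.name, self.service = name, service

    def protect(self, key_id, data):
        return toy_encrypt(self.service.get_key(key_id, self.name, "encrypt"), data)

    def reveal(self, key_id, blob):
        return toy_decrypt(self.service.get_key(key_id, self.name, "decrypt"), blob)

def _denied(action):
    try:
        action()
    except PolicyError:
        return True
    return False

def demo():
    """Walk two silos through one shared key's lifecycle and report each policy outcome."""
    svc = KeyService()
    key = "hr-records-2014"  # constructed key name
    svc.create(key, allowed_silos={"hr-db", "payroll-app"})
    hr, payroll, marketing = Silo("hr-db", svc), Silo("payroll-app", svc), Silo("marketing", svc)
    record = b"employee 1234: salary band C"  # constructed sample record
    blob = hr.protect(key, record)  # encrypted once, inside the HR silo
    outcome = {
        "shared_without_cleartext_hop": payroll.reveal(key, blob) == record,
        "unauthorised_silo_denied": _denied(lambda: marketing.reveal(key, blob)),
        "destroy_active_key_blocked": _denied(lambda: svc.destroy(key)),
    }
    svc.deactivate(key)  # rotation: retire the key for new data
    outcome["encrypt_after_deactivate_denied"] = _denied(lambda: hr.protect(key, record))
    outcome["decrypt_after_deactivate_ok"] = payroll.reveal(key, blob) == record
    svc.destroy(key)  # irreversible: ciphertext under this key is now unrecoverable
    outcome["data_gone_after_destroy"] = _denied(lambda: payroll.reveal(key, blob))
    return outcome
```

Running `demo()` returns every outcome as `True`: the ciphertext produced in the HR silo is read directly by the payroll silo because both fetch the same key from the service, the marketing silo is refused, a deactivated key still recovers old data but cannot protect new data, and once the key is destroyed the data is gone for good, which is exactly the operational hazard the article attributes to poor key management policy. The design point is that no silo ever holds a key of its own; every authorisation and lifecycle decision is made in one place and applies uniformly.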

Taming the Beast

Encryption is a fantastic way to help secure data – if used properly. Used improperly, encryption creates a false sense of safety and lulls IT security teams into a dangerous complacency. A well thought-out encryption strategy recognizes that some amount of encryption sprawl is inevitable and yet manageable. Effective, consistent key management coupled with the use of certified solutions and centralized policy and controls will help organizations reduce the risk of data loss as they move through the threat-riddled digital landscape.

As Vice President of Product Management and Strategy, Richard Moulds contributes his well-respected data protection expertise and thought leadership to the information technology security activities of Thales. He has worked alongside the Ponemon Institute for 10 years developing the annual Global Encryption Trends Study. https://www.thales-esecurity.com/

Edited by Stefania Viscusi