It's Time For An Enterprise Encryption Strategy

Long overdue and increasingly needed

A few years ago, I began writing and talking about data encryption management problems on the horizon. I was right about the issues but a bit aggressive on the timing. Based on what I'm seeing lately, however, the encryption management sky may finally be falling (or at least starting to fall).

Let me be a bit more specific about the issue at hand. Large organizations really started encrypting data in earnest over the last 5-7 years. Regulatory compliance was a big driver, and publicly disclosed breaches only fueled the fire. As this was happening, CPU performance increased and cryptographic processor pricing decreased. These technical and economic trends helped remove the traditional stigmas about encryption: that it's too costly and that it's a performance hog. Faster, cheaper encryption technology led to encryption integration (i.e., cryptographic processors in tape drives, network appliances, disk drives, etc.). Voila, more encryption in all technologies.

Fast forward to 2012, and encryption technology is deployed throughout the enterprise in various shapes and forms. Therein lies the problem, my friends. Risk/compliance officers, security professionals, and functional IT staff acted independently and implemented encryption technologies on an ad-hoc basis: no standards, no centralized command-and-control, no consistent monitoring and auditing. Nada.

This tactical approach creates obvious operational problems around redundant tasks and processes, but there is a much bigger problem here, and it stems from disorganized, informal, and haphazard key management. Think CIA (confidentiality, integrity, and availability). Encrypted data is only as confidential as its key: if one key is shared across systems and known to everyone, anyone who holds it can decrypt the data, and can just as easily alter it and re-encrypt it, so integrity goes out the window along with confidentiality. Finally, if the key management server is attacked or corrupted and the keys exist nowhere else, say goodbye to your data, forever.

So what's needed:

1.  Central policy management/command-and-control/key management

2.  Distributed non-disruptive encryption enforcement

3.  Formal and documented key management best practices

Vendors like PGP (Symantec), Thales, and Vormetric come to mind on the technology side, but even the most sophisticated shops often overlook key management best practices. NIST guidance (SP 800-57, Recommendation for Key Management) and the PCI DSS key-management requirements are good starting points.
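As an added illustration (not part of the original column, and not any of the vendors' code), here is a small Go model of the discipline the three points above call for: a central store of versioned key-encryption keys (KEKs), a fresh data-encryption key (DEK) for every record, the record's identity bound into both ciphertexts, rotation that re-wraps keys instead of re-encrypting data, and a retirement step that shows what losing a key version actually costs. The KeyStore and Envelope types, the "dek:" label and the record IDs are assumptions made for the example; a real deployment would keep the KEKs inside an HSM or KMS rather than in a Go map.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KeyStore stands in for a central key-management service holding versioned
// key-encryption keys (KEKs); per-record DEKs travel wrapped inside each Envelope.
type KeyStore struct {
	keks    map[uint32][]byte // KEK version -> 32-byte AES-256 key
	current uint32
}

type Envelope struct {
	KEKVersion uint32 // which KEK wraps the DEK, so rotation is driven centrally
	WrappedDEK []byte // nonce||AES-GCM(DEK) under the KEK, AAD = "dek:"+recordID
	Ciphertext []byte // nonce||AES-GCM(data) under the DEK, AAD = recordID
}

func NewKeyStore() *KeyStore { return &KeyStore{keks: map[uint32][]byte{}} }

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // keys here are always 32 random bytes
	if err != nil {
		panic(err) // a wrong length is a programming error, not a runtime condition
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return aead
}

// seal returns nonce||ciphertext; aad is authenticated but not encrypted.
func seal(key, aad, plaintext []byte) []byte {
	aead := gcm(key)
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce) // crypto/rand.Read is guaranteed not to fail (Go 1.24+)
	return aead.Seal(nonce, nonce, plaintext, aad)
}

// open fails on the wrong key, a modified blob, or a mismatched aad.
func open(key, aad, blob []byte) ([]byte, error) {
	aead := gcm(key)
	if n := aead.NonceSize(); len(blob) >= n {
		return aead.Open(nil, blob[:n], blob[n:], aad)
	}
	return nil, fmt.Errorf("ciphertext too short")
}

// Rotate issues a new KEK version (call it once before the first Encrypt); older versions stay until every envelope is re-wrapped.
func (ks *KeyStore) Rotate() uint32 {
	kek := make([]byte, 32)
	rand.Read(kek)
	ks.current++
	ks.keks[ks.current] = kek
	return ks.current
}

// Retire deletes a KEK version; any envelope still pointing at it is lost for good.
func (ks *KeyStore) Retire(version uint32) { delete(ks.keks, version) }

func (ks *KeyStore) unwrap(recordID string, env *Envelope) ([]byte, error) {
	kek, ok := ks.keks[env.KEKVersion]
	if !ok {
		return nil, fmt.Errorf("KEK v%d unavailable: record %q is unrecoverable", env.KEKVersion, recordID)
	}
	return open(kek, []byte("dek:"+recordID), env.WrappedDEK)
}

// Encrypt: a fresh DEK per record, so no single key unlocks everything, and the record ID as AAD, so a blob cannot be moved to another record.
func (ks *KeyStore) Encrypt(recordID string, plaintext []byte) *Envelope {
	dek := make([]byte, 32)
	rand.Read(dek)
	return &Envelope{
		KEKVersion: ks.current,
		WrappedDEK: seal(ks.keks[ks.current], []byte("dek:"+recordID), dek),
		Ciphertext: seal(dek, []byte(recordID), plaintext),
	}
}

// Decrypt fails closed on a missing KEK, a tampered envelope, or a wrong record ID.
func (ks *KeyStore) Decrypt(recordID string, env *Envelope) ([]byte, error) {
	dek, err := ks.unwrap(recordID, env)
	if err != nil {
		return nil, err
	}
	return open(dek, []byte(recordID), env.Ciphertext)
}

// Rewrap moves the DEK under the current KEK without re-encrypting the data; this is what makes rotation affordable at scale.
func (ks *KeyStore) Rewrap(recordID string, env *Envelope) error {
	dek, err := ks.unwrap(recordID, env)
	if err != nil {
		return err
	}
	env.KEKVersion, env.WrappedDEK = ks.current, seal(ks.keks[ks.current], []byte("dek:"+recordID), dek)
	return nil
}
```

Three properties map straight onto the CIA concerns above. Confidentiality: every record gets its own DEK, so there is no single key that everyone knows, and the KEK is the only long-lived secret to guard. Integrity: AES-GCM rejects any modified envelope, and because the record ID is authenticated data, an attacker cannot swap one record's ciphertext (or wrapped DEK) into another record. Availability: an envelope whose KEK version has been retired is permanently unreadable, so the operational rule is Rotate, then Rewrap every envelope, and only then Retire the old version; the same logic says the KEKs themselves need an escrow copy that survives the loss of the key server.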

I have no doubt that most enterprise data will be encrypted across the entire technology stack in the future. That being the case, CIOs and CISOs need to put together an enterprise encryption strategy ASAP. Without one, the data is not nearly as secure as they think it is.
