Who Holds the Keys?

Encryption isn't bulletproof if keys and digital rights are left out in the open. Here's how to lock down stored data.

Experts and IT leaders offer strategies for getting the most from the latest encryption and digital rights management technologies.

Encryption can make up for a litany of security snafus -- from a bad firewall to an unrelenting hacker to a lost laptop. Once data is encrypted, criminals can't use or sell it. Plus, if encrypted data goes missing, companies are protected from disclosure requirements in most states. No wonder 38% of companies surveyed by Forrester Research have already adopted full-disk encryption technology. But data protection doesn't stop there. Encryption keys and digital rights also must be well orchestrated and secured, or else encryption protection goes out the window.

For instance, encryption keys kept in a predictable place are like house keys left under a welcome mat: They're easy prey for intruders.

In December, hacking group Anonymous broke into SpecialForces.com, a provider of law enforcement equipment, and stole thousands of customers' data and credit card numbers. The data was encrypted, so the crisis appeared to have been averted. But the hackers didn't stop there. They broke into the company's servers and stole the encryption keys . The group then leaked roughly 14,000 passwords and 8,000 credit card numbers of customers on its website.

"Most of the standardized encryption methods or algorithms specified by [the National Institute of Standards and Technology] are good, it's just how you implement them and how you do key management," says John Kindervag, an analyst at Forrester Research.

While many companies have deployed full-disk encryption to comply with regulatory mandates or to avoid public disclosure requirements under state privacy laws if data is lost or stolen, an alarming number of companies still don't take precautions.

More than half of 500 IT professionals surveyed by Ponemon Institute and Experian Information Solutions in January said their lost or stolen data wasn't encrypted. Lost data most often included email (cited by 70% of the respondents), credit card or bank payment information (45%), and Social Security numbers (33%). If the organization was able to determine the cause of the breach, most often it was a negligent insider (34%). Some 19% said outsourcing data to a third party was to blame, and 16% said a malicious insider was the main cause.

"Any device that leaves your organization needs to be protected, and with more than just a password," says Gartner analyst Eric Ouellet. "We know you can jailbreak these things very easily." Data at rest must be protected, too, he adds. "Even mislabeling a tape [in storage] or not being able to find it is a disclosure event," unless the data is encrypted.

Semiconductor production equipment maker Applied Materials faces strict customer and legal requirements to protect information. The company, which operates in 25 countries, began rolling out full-disk and message encryption in late 2010 as part of a tech refresh of its 13,000 laptops. Today, 78% of laptops are encrypted, with only a few holdouts.

"The change has been positive all over the world," says Matthew Archibald, who serves as both chief information security officer and chief privacy officer at the Santa Clara, Calif.-based company. "On the engineering side, they believe anything slows [the system] down, so you have to show them that it doesn't impact them in any way."


Proceed with caution on EDRM

While assigning rights for viewing and editing documents seems like a good idea, it's not something that Gartner's Eric Ouellet recommends for organizations that need to keep documents for a long time.

"There are no standards for EDRM [Enterprise Digital Rights Management]," he explains. If a vendor changes the cryptography or the way it applies the technology, users must upgrade or retrofit all existing documents or run the risk of having orphaned documents that no one can open. One Gartner client had to upgrade twice over the past eight years, he adds.

"If documents are only going to live for 12 to 18 months, that's a risk window that you can manage," he says. "But if the documents need to live for four to five years or more, then you have to start building alternate systems," such as ones for keeping copies in plain text that are accessible to only one or two people in the organization.

AA Stacy Collett

At Intel, 85% of laptops have full-disk encryption, but CISO Malcolm Harkins is already assessing the next big thing -- self-encrypting hard drives, which will address encryption gaps when laptops are in standby, sleep or hibernate modes.

"As you're moving to products that are always on/instant on, if you've got a nine-hour battery life and it's always on standby, the data is not encrypted," Harkins says. "I also want to improve the user experience," he adds, referring to the fact that encryption typically requires users to enter passcodes and wait for systems to reboot. "If I can do that, as well as potentially lower my cost of control, self-encrypting drives might be the answer."

Key Management

While encrypting data is important, the keys that control the encryption and decryption processes are even more important because, well, data is useless without a key. And with so many programs and devices requiring encryption and individual key management, it's easy to see why keys can be mismanaged or why dangerous shortcuts are taken to manage them.

Today, most encryption systems have their own built-in key managers that also create backups, "so at least you have some consistency," Ouellet says. "The key manager that comes with those solutions is probably good enough." But centralized key management might be the answer for companies that find themselves using a growing number of encryption tools and keys.

A quarter of companies surveyed by Forrester have adopted centralized key management in some form, he adds, but that number will grow as interoperability standards take hold.

Open standards organization Oasis has developed a key management interoperability protocol (KMIP) as a standard within cryptographic systems. "This standard has been growing and is replacing older standards," Ouellet explains. "The only catch is that while most organizations that provide cryptography want to support KMIP, they'll do it as a means to manage others' keys. They're not allowing others to manage their keys. It's kind of a chicken and egg thing," which will hold back adoption "unless the vendors start opening themselves up," he says.

Do's and Don'ts

Analysts say to leave key management to the professionals. Kindervag advises IT shops to deploy an enterprise-quality key management program that understands key management in their companies. "Don't try to build your own," he cautions. "Don't email keys back and forth, and don't leverage things like Active Directory to store keys."

Do keep the key management function in a segment of your network that is completely separate from the encrypted data, and protect it with features such as Layer 7 firewalls, IPS devices and strong access control, he adds. Only a few people who are designated to manage keys should have access to that segment of the network, and they should constantly monitor what is happening on the key management servers, such as who is seeking access.

In the near future, key management will be available in the cloud with service providers who specialize in enterprise key management. "Traditional PKI vendors are moving in that direction," Kindervag says, and credit card payment processors are capable of expanding their key management technologies into intellectual property and custodial data areas.

Cloud key management is also "a big trend right now" for smaller organizations that don't feel comfortable owning and managing keys, Ouellet says. Cloud providers can create private virtualized environments for small businesses and manage the technology side.

The trick to successful deployments of encryption, key management and digital rights is to make things easy for users.

"Spend quality time with self-installing packages," says Applied Materials' Archibald. "We have automated distribution of the software, and it's just a matter of having it enabled for the user. There are only two or three things an individual needs to do -- set their pass phrase, sync that to their Windows login and reboot their machine."

Collett is a Computerworld contributing writer. You can contact her at stcollett@aol.com .

Read more about storage in Computerworld's Storage Topic Center.

This story, "Who Holds the Keys?" was originally published by Computerworld.

Copyright © 2012 IDG Communications, Inc.

The 10 most powerful companies in enterprise networking 2022