Staying Ahead of the Curve - Getting Key Management Right
Brian Tokuyoshi - Product Marketing Manager
In the pursuit of providing protection for enterprise data, many organizations make the mistake of thinking that their responsibilities to protect data start and end with the deployment of an encryption application. What often happens, in the rush to secure data, is that the need for strategic key management can be overlooked. This often occurs when there’s been an imperative driving the need, such as a new compliance mandate or the revelation of a data breach. These types of incidents can often create a singular focus to deploying encryption products that can unfortunately prove to be short sighted.
For compliance initiatives, sometimes even the best intentioned efforts to protect data can lead to unforeseen consequences. In one example, the directives for the U.S. Federal government drove many agencies to protect mobile devices with encryption products. Various products were evaluated on the functionality of the encryption application, and little was done on building a proper strategy and infrastructure to manage encryption products. In a recent report, the Government Accountability Office discovered shortfalls in the ability for government agencies to secure mobile computers because of the ongoing issues with management and enforcement of policy.
For companies who have unfortunately experienced a data loss incident, a similar line of thinking also occurs. In many cases, the event that triggered the incident is attributable to a known source. For instance, when an employee loses a laptop with an unencrypted hard drive, it must be treated as a data loss incident and reported as a possible breach, even when it is unknown whether a person of malicious intent has possession of the device. In response, IT organizations seeking to ameliorate their malady without the benefit of time hastily purchase a whole disk encryption product without first assessing the possible avenues for building a proper encryption strategy.
In both scenarios, the penalties for the lack of encryption strategy and proper management tools do not manifest right away. Rather, the symptoms appear over time, as the cumulative distraction of operational expenses and greater administration resource utilization become problematic to the point that year on year run costs become impossible to ignore. Perhaps the most aggravating discovery is that the work undertaken to deploy and keep the first application provides no head start towards the implementation of a second.
Fortunately, for companies looking to develop an encryption strategy, there is a clear demarcation between products that lead to a painful, expensive dead end and the solutions that provide a system for true data protection. The criterion that truly makes the difference is actually not the application’s functions at all, but rather the key management capabilities of the management platform.
Key management, at its most fundamental level, provides a system for handling the lifecycle of the key, from the time it is created and all of the stages that a key undergoes, such as rotation, archival and retirement. This is truly a critical issue because it establishes the underpinnings for managing encryption. Getting it done right, staying in control, keeping the keys secure and monitoring the state of the environment are all easy to do when the foundation of key management supports the applications that rely on the keys. Properly deployed, many of the key management operations can be managed through the enforcement of policy, which enables automation to replace manual efforts, and provides the metric for monitoring and maintaining compliance.
Key management that serves as a proper foundation also addresses future expansion of encryption requirements. Deploying a second or third encryption application that shares the same key management infrastructure greatly reduces the time to deploy and frees up staff that would otherwise become entangled in the day to day operations of yet another application.
For companies who are looking to start their next encryption project, the first step is to get the keys in order. Getting the keys organized, managed and protected in a central location is fundamental to establishing the foundation for protecting the data throughout the enterprise. Getting key management before deploying the next encryption application makes the difference between expensive run costs and building an environment that you can live with.