The good news, according a survey co-sponsored by nCipher and conducted by the Aberdeen Group, is that encryption reduces the vulnerability of data. Simply, companies that use it are less likely to be victimized than those that don't. The methodology was simple: Those who ran the survey identified companies that suffered less data loss and found that they encrypt more than others. Said Richard Moulds, nCipher's vice president of marketing:
The best-in-class people did the best job in terms of minimizing risk. Of those, 81 percent increased the number of applications and systems in the company using encryption. Fifty percent used it in more locations, such as branch offices, and more systems. Forty-six percent have taken specific steps to confront the issue of key management and consistency of management of encryption. There is a strong correlation between the amount of encryption used by best in class companies and a lack of encryption among laggards. There is very strong evidence that the folks doing a good job are taking a more aggressive stance on encryption.
The bad news is that this success raises two problems. The first, Moulds says, is that encryption is a complex technology and it is no small feat to clamp it onto existing applications. This, Moulds says, is a temporary issue simply because encryption is being embedded into a greater number of existing applications:
The good news is a lot of platforms these days include embedded encryption. In some ways the problem is starting to go away. We see encryption as a standard feature in Vista, a standard in Oracle and coming Microsoft databases and inside tape drives. Years ago you had to buy encryption and retrofit it. These days you often get it for free in systems. That's the first challenge, which has become a lot easier lately.
The second problem Moulds described is a bit trickier. In a classic case of the unintended consequences of success, the fact that encryption is finding wider deployment means that there is a growth of complexity. The big issue is the creation of too many encryption keys. The growth of silos of separately secured applications served by multiple encrypted systems will give security personnel daily headaches. The forward-thinking companies are confronting this problem by centralizing key management.
The secondary point in the survey is that best-in-class companies made a switch, thinking of encryption from a series of individual systems and taking instead more of a top-down, centralized approach where they can manage all key management through a single system. They centralize key management. They want the keys stored and controlled centrally and want policies to be consistent and managed by separate entity.
In addition to making things flow more smoothly, this is important because it creates a structure in which the entity doing the encrypting -- the database administrator, e-mail systems, etc. -- aren't also managing keys. Having folks in charge of applications and keys, Moulds says, is not a best-in-class security practice.
You want the keys managed by someone else, not the DBA or other person running the actual application. They want it managed by the privacy officer, the compliance officer. A lot of the privacy standards make a big deal out of separation of duties. You can't have one person responsible for the application and for security. It is the same thing with nuclear bombs. There is not one general, one button. You need more than that. You don't want the DBA to do the encryption as well as control the key.
At the end of the day, the issues surrounding data encryption and key management will be solved by a standardization. While standards efforts are getting rolling, it doesn't seem likely to happen in the near future.
Encryption is not an easy technology to understand. This WindowsSecurity.com piece starts with a cogent description that is suitable for laypeople. The next section looks at the surprisingly high number -- 15 -- type of keys that are available. The writer, in a somewhat ironic and understated manner, suggests that it is a good idea to employ proper key management:
If the encryption key protects your laptop and the prime is lost, it can result in you losing access to all the data on your laptop. Then it may be a good idea to have proper key management.
The piece concludes with dos and don'ts and a lists of practices for good key management. It is followed with five "related links" and 10 "featured" links. The articles all appear useful to anyone who wants a better understanding of key management.
One of the standards initiatives that Moulds likely is talking about is being created by the Organization for the Advancement of Structured Information Standards (OASIS), an international consortium. In July, the group formed the OASIS Enterprise Key Management Infrastructure (EKMI) Technical Committee, which has taken on the job of creating a system under which a client application can request symmetric key-management services from a network-based server. The committee, which is part of the OASIS IDtrust Member Section, also will create implementation, operations and audit guidelines and a test suite for the system.
Unlike many problems, the challenges of key management are welcome. The fact that the first issue -- retrofitting encryption onto existing applications -- is fading due to newer versions of so many application enfranchise encryption as an integral element suggest that businesses are getting wise to the value of this technique. The key management issue, clearly, is the next item on the agenda. It clearly will be more difficult because it requires industry cooperation and standardization.