Private Key Management: Is Your Data Really Safe?

Paul Turner

A few weeks ago, I was on a call with a security analyst when the subject of private keys came up. I've always taken for granted that everyone in the IT sector understands that as part of certificate management it is also critical to manage the private keys associated with those certificates. The analyst stopped the conversation on the spot and made it clear we can't make this assumption for two reasons: 1) very few administrators realize that managing certificates also requires the management of private keys, and 2) not many people - even in IT - understand how critical the security of private keys is in protecting sensitive data.

If you've ever heard me present, you've heard me use the phrase 'the key is the data', a phrase and concept I take directly from my friend Marc Massar, who knows more than a little bit about encryption. The point is that if you protect data by encrypting it under the public key in a certificate, the private key becomes the most essential data you then have to protect. The encrypted data is effectively useless without the key, but if the wrong person gets that key, the data is at risk.

But surprisingly, even at a company that works with some of the largest financial institutions on the planet, certain vulnerabilities crop up again and again when the care and management of these keys is not taken seriously. Despite mission-critical data and some of the industry's most advanced encryption schemes, we continually see these common mistakes:

Administrators don't have a reliable and comprehensive inventory of their keys and certificates, which makes proper management of the keys impossible. Failure to manage certificates and private keys properly can result in unexpected system failures and costly downtime.

Administrators often use a single keystore password for multiple systems (sometimes even hundreds) because the passwords are embedded in numerous applications. This makes it cost-prohibitive to follow password-rotation best practices, since every embedded copy must change at once, and it defeats separation-of-duties requirements.

Administrators have direct access to keystores and the passwords that protect them, which creates the risk that they could make copies of private keys. These are the keys that can decrypt the organization's data, and the organization must keep them secure.

Many (if not most) organizations do not replace private keys when administrators move to a new department or leave the organization, so anyone who copied a key while they had access can still use it, extending the risk of a breach.

Many organizations are unaware that encryption management platform software exists to help them comply with best practices and industry regulations efficiently, and to ensure that certificates never unexpectedly expire. This one step is essential, and when it has been neglected it has cost organizations millions of dollars in downtime, loss of customer confidence, or fraud.
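Three of the mistakes above leave traces on the filesystem that a short audit can surface: keys nobody has inventoried, one keystore password embedded in many systems, and key files that anyone with a login can copy. The script below is an added example written for this post, not Venafi's or the author's code. It walks a deployment tree, inventories PEM private keys with their at-rest protection and permissions, and groups configuration files by a fingerprint of the keystore password they embed so that reuse across systems shows up without the secret itself appearing in the report. The directory layout, configuration key names and file contents are constructed for the demonstration, and the set of password-setting names it recognises is an assumption to be extended for the config formats in your own estate. It uses only the standard library, so it does not parse X.509 and says nothing about expiry; that needs a certificate parser on top.

```python
"""Audit a deployment tree for private-key management mistakes:
no key inventory, one keystore password embedded in many systems,
and keys that anyone with filesystem access can copy.

Added example for this post, not Venafi or author code. Paths, config
key names and file contents below are constructed for the demonstration.
"""
import hashlib
import os
import re
import stat
import tempfile
from collections import defaultdict

# PEM headers for private keys; 'ENCRYPTED PRIVATE KEY' is PKCS#8 with a passphrase.
PEM_PRIVATE_KEY_RE = re.compile(
    r"-----BEGIN (?P<kind>(?:ENCRYPTED |RSA |EC |DSA )?PRIVATE KEY)-----")

# Settings that commonly carry a keystore or key password, e.g.
# javax.net.ssl.keyStorePassword, keystore_pass, SSL_KEY_PASSWORD.
# Assumed list of name shapes; extend it for the config formats you deploy.
PASSWORD_SETTING_RE = re.compile(
    r"^[ \t]*(?P<key>[\w.\-]*(?:keystore|truststore|key)[\w.\-]*pass(?:word)?)"
    r"[ \t]*[=:][ \t]*[\"']?(?P<val>[^\"'\s]+)",
    re.IGNORECASE | re.MULTILINE)


def _read_text(path, limit=65536):
    """Return the start of a file as text, or None if it cannot be read."""
    try:
        with open(path, "r", errors="replace") as fh:
            return fh.read(limit)
    except OSError:
        return None


def scan_private_keys(root):
    """Inventory every PEM private key under root with its at-rest protection."""
    keys = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            text = _read_text(path)
            match = PEM_PRIVATE_KEY_RE.search(text) if text else None
            if not match:
                continue
            # PKCS#8 marks encryption in the header; legacy PEM uses a Proc-Type line.
            encrypted = (match.group("kind").startswith("ENCRYPTED")
                         or "Proc-Type: 4,ENCRYPTED" in text)
            mode = stat.S_IMODE(os.stat(path).st_mode)
            keys.append({
                "path": os.path.relpath(path, root),
                "encrypted": encrypted,
                "mode": mode,
                # Any group/other bit means someone besides the owner can copy the key.
                "exposed": bool(mode & (stat.S_IRWXG | stat.S_IRWXO)),
            })
    return sorted(keys, key=lambda k: k["path"])


def scan_keystore_passwords(root):
    """Group config files by a truncated SHA-256 of the keystore password they
    embed, so reuse is visible without the secret appearing in the report."""
    by_fingerprint = defaultdict(set)
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            text = _read_text(path)
            for match in PASSWORD_SETTING_RE.finditer(text or ""):
                fp = hashlib.sha256(match.group("val").encode()).hexdigest()[:12]
                by_fingerprint[fp].add(os.path.relpath(path, root))
    return {fp: sorted(paths) for fp, paths in by_fingerprint.items()}


def audit(root, reuse_threshold=2):
    """Turn the inventory into findings an administrator can act on."""
    findings = []
    for rec in scan_private_keys(root):
        if not rec["encrypted"]:
            findings.append(f"{rec['path']}: private key stored unencrypted")
        if rec["exposed"]:
            findings.append(f"{rec['path']}: mode {rec['mode']:04o} lets non-owners read the key")
    for fp, paths in scan_keystore_passwords(root).items():
        if len(paths) >= reuse_threshold:
            findings.append(f"keystore password {fp} reused in {len(paths)} files: {', '.join(paths)}")
    return findings


def build_sample_tree():
    """Constructed tree for the demo: two apps share one keystore password, one
    key is unencrypted and world-readable, one is encrypted and owner-only.
    The PEM bodies are placeholders, not real key material."""
    root = tempfile.mkdtemp(prefix="keyaudit-")

    def put(rel, text, mode=0o640):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)
        os.chmod(path, mode)

    put("app1/conf/server.properties",
        "javax.net.ssl.keyStore=/etc/app1/keystore.jks\n"
        "javax.net.ssl.keyStorePassword=changeit\n")
    put("app2/conf/tomcat.yml", "ssl:\n  keystore_file: keystore.jks\n  keystore_pass: \"changeit\"\n")
    put("app3/conf/app.env", "SSL_KEY_PASSWORD=unique-per-host-7f3a\n")
    put("app1/tls/server.key",
        "-----BEGIN RSA PRIVATE KEY-----\nplaceholder-not-a-real-key\n-----END RSA PRIVATE KEY-----\n",
        mode=0o644)
    put("app3/tls/server.key",
        "-----BEGIN ENCRYPTED PRIVATE KEY-----\nplaceholder-not-a-real-key\n"
        "-----END ENCRYPTED PRIVATE KEY-----\n", mode=0o600)
    return root


if __name__ == "__main__":
    for line in audit(build_sample_tree()):
        print(line)
```

On the constructed tree this reports the app1 key twice (stored unencrypted, and mode 0644 readable by non-owners) and the `changeit` fingerprint as reused by two applications; the app3 key, encrypted and owner-only, is inventoried but produces no finding. Run against a real tree, the reuse list is the starting point for the rotation work the post describes, and the inventory is the list of keys that must be replaced when an administrator leaves.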


In a recent real-world incident, the failure of a single password caused the entire network to shut down at a major national bank. By the time the outage was corrected it had cost millions of dollars, even though it occurred near the end of a day. Private key management may seem like a peripheral issue, but failure to recognize and protect these 'keys to the kingdom' could cost millions, and could easily cost an IT person's job as well.

Mar 22, 2010 3:03 PM Anonymous says:
Interesting. Key management is all the rage but you don't hear much about private keys in that context. What are the real world compliance issues, if any? Any application in government or industry regs?
Mar 24, 2010 5:03 PM Gregory says:
There's a new white paper to download (with business and technical sections) on the data security and compliance issues associated with poorly managed private keys @ http://www.venafi.com/Collateral_Library/Venafi_PCI%20Compliance_Whitepaper.pdf
Oct 4, 2011 8:10 AM RAJEEV says:
Thanks
Dec 6, 2011 2:12 AM Vormetric says:
Enterprises strive to comply with various regulatory mandates for data protection by deploying a variety of encryption solutions, but encryption solutions frequently have inadequate key management that can compromise security, create administrative overhead, and hinder widespread deployment. Vormetric Enterprise Key Management overcomes these issues with a centralized enterprise key management platform to unify the management and security of encryption keys.
