On the one hand this is very reasonable, but it does often mean that things are driven the wrong way round: compliance projects drive security initiatives, implementing little more than the minimum security required by the letter of the compliance standard. Mainstream security adoption therefore typically catches up with best practice as the compliance mandates are updated.
And so it has been with information security over the past decade or so.
At one time the firewall was everything: the impregnable ring of steel that kept all the good stuff in and the bad guys out. But then rich content and Web applications started appearing, and no amount of user education could stop those tempting email attachments from being opened, so additional defenses such as corporate antivirus and password management gained popularity. At the same time, businesses and individuals started to share more and more information across virtual boundaries, and compliance mandates around data confidentiality started to emerge, so encryption entered the mainstream.
And now, finally, a few years on, the experience with encryption and some high-profile embarrassments have led to the realization that key management is all-important. Encryption alone is not a silver bullet. Signing high-value assets with software keys does not protect the global community. You have to treat keys and crypto with respect.
For those of us in the industry this is obvious: the keys are the security. Sadly, though, the evidence suggests that many mainstream deployments of encryption and signing don’t adopt best-practice key management. Software key storage, lax access control, poor selection of keys and protocols, and thefts of key material are frequently making the news at the moment alongside data breach notifications. This shouldn’t be surprising: by definition the mainstream cannot be experts in cryptography. But that’s no excuse: the security industry and individual industry regulators have a responsibility to fix this.
Happily things are starting to look up.
Compliance mandates that had once focused on encryption are now being updated to look much more closely at key management practice. From PCI-DSS (updated late 2010 and continuing into 2011, with an explicit focus on key management) to the more traditional world of US Federal government (which already did fairly well on key management), we see increased sophistication in the specification of key management requirements. Data breach notification rules (such as those in Nevada) have been explicitly and carefully updated to move from simple and naïve password encryption requirements to explicit requirements on key management, with the realization that encryption is flawed without proper management of keys.
In many cases these changes are made to improve the security of systems and actually reduce the risk of breaches (such as the recommendation to use hardware devices), but in other cases this new understanding enables business agility, as standards and technologies such as OASIS KMIP (Key Management Interoperability Protocol) make their way into the documents.
So now the secret’s out: everyone knows about key management and simply encrypting data won’t be enough anymore. Over the coming months and years I expect the quality of key storage, access control and management to come under increasing scrutiny in all areas of the information society, and for lax key management to become viewed as a fault, not an innocent mistake.
If you want to comply, you’d better start managing those keys.
Jon Geater, Director of Technical Strategy for Thales, has more than 10 years technical experience as a software architect and chief architect in the information security industry where he has helped define many real-world security products and systems. At Thales, Jon is a technical evangelist for the information technology security activities. He also serves as the technical voice of the Thales strategy group and ensures that the product portfolio meets the needs of both the Company and the market.