Companies have a problem with encryption: While many businesses duly encrypt sensitive data, there is no standard strategy for deploying and managing a key-management infrastructure.
Every organization needs to make a large number of decisions in designing a key-management policy that works for their business, Karen Reinhardt, principal engineer for cryptographic services at Home Depot, told attendees at the RSA Conference in San Francisco last week.
Some cloud-native startups can manage much, if not all, of their encryption keys in the cloud, while large enterprises with legacy technology likely need a locally hosted system and hybrid infrastructure.
Some users, such as developers, may be able to manage their own infrastructure, while general employees need their keys managed for them.
Finally, every company needs to take into account the post-quantum future, Reinhardt said.
Encryption is a necessary technology for securing data and systems, but there is more to data security than just encrypting the data.
Perhaps the most complex part of any encryption infrastructure is managing the keys needed to decrypt data.
If attackers have access to the keys, they have access to the encrypted data; defenders who lose access to the keys lose access to their data.
Data Availability Requires Decryption
The first lesson for companies is that encryption keys are critical - perhaps more critical than proper encryption.
Data is unusable if you can't decrypt it, so knowing where the decryption keys are is often much more important than knowing the location of the encryption keys, said Reinhardt.
Organizations should always have a controlled archive of decryption keys, she said.
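The controlled archive of decryption keys described above, as an added example written for this page (not code from Home Depot or from the talk): each object's data-encryption key (DEK) is stored only wrapped under a key-encryption key (KEK), and the recovery path fails explicitly when either the archive record or the KEK is unavailable. Assumptions: AES-256-GCM from Go's standard library stands in for an HSM or cloud KMS, and an in-memory map stands in for the archive store.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Archive is the controlled decryption-key archive: object ID -> that object's
// data-encryption key (DEK) wrapped under a key-encryption key (KEK), never in plaintext.
type Archive map[string][]byte

// gcm returns AES-256-GCM for a 32-byte key; a malformed key length is a programming error here.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}

// RandomBytes returns n bytes from the system CSPRNG; an RNG failure is fatal, not ignorable.
func RandomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// Wrap archives dek under kek as nonce||ciphertext; the object ID is the AAD, so a record cannot be moved to another object.
func (a Archive) Wrap(kek []byte, objID string, dek []byte) {
	nonce := RandomBytes(12)
	a[objID] = gcm(kek).Seal(nonce, nonce, dek, []byte(objID))
}

// Unwrap is the availability path: it needs the record AND the KEK that wrapped it; lose either and the data is gone.
func (a Archive) Unwrap(kek []byte, objID string) ([]byte, error) {
	rec, ok := a[objID]
	if !ok || len(rec) < 12 {
		return nil, errors.New("no archived decryption key for " + objID)
	}
	dek, err := gcm(kek).Open(nil, rec[:12], rec[12:], []byte(objID))
	if err != nil {
		return nil, errors.New("KEK wrong or lost: DEK for " + objID + " cannot be recovered")
	}
	return dek, nil
}
```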
'Encrypt Everything' Might Not Be Worth It
Security controls continue to be expensive to implement, and encryption is no exception.
Cloud Changes Everything, But Gives You Options
Companies moving more of their infrastructure to cloud services and platforms are already trying to control data sprawl - and cloud-native key management adds key sprawl to the equation as well.
Companies need to take stock of not only their critical data - what needs to be encrypted - but also how each cloud service manages its keys and other secrets and whether the company can centralize management to increase control.
Legacy Integration Remains a Headache
Smaller companies just starting with key management can build a greenfield key-management system and take advantage of the latest technologies to simplify their infrastructure and strengthen control over their data.
Large companies that already have a variety of key-management technologies in place will have to support legacy applications and databases.
Cloud-based encryption infrastructure, such as hardware security modules - secure storage for key data and operations - can help make implementation simpler and make integration with legacy technology easier.
Post Quantum Means Every Asymmetric Key Must Be Replaced
Finally, every company needs to consider the post-quantum future and make sure that their key infrastructure can generate quantum-safe keys.
As quantum-computing technology advances, public-key encryption will need to evolve and use stronger keys generated by more modern algorithms.
This Cyber News was published on www.darkreading.com. Publication date: Tue, 14 May 2024 20:15:09 +0000