September 25, 2008 1:39 PM PDT

Encryption key management: Critically important, frighteningly immature

by Jon Oltsik

Large organizations are deploying more and more encryption technologies these days on laptops, tape backup systems, mobile devices--everywhere.

Yes, they are concerned about regulatory compliance, data breaches, and embarrassing front-page headlines, but there is something else going on as well. Technology suppliers are now baking encryption into technology components and systems. As encryption becomes cheap and ubiquitous, risk-averse users will likely deploy it everywhere.

Ironically, multilayer encryption may actually compromise data security. Why? If data is encrypted multiple times, someone had better know about the chain of encryption events that took place. Each layer relies on its own encryption key to turn ciphertext back into readable text (cleartext), and the layers must be undone in reverse order. Lose one key and the data cannot be recovered, no matter how many of the other keys survive. Avoiding this problem demands formalized processes and robust technologies for key management: creating, organizing, storing, backing up, and auditing encryption keys, and recording which key protects which data.
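As an added example (not code from the column), here is what that chain of encryption events looks like when each layer writes a self-describing header and the keys live in an audited store, and what happens the moment one key is destroyed. The cipher is HMAC-SHA256 in counter mode with an encrypt-then-MAC tag, a standard-library stand-in for a real AEAD such as AES-GCM; KeyStore, encrypt_layer, decrypt_layer and restore are this example's own names, and the patient record is constructed.

```python
"""Layered encryption with a self-describing header per layer (added example).

Every layer writes the key ID it used into a cleartext header, so a later
reader knows which key to fetch and in which order to peel the layers. The
cipher (HMAC-SHA256 in counter mode + encrypt-then-MAC tag) is a stdlib-only
stand-in for AES-GCM; the key store is an in-memory dict with an audit log.
All names here are this example's own, not any vendor's API.
"""
import hashlib
import hmac
import json
import secrets


class KeyStore:
    """Minimal key manager: creates, hands out and destroys keys, logging each event."""

    def __init__(self):
        self._keys = {}
        self.audit = []  # (event, key_id) tuples, oldest first

    def create(self, purpose):
        key_id = f"{purpose}-{secrets.token_hex(4)}"
        self._keys[key_id] = secrets.token_bytes(32)
        self.audit.append(("create", key_id))
        return key_id

    def get(self, key_id):
        if key_id not in self._keys:
            self.audit.append(("miss", key_id))
            raise LookupError(f"key {key_id} is not in the key store")
        self.audit.append(("use", key_id))
        return self._keys[key_id]

    def destroy(self, key_id):
        self._keys.pop(key_id, None)
        self.audit.append(("destroy", key_id))


def _subkeys(key):
    # Domain-separate the encryption and MAC keys so one key never does both jobs.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key, nonce, length):
    # PRF in counter mode: block i = HMAC(enc_key, nonce || i), truncated to length.
    out = b""
    for i in range((length + 31) // 32):
        out += hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def encrypt_layer(store, key_id, payload):
    """Encrypt payload under key_id; the returned blob starts with a JSON header line."""
    enc_key, mac_key = _subkeys(store.get(key_id))
    nonce = secrets.token_bytes(16)
    body = bytes(p ^ k for p, k in zip(payload, _keystream(enc_key, nonce, len(payload))))
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    header = {"key_id": key_id, "nonce": nonce.hex(), "tag": tag.hex()}
    return json.dumps(header).encode() + b"\n" + body


def decrypt_layer(store, blob):
    """Peel one layer: read the header, fetch its key, check the tag, then decrypt."""
    header_line, body = blob.split(b"\n", 1)
    header = json.loads(header_line)
    enc_key, mac_key = _subkeys(store.get(header["key_id"]))  # LookupError if the key is gone
    nonce = bytes.fromhex(header["nonce"])
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(header["tag"])):
        raise ValueError(f"tag mismatch under key {header['key_id']}")
    return bytes(c ^ k for c, k in zip(body, _keystream(enc_key, nonce, len(body))))


def restore(store, blob, layers):
    """Peel `layers` layers, outermost first. Returns (True, plaintext) or (False, reason)."""
    try:
        for _ in range(layers):
            blob = decrypt_layer(store, blob)
        return True, blob
    except (LookupError, ValueError) as exc:
        return False, str(exc)


def scenario():
    """Constructed scenario: application-level encryption, then tape-level; then the tape key is lost."""
    store = KeyStore()
    app_key = store.create("app")
    tape_key = store.create("tape")
    record = b"patient=1234;dx=J45.909"          # constructed sample data
    on_tape = encrypt_layer(store, tape_key, encrypt_layer(store, app_key, record))
    before = restore(store, on_tape, layers=2)   # both keys present: recoverable
    store.destroy(tape_key)                      # one key lost
    after = restore(store, on_tape, layers=2)    # outer layer cannot be peeled
    return {"before": before, "after": after, "audit": store.audit}


if __name__ == "__main__":
    result = scenario()
    print("with both keys:", result["before"])
    print("tape key destroyed:", result["after"])
    for event in result["audit"]:
        print("audit:", *event)
```

Nothing in the header is secret (key ID, nonce, tag), which is exactly why it can be stored beside the ciphertext: the blob itself tells a future operator which key to ask the key manager for. The audit log shows the "miss" event the moment recovery fails, and that is the signal a real key-management process would alert on. In production the cipher would be AES-GCM from a vetted library and the store a hardware-backed KMS; the header and the audit trail are the parts that matter for this column's argument.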

Following this logic, key management plays an extremely important role in the world of data security/privacy. The problem here is that the development of enterprise-class key management systems lags well behind the adoption of encryption technologies. Large organizations already have lots of islands of encryption and the situation is getting worse, not better.

Why not integrate key management systems together to have centralized "command and control"? The problem here is the lack of solid key management standards. The Institute of Electrical and Electronics Engineers deserves a lot of credit for jumping into this messy situation with a key management standards effort dubbed P1619.3 (part of its P1619 Security in Storage Working Group). There is a lot of brainpower behind P1619, but things are progressing slowly. In the meantime, users are crying for help.

In my view, something has to give and every vendor involved in key management standards has to eat a big slice of humble pie. Large vendors who are paying lip service to the IEEE effort must get more engaged quickly. The standards body itself needs to adopt a "start small and grow" mentality, get a 1.0 specification to the market soon, and proceed from there.

If these things don't happen, encryption key management will become a proprietary battle with multiple standards and one-off sales and marketing arrangements between vendors. Large organizations will be forced into extremely detailed and complex data security processes, and the risk of unrecoverable data due to a lost encryption key grows with every additional island of encryption.

In my mind, there is something immoral about prioritizing individual corporate business agendas over a global effort to improve security. Do we as an industry want to be responsible for this outcome?

Jon Oltsik is a senior analyst at the Enterprise Strategy Group. He is not an employee of CNET.
by jonathan260 September 25, 2008 3:26 PM PDT
This is the same problem as password management. With dozens of websites all demanding personalization, we either use the same one everywhere or write them down. Both are a huge security risk. Now they want us to manage unrememberable encryption keys....
by ak19562003 September 26, 2008 2:43 AM PDT
This is further complicated by the fact that there are a number of standards initiatives in progress, not just IEEE. So it is not just about getting behind a standard, but agreeing which one.
by ManuNamboodiri September 26, 2008 7:28 AM PDT
Key management is a big problem no doubt - I think the problem is exacerbated by a piecemeal approach to encryption as well. As Jon puts it, "islands of encryption" - there is nothing holding these together or a coherent strategy around protection in most enterprises. I see two aspects of how this manifests itself - transparency and hand-offs.
If, within an island, the keys are not visible in the normal course of operations and the vendor ensures this - we don't/should not have a huge key management problem.
However, the problem rears its head when data from one island has to cross into the other - ensuring this hand off is secure is when the ugly side of key management, decryption and re-encryption is visible.

While I agree that IEEE standards (or similar ones) are important, if we don't structurally move away from the island approach to a, for lack of a better analogy, "stream" approach (the data itself is continuously encrypted, thus enabling it to move freely and securely), we will further complicate the problem. So I guess I am advocating that the solution be twofold - better architecture around how encryption is implemented will make it easier to solve the key management issue.
by skswave September 26, 2008 7:50 AM PDT
There are now over 250 million PCs that have a common key management device, the Trusted Platform Module. It has a common API (interfaces), it is vendor neutral, and it is driven by a good and strong standards effort. There are enterprise tools that allow a company to manage the TPM for a collection of users, and there are local tools that allow an individual to use the device. The result is that every service provider and every encryption provider can create and use keys in the TPM, and the enterprise can centrally manage the TPM and back up or oversee all of the keys. This works today for VPN and wireless, for Windows authentication, and for Web page access. It is time that every user knows what a TPM is and knows what to do with it. If a service provider won't support it, then switch to a provider who does. We need to start asking Yahoo and Google and AOL and eBay where their support for strong platform security is. We demanded it in portable phones in the 1970s; we demanded it in cell phones in the '80s; we got it as part of all cable boxes in the '90s; now it is time to have strong keys in the PC. The tools are there, the hardware is already in your hands, but if your enterprise has not turned it on yet, ask them WHY.
My PC logs onto wireless with no passwords, and keys held in hardware.
My PC logs onto the VPN with keys only known by my IT department and held in my TPM.

But I needed a password (and had to remember it) to log into this site, and that made my computer vulnerable. It is time to leverage the investment that has already been made and utilize hardware security in our PCs to make it easier and simpler to be on the services-based network.

Steven Sprague
CEO
Wave Systems Corp.
by gsidman September 26, 2008 11:28 AM PDT
Waiting for standards groups to solve the key exchange problem will be a very long wait. We have waited through DNSSEC, promises around IPv6, etc., and the problems are growing. Educating the 99th percentile of unsophisticated business users about sophisticated protocol-layer fixes, like TPM, will not happen, because the vast majority have no access to IT help but need privacy and compliance.

This is not an advertisement, but WebLOQ has solved this problem and is deploying today in many industries, including healthcare, law enforcement, defense, legal, finance, etc. WebLOQ goes way beyond transparent key management to deliver a complete communications ecosystem based on the simplicity of email. Within WebLOQ all elements of email are managed within an application layer that delivers total keyboard-to-keyboard security and privacy, audit and compliance reports of all email activity, dual-layer encryption, and a privacy space right within any email client that is completely free of malware. Key management is invisible, being managed entirely within the application. It is a combination of session-based symmetric and PKI key and crypto technology that the user never sees. As a result the keys are machine generated, immune to user error, and passwords are not required.

George Sidman
Chairman, WebLOQ