Are You Gambling with Your Mission-Critical Security Assets?

Avoiding Compliance, Audit and Operational Risks. Are you Gambling a Successful Audit on Key Management Processes that Fail to Measure up?

You’ve probably met someone like Patrick—the password post-it scribbler. Whenever end-user Pat signs up for an online service, the registration process forces him to create a strong password with special characters. Frustrated with all of the complicated passwords that he has to track, Pat jots the password down on a post-it note, which he sticks to his computer screen—for anyone to find and use.

What would you think if Pat was managing your company’s data security—particularly, if your company must comply with data security regulations such as PCI DSS 2.0, SOX, HIPAA, GLBA, and the European Data Disclosure Act?

Reducing Operational Risks

But, you might protest, my IT security professionals have responded diligently to the mandates of these regulations, deploying vast numbers of encryption keys and certificates to secure a wide array of platforms, applications and services. Unfortunately, in these piecemeal deployments, effective management has fallen by the wayside. Keys and certificates are deployed across disparate systems, applications, and business solutions in a stove-piped fashion, accessible to multiple administrators without audit or access control.

Overburdened security professionals, like frustrated Pat, turn to whatever costly and error-prone management processes that they can cobble together, often relying on nothing more than spreadsheets that list deployed keys and certificates with their expiration dates—and little better than a password on a post-it note.

Are you gambling a successful audit on key management processes that fail to measure up? Manual processes leave you vulnerable, either because managers fail to implement best security practices or because they choose to maliciously exploit their knowledge—as 40 percent of IT professionals admit that they could. The lack of management solutions or clear policies has driven administrators to expose private key security and compliance vulnerabilities in several ways:

• Storing multiple keys in a keystore to which many managers have shared access

• Using the same passwords to protect multiple keystores

• Distributing keys widely in even more insecure ways such as USB drives, email, and FTP servers

• Failing to rotate keys periodically

Regulatory bodies recognize this vulnerability and have mandated policies to protect against it. PCI, for instance, in the recently released PCI DSS 2.0 standards, has clarified that encrypted data remains within its auditing scope because encrypted data is only as secure as the key that decrypts it. Just as compliant organizations have implemented processes to secure sensitive data—complete with clearly-defined policies, regulated work flow, access controls, and audit trails—they must now implement processes to secure encryption keys.

You might be tempted to increase the IT staff to enhance manual management processes. However, manual management always leaves vulnerabilities, either because managers fail to implement best security practices or because they can, if they choose, maliciously exploit their knowledge. Without automated access and workflow controls, a larger staff only exposes private keys to more people. A recent survey revealed that 40 percent of IT employees admit that they could hold their former employer hostage by withholding a key to which they still have access. With IT staff turnover that is faster than certificate rotation in many companies, the risks increase.

Manual key management simply does not ensure that keys are securely generated, distributed, deployed, maintained, and rotated as regulations—and best security practices—require.

Hefty, potential fines for failing to comply with regulations are risk enough, but the risks of ignoring these vulnerabilities extend even further:

Loss of service—If administrators fail to renew a certificate before it expires, the applications that rely on that service fail, often without any prior warning.

Security breaches—After all, regulations are not designed to give you and your staff headaches; they’re designed to protect you and your customers from security breaches that expose your customers to identity theft and your company to a ruined reputation.

You need an enterprise-focused encryption management solution that cuts across your diverse systems, platforms and applications to manage the key and certificate lifecycle transparently but securely. The solution should leverage existing solutions and automate processes based on your security policies, including:

• Generation, distribution, and management of keys and certificates that comply with company security policies

• Configuration of the applications that use keys and certificates

• Monitoring and reporting on the status of each managed component with logging and audit trails

• Enforcement of workflow and access controls that segment management duties according to company policies and impose dual control for all sensitive keys
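The exposure patterns listed earlier (shared keystores, unrotated keys, access that outlives employment), the loss-of-service risk from an unnoticed expiry, and the monitoring and dual-control requirements in the list above all reduce to checks that can be run automatically over an inventory instead of tracked in a spreadsheet. The following is an added example, not code from the article or from any product it alludes to: a small policy checker over a constructed key and certificate inventory. The asset fields, policy thresholds, rule names, and the fixed "today" date are all assumptions chosen for illustration.

```python
"""Added example: policy checks over a constructed key/certificate inventory.

Each finding corresponds to one failure mode named in the article:
  expiring / expired   - certificate about to lapse (loss of service)
  rotation-overdue     - key older than the rotation interval
  orphaned-access      - access still held by staff who have left
  no-dual-control      - sensitive key managed by a single administrator
  shared-keystore      - too many administrators share one keystore
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Policy:
    expiry_warning_days: int = 30   # warn when a certificate expires within this window
    max_key_age_days: int = 365     # keys older than this are overdue for rotation
    max_keystore_admins: int = 2    # more shared access than this is a finding
    active_staff: frozenset[str] = frozenset()  # principals who still work here


@dataclass(frozen=True)
class Asset:
    name: str
    keystore: str
    created: date                   # generation date, used for the rotation check
    admins: frozenset[str]          # principals who can read or use the material
    not_after: date | None = None   # certificates expire; raw keys may not
    sensitive: bool = False         # e.g. signing or database master keys
    dual_control: bool = False      # true when two people must approve use/changes


@dataclass(frozen=True)
class Finding:
    subject: str   # asset name or keystore name
    rule: str
    detail: str


def check_inventory(assets: list[Asset], policy: Policy, today: date) -> list[Finding]:
    """Return every policy violation in the inventory as of `today`."""
    findings: list[Finding] = []
    for a in assets:
        if a.not_after is not None:
            days_left = (a.not_after - today).days
            if days_left < 0:
                findings.append(Finding(a.name, "expired", f"expired {-days_left} days ago"))
            elif days_left <= policy.expiry_warning_days:
                findings.append(Finding(a.name, "expiring", f"expires in {days_left} days"))
        age = (today - a.created).days
        if age > policy.max_key_age_days:
            findings.append(Finding(a.name, "rotation-overdue",
                                    f"{age} days old, limit is {policy.max_key_age_days}"))
        departed = sorted(a.admins - policy.active_staff)
        if departed:
            findings.append(Finding(a.name, "orphaned-access",
                                    "still accessible to " + ", ".join(departed)))
        if a.sensitive and not a.dual_control:
            findings.append(Finding(a.name, "no-dual-control",
                                    "sensitive key managed without dual control"))

    # Keystore-level check: everyone with access to any asset in a store can
    # reach every key stored beside it, so count the union of administrators.
    admins_by_store: dict[str, set[str]] = {}
    for a in assets:
        admins_by_store.setdefault(a.keystore, set()).update(a.admins)
    for store, admins in sorted(admins_by_store.items()):
        if len(admins) > policy.max_keystore_admins:
            findings.append(Finding(store, "shared-keystore",
                                    f"{len(admins)} administrators share this keystore"))
    return findings


def sample_inventory() -> tuple[list[Asset], Policy, date]:
    """Constructed sample data (not from any real environment)."""
    today = date(2024, 6, 1)
    policy = Policy(active_staff=frozenset({"alice", "bob", "carol"}))
    assets = [
        Asset("web-tls-cert", "prod-web-jks", date(2023, 6, 15),
              frozenset({"alice", "bob"}), not_after=date(2024, 6, 15)),
        Asset("old-api-cert", "prod-web-jks", date(2023, 7, 1),
              frozenset({"bob"}), not_after=date(2024, 5, 1)),
        Asset("payment-signing-key", "shared-ops-jks", date(2022, 1, 10),
              frozenset({"alice", "bob", "carol", "dave"}), sensitive=True),
        Asset("db-encryption-key", "hsm-partition-1", date(2024, 3, 1),
              frozenset({"alice"}), sensitive=True, dual_control=True),
    ]
    return assets, policy, today


if __name__ == "__main__":
    assets, policy, today = sample_inventory()
    for f in check_inventory(assets, policy, today):
        # One line per finding, suitable for an audit log or ticketing feed.
        print(f"{today.isoformat()} {f.rule:<17} {f.subject:<22} {f.detail}")
```

Run on the constructed sample, the checker reports six findings: the web certificate expiring in 14 days, the API certificate already expired, and the payment signing key failing rotation, dual control and orphaned-access checks, plus the shared operations keystore with four administrators; the HSM-held database key passes cleanly. The same loop, fed from a real inventory export and scheduled daily, is the monitoring and audit-trail function the list above calls for.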

Too many IT and risk managers are surprised by security breaches, compromised keys or operational failures that result from sheer neglect when valuable keys are left as exposed as a password on a post-it—but they shouldn’t be, and neither should you. You can take steps to protect your encryption assets, or you can let it be your CEO on the evening news.
