Avoiding Compliance, Audit and Operational Risks. Are you Gambling a Successful Audit on Key Management Processes that Fail to Measure up?
You’ve probably met someone like Patrick—the password post-it scribbler. Whenever end-user Pat signs up for an online service, the registration process forces him to create a strong password with special characters. Frustrated with all of the complicated passwords that he has to track, Pat jots the password down on a post-it note, which he sticks to his computer screen—for anyone to find and use.
What would you think if Pat were managing your company’s data security—particularly if your company must comply with data security regulations such as PCI DSS 2.0, SOX, HIPAA, GLBA, and the European Data Disclosure Act?
But, you might protest, my IT security professionals have responded diligently to the mandates of these regulations, deploying vast numbers of encryption keys and certificates to secure a wide array of platforms, applications and services. Unfortunately, in these piecemeal deployments, effective management has fallen by the wayside. Keys and certificates are deployed across disparate systems, applications, and business solutions in a stove-piped fashion, accessible to multiple administrators without audit or access control.
Overburdened security professionals, like frustrated Pat, turn to whatever costly and error-prone management processes they can cobble together, often relying on nothing more than spreadsheets that list deployed keys and certificates with their expiration dates—little better than a password on a post-it note.
Are you gambling a successful audit on key management processes that fail to measure up? Manual processes leave you vulnerable, either because managers fail to implement best security practices or because they choose to maliciously exploit their knowledge—as 40 percent of IT professionals admit that they could. A lack of management solutions or clear policies has driven administrators to expose private keys to security and compliance vulnerabilities in several ways:
• Storing multiple keys in a keystore to which many managers have shared access
• Using the same passwords to protect multiple keystores
• Distributing keys widely in even more insecure ways such as USB drives, email, and FTP servers
• Failing to rotate keys periodically
Regulatory bodies recognize this vulnerability and have mandated policies to protect against it. PCI, for instance, in the recently released PCI DSS 2.0 standards, has clarified that encrypted data remains within its auditing scope because encrypted data is only as secure as the key that decrypts it. Just as compliant organizations have implemented processes to secure sensitive data—complete with clearly-defined policies, regulated work flow, access controls, and audit trails—they must now implement processes to secure encryption keys.
You might be tempted to increase the IT staff to enhance manual management processes. However, manual management always leaves vulnerabilities, either because managers fail to implement best security practices or because they can, if they choose, maliciously exploit their knowledge. Without automated access and workflow controls, a larger staff only exposes private keys to more people. A recent survey revealed that 40 percent of IT employees admit that they could hold their former employer hostage by withholding a key to which they still have access. With IT staff turnover faster than certificate rotation in many companies, the risks increase.
Manual key management simply does not ensure that keys are securely generated, distributed, deployed, maintained, and rotated as regulations—and best security practices—require.
Hefty potential fines for failing to comply with regulations are risk enough, but the risks of ignoring these vulnerabilities extend even further:
• Loss of service—If administrators fail to renew a certificate before it expires, the applications that rely on that service fail, often without any prior warning.
• Security breaches—After all, regulations are not designed to give you and your staff headaches; they’re designed to protect you and your customers from security breaches that expose your customers to identity theft and your company to a ruined reputation.
You need an enterprise-focused encryption management solution that cuts across your diverse systems, platforms and applications to manage the key and certificate lifecycle transparently but securely. The solution should leverage existing solutions and automate processes based on your security policies, including:
• Generation, distribution, and management of keys and certificates that comply with company security policies
• Configuration of the applications that use keys and certificates
• Monitoring and reporting on the status of each managed component with logging and audit trails
• Enforcement of workflow and access controls that segment management duties according to company policies and impose dual control for all sensitive keys
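As an added illustration (not code from the original article or from any vendor product), the check below runs the four bad practices listed earlier and the monitoring-and-reporting requirement above over a constructed key and certificate inventory: it flags expired and soon-to-expire certificates, overdue rotations, a password reused across keystores, and a multi-key keystore with too many administrators. The thresholds, names, dates and passwords are assumed sample values.

```python
import hashlib
from collections import defaultdict, namedtuple
from datetime import date

# Policy thresholds (assumed values, not taken from the original article).
EXPIRY_WARN_DAYS = 30    # warn before a certificate expires and takes a service down
ROTATION_MAX_DAYS = 365  # keys older than this count as "failing to rotate periodically"
MAX_SHARED_ADMINS = 2    # more admins than this on a multi-key keystore is a finding

# password_hash is a digest of the keystore password, so reuse can be spotted without storing it.
Entry = namedtuple("Entry", "name keystore password_hash not_after last_rotated admins")

def hash_pw(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()

def audit(entries, today):
    """Return (subject, finding) pairs for every policy violation in the inventory."""
    findings = []
    stores_by_pw, entries_by_store = defaultdict(set), defaultdict(list)
    for e in entries:
        days_left = (e.not_after - today).days
        if days_left < 0:
            findings.append((e.name, "expired"))
        elif days_left <= EXPIRY_WARN_DAYS:
            findings.append((e.name, f"expires in {days_left} days"))
        if (today - e.last_rotated).days > ROTATION_MAX_DAYS:
            findings.append((e.name, "rotation overdue"))
        stores_by_pw[e.password_hash].add(e.keystore)
        entries_by_store[e.keystore].append(e)
    for stores in stores_by_pw.values():           # same password protecting several keystores
        if len(stores) > 1:
            findings.append((",".join(sorted(stores)), "shared keystore password"))
    for store, items in entries_by_store.items():  # many keys and many hands on one keystore
        admins = {a for i in items for a in i.admins}
        if len(items) > 1 and len(admins) > MAX_SHARED_ADMINS:
            findings.append((store, f"{len(items)} keys, {len(admins)} admins with shared access"))
    return findings

# Constructed sample inventory; names, dates and passwords are made up for this example.
TODAY = date(2024, 1, 15)
INVENTORY = [
    Entry("web-tls", "store-a", hash_pw("Winter2023!"), date(2024, 2, 1), date(2023, 1, 20), ("alice", "bob", "carol")),
    Entry("api-tls", "store-a", hash_pw("Winter2023!"), date(2025, 1, 1), date(2023, 11, 1), ("alice", "dave")),
    Entry("db-key", "store-b", hash_pw("Winter2023!"), date(2024, 1, 10), date(2022, 6, 1), ("erin",)),
    Entry("vpn-key", "store-c", hash_pw("unique-secret"), date(2026, 1, 1), date(2023, 12, 1), ("frank",)),
]

def run_sample():
    return audit(INVENTORY, TODAY)
```

Calling `run_sample()` returns five findings for this inventory; only `vpn-key`, which is unique-password, freshly rotated and far from expiry, is clean.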
Too many IT and risk managers are surprised by the security breaches, compromised keys, and operational failures that result from sheer neglect, from leaving valuable keys as exposed as a password on a post-it. They shouldn’t be surprised, and neither should you. You can take steps to protect your encryption assets, or you can let it be your CEO on the evening news.