Encryption key management: Critically important, frighteningly immature

The development of enterprise-class key management systems lags well behind the adoption of encryption technologies, says analyst Jon Oltsik.

Large organizations are deploying more and more encryption technologies these days on laptops, tape backup systems, mobile devices--everywhere.

Yes, they are concerned about regulatory compliance, data breaches, and embarrassing front-page headlines, but there is something else going on as well. Technology suppliers are now baking encryption into technology components and systems. As encryption becomes cheap and ubiquitous, risk-averse users will likely deploy it everywhere.

Ironically, multilayer encryption may actually compromise data security. Why? If data is encrypted multiple times, someone had better know about the chain of encryption events that took place. Each encryption activity relies on an encryption key to turn digital gobbledygook back into readable text (i.e. cleartext). Lose one encryption key in that chain and the data cannot be recovered. Avoiding this problem demands formalized processes and robust technologies for key management--creating, organizing, storing, and auditing encryption keys.
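The chain-of-encryption problem is easy to see in code. The following is an added illustration, not code from the column or from any vendor product: a minimal key registry that records which key was used for each layer, logs every key event for audit, and refuses to decrypt once a key in the chain is gone. The cipher is a stdlib-only HMAC-SHA256 counter-mode stream (confidentiality only, no integrity check; a production system would use an AEAD mode and an HSM-backed store), and all names, the envelope format, and the sample data are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive a keystream by running HMAC-SHA256 in counter mode over the nonce."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def plaintext_envelope(data: bytes) -> dict:
    """An envelope with no encryption layers yet (hypothetical format)."""
    return {"layers": [], "data": data}


class KeyManager:
    """Toy central key store: creates, stores, destroys and audits keys."""

    def __init__(self):
        self._keys = {}   # key_id -> 32-byte key
        self.audit = []   # every create/encrypt/decrypt/destroy event

    def _log(self, event: str, key_id: str) -> None:
        self.audit.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "event": event,
            "key_id": key_id,
        })

    def create_key(self, label: str) -> str:
        key_id = f"{label}-{secrets.token_hex(4)}"
        self._keys[key_id] = secrets.token_bytes(32)
        self._log("create", key_id)
        return key_id

    def destroy_key(self, key_id: str) -> None:
        """Simulates a lost or prematurely retired key."""
        self._keys.pop(key_id)
        self._log("destroy", key_id)

    def _key(self, key_id: str) -> bytes:
        if key_id not in self._keys:
            # The audit trail still names the key, but the material is gone:
            # every layer above it is now unrecoverable.
            raise LookupError(f"key {key_id} is not held by the key manager")
        return self._keys[key_id]

    def encrypt_layer(self, env: dict, key_id: str) -> dict:
        """Wrap the envelope in one more encryption layer under key_id."""
        nonce = secrets.token_bytes(16)
        stream = _keystream(self._key(key_id), nonce, len(env["data"]))
        self._log("encrypt", key_id)
        return {"layers": env["layers"] + [key_id],
                "data": nonce + _xor(env["data"], stream)}

    def decrypt_all(self, env: dict) -> bytes:
        """Peel layers from the outermost inward; fails if any key is missing."""
        data = env["data"]
        for key_id in reversed(env["layers"]):
            key = self._key(key_id)
            nonce, ct = data[:16], data[16:]
            data = _xor(ct, _keystream(key, nonce, len(ct)))
            self._log("decrypt", key_id)
        return data


if __name__ == "__main__":
    km = KeyManager()
    laptop_key = km.create_key("laptop-fde")     # constructed labels
    backup_key = km.create_key("tape-backup")
    env = plaintext_envelope(b"quarterly numbers")   # constructed sample data
    env = km.encrypt_layer(env, laptop_key)          # layer 1: disk encryption
    env = km.encrypt_layer(env, backup_key)          # layer 2: backup encryption
    print("layers:", env["layers"])
    print("recovered:", km.decrypt_all(env))
    km.destroy_key(laptop_key)                       # the inner key is lost
    try:
        km.decrypt_all(env)
    except LookupError as exc:
        print("unrecoverable:", exc)
```

The envelope's `layers` list is the piece that the column says "someone better know about": it is the record of which key protected which layer, in order. Without a central registry that both stores the key material and keeps that ordering, the outer layer can be removed and the inner one still leaves the data as gobbledygook.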

Following this logic, key management plays an extremely important role in the world of data security/privacy. The problem here is that the development of enterprise-class key management systems lags well behind the adoption of encryption technologies. Large organizations already have lots of islands of encryption and the situation is getting worse, not better.

Why not integrate key management systems together to have centralized "command and control"? The problem here is the lack of solid key management standards. The Institute of Electrical and Electronics Engineers deserves a lot of credit for jumping into this messy situation with a key management standards effort dubbed P1619.3. There is a lot of brainpower behind P1619, but things are progressing slowly. In the meantime, users are crying for help.

In my view, something has to give and every vendor involved in key management standards has to eat a big slice of humble pie. Large vendors who are paying lip service to the IEEE effort must get more engaged quickly. The standards body itself needs to adopt a "start small and grow" mentality, get a 1.0 specification to the market soon, and proceed from there.

If these things don't happen, encryption key management will become a proprietary battle with multiple standards and one-off sales and marketing arrangements between vendors. Large organizations will be forced into extremely detailed and complex data security processes and the risk of unrecoverable data due to a lost encryption key grows exponentially.

In my mind, there is something immoral about prioritizing individual corporate business agendas over a global effort to improve security. Do we as an industry want to be responsible for this outcome?

Jon Oltsik is a senior analyst at the Enterprise Strategy Group.