Encryption key management: Critically important, frighteningly immature
The development of enterprise-class key management systems lags well behind the adoption of encryption technologies, says analyst Jon Oltsik.
Large organizations are deploying more and more encryption technologies these days on laptops, tape backup systems, mobile devices--everywhere.
Yes, they are concerned about regulatory compliance, data breaches, and embarrassing front-page headlines, but there is something else going on as well. Technology suppliers are now baking encryption into technology components and systems. As encryption becomes cheap and ubiquitous, risk-averse users will likely deploy it everywhere.
Ironically, multilayer encryption may actually compromise data security. Why? If data is encrypted multiple times, someone better know about the chain of encryption events that took place. Each encryption activity relies on an encryption key to return digital gobbledygook into readable text (i.e. Cleartext). One lost encryption key and the data cannot be recovered. Avoiding this problem demands formalized processes and robust technologies for key management--creating, organizing, storing, and auditing encryption keys.
Following this logic, key management plays an extremely important role in the world of data security/privacy. The problem here is that the development of enterprise-class key management systems lags well behind the adoption of encryption technologies. Large organizations already have lots of islands of encryption and the situation is getting worse, not better.
Why not integrate key management systems together to have centralized "command and control"? The problem here is the lack of solid key management standards. The Institute of Electrical and Electronics Engineers deserves a lot of credit for jumping into this messy situation with a key management standards effort dubbed P1619.3. There is a lot of brainpower behind P1619, but things are progressing slowly. In the meantime, users are crying for help.
In my view, something has to give and every vendor involved in key management standards has to eat a big slice of humble pie. Large vendors who are paying lip service to the IEEE effort must get more engaged quickly. The standards body itself needs to adopt a "start small and grow" mentality, get a 1.0 specification to the market soon, and proceed from there.
If these things don't happen, encryption key management will become a proprietary battle with multiple standards and one-off sales and marketing arrangements between vendors. Large organizations will be forced into extremely detailed and complex data security processes and the risk of unrecoverable data due to a lost encryption key grows exponentially.
In my mind, there is something immoral about prioritizing individual corporate business agendas over a global effort to improve security. Do we as an industry want to be responsible for this outcome?