Overcoming Encryption Sprawl by Asking the Right Questions

Featured article by Richard Moulds, VP Strategy, Thales e-Security

In the U.S., encryption was first used by the federal government to secure the data of U.S. agencies and companies from foreign spies. As the Internet connected and therefore endangered many corporations’ and consumers’ computers, encryption really took off and now enjoys widespread use. In an ironic twist, one of the main driver’s of encryption’s recent uptick in interest and use is worry over government surveillance. Yahoo has now encrypted its e-mail service, and Google encrypts every search term entered by users. Microsoft said that it plans to encrypt all the data traveling to and from its networks by the end of this year. The Electronic Frontier Foundation predicts that within a few years, every file crossing the Internet could be protected with encryption.

The onslaught of cyber attacks is another key driver in the renewed popularity of encryption. Whereas the technology used to be narrowly applied, it is now much more widely deployed, including within organizations’ IT systems. More data protection is a good thing, but problems have begun to occur as encryption solutions are deployed: they are creating a fragmented and inconsistent encryption landscape. This is known as encryption sprawl. As cloud services continue gathering speed, sprawl is only going to get worse unless organizations deal with the matter now.

Quality, Consistency, Safety

There are three key questions that emerge with regard to these multiple encryption silos. How can organizations:

– Determine the quality of encryption within each silo?

– Apply consistent policies across the silos?

– Safeguard data as it moves between or outside these silos?

The recent Heartbleed vulnerability has served as a powerful reminder that building sound encryption technologies is not easy. However, when it comes to measuring the quality of individual encryption technologies, there are certifications specifically focused on encryption and other cryptographic systems, most notably the suite of Federal Information Processing Standards (FIPS) where products undergo evaluation by independent labs.

As for consistency of encryption policies across silos, key management is the main sore spot. A recent Ponemon Institute survey revealed that, even though more than half of the participating companies had suffered SSH key-related compromises, 53 percent still did not have centralized control over the keys and 60 percent had no way to detect new keys introduced in the organizations. Furthermore, about 46 percent reported that they never change or rotate SSH keys – even though these keys do not expire.

Managing secrets, keeping them secret and only providing them to legitimate users for approved functions is not easy. But the mismanagement of SSH keys has the potential to stop business processes or even destroy data. As more encryption is deployed, this situation is only going to deepen in complexity and potential disaster. As the number of keys to be managed increases, organizations are starting to look for a centralized key management strategy that uses standardized policies and procedures. This is a paradigm shift – key management is effectively changing from being an encryption product-specific feature to being a product and market in its own right. An important catalyst to centralized key management is the arrival of the Key Management Interoperability Protocol (KMIP) which is a standard that enables all kinds of keys to be stored, distributed and backed up in a standard method, with the eventual aim that it will be possible to administer keys from disparate encryption systems using a centralized, shared system – essentially key management as a service.

The third question involves how data can be secured as it moves between or outside silos. Protecting data in storage or on laptops mitigates some of the risks of losing “data at rest,” but sooner or later that data moves: it is accessed by an application, shared between users or even sent to a different organization. This typically means that data is decrypted before it moves, and even if it flows over secure channels, it still creates points of vulnerabilities, “air gaps” where clear-text data can be picked off. The reason is simple: encryption deployed in silos means that applications in one silo can’t make sense of data that was encrypted in another. “End to end” encryption that spans multiple silos is a worthy goal but once again this comes down to key management and a centralized approach whereby disparate silos can access keys and therefore access data shared from elsewhere. There are examples of where this works–for example, in the area of mobile payments–but general-purpose examples are hard to find.

Encryption sprawl is the nature of the beast right now when managing enterprise data protection. Considering the three key questions above will help in the management process. A centralized key management strategy that uses standardized policies and procedures and use of certified solutions will stand companies in good stead when it comes to keeping the sprawl in check.

About the Author:

As Vice President of Product Management and Strategy, Richard Moulds contributes his well-respected data protection expertise and thought leadership to the information technology security activities of Thales. He has worked alongside the Ponemon Institute for 10 years developing the annual Global Encryption Trends Study. https://www.thales-esecurity.com/