Is your encryption getting out of control?
by Richard Moulds - VP Strategy at Thales e-Security - Thursday, 14 August 2014.
2014 marks the 25th anniversary of the creation of the World Wide Web. From its earliest beginnings, users have demanded security for their sensitive information and web sites have universally responded by supporting encryption protocols such as SSL/TLS to encrypt data as it moved across the wires.

Since those early days, encryption has come a long way. Its use is no longer limited to the company’s web site. With data privacy legislation, data breach disclosure laws, organized crime and, more recently, concerns over state-sponsored cyber-attacks and government surveillance, the use of encryption has become pervasive, a last line of defence – if the data is encrypted, who cares if it gets stolen?

Respected media outlets have referred to 2014 as the ‘year of encryption’. That sort of prediction raises concerns even for people who have been working with encryption technologies for years; those in the banking sector and governments know what the implications are, but for the rest of us this is a step into the unknown.

Encryption technology is now proliferating within many organizations at a prodigious rate. Encryption is deployed in the cloud and on premises; for protecting data at rest, data in motion and data in use; in databases, on memory sticks, in email, in storage networks; the list goes on.

The trouble is that in almost all cases these encryption deployments will rely on point solutions which, although they might use familiar sounding encryption algorithms (AES, RSA etc.), are far from compatible, creating security pockets that are tied to individual applications or elements of IT infrastructure. Inevitably, at an enterprise-wide level, organizations will suffer from fragmentation and inconsistency, or encryption sprawl.

Encryption sprawl can be a major headache for any organization. Sprawl drives up the costs of managing the myriad of encryption devices, increases the risk of error, makes compliance and forensics more painful and limits flexibility – all at a time when resources are under pressure to do more with less.

So just how can an organization prevent encryption sprawl? Here are three top tips:

Understand your environment - discovery, consistency, certification

Even if encryption sprawl in your organization is unavoidable, at least focus on consistency and quality. Keep a record of where encryption is being used, define an internal set of approved algorithms (NIST 800-131 is a good start) and avoid proprietary algorithms completely. Where possible, select products that have a formal security certification where the implementation of the product has been independently validated (the FIPS 140 validation program is the most widely recognized).

And finally, make sure that these disparate encryption systems are kept up to date and patched correctly. The recent Heartbleed vulnerability illustrates this need very well. Taking these measures won’t do much to address the inefficiency of sprawl but they will at least help you know where you stand, avoid basic vulnerabilities and prepare you for the next step.
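
As an added illustration (not part of the original article), the sketch below audits a constructed encryption inventory against an internal approved-algorithm list, recorded FIPS 140 validation and patch age. The policy table, field names, system names and the 90-day patch threshold are assumptions made for the example.

```python
import re
from datetime import date

# Assumed internal policy for this example: algorithm family -> minimum key
# size in bits. A real list would be derived from the standard you adopt.
APPROVED_MIN_BITS = {"AES": 128, "RSA": 2048}

# Constructed inventory records; systems, algorithms and dates are made up.
INVENTORY = [
    {"system": "hr-database", "algorithm": "AES-256", "fips140": True, "last_patched": "2014-07-20"},
    {"system": "legacy-vpn", "algorithm": "RSA-1024", "fips140": True, "last_patched": "2014-06-30"},
    {"system": "usb-encryptor", "algorithm": "VendorCrypt-128", "fips140": False, "last_patched": "2014-08-01"},
    {"system": "mail-gateway", "algorithm": "AES-128", "fips140": True, "last_patched": "2013-11-02"},
]

def audit(record, today, max_patch_age_days=90):
    """Return the list of policy findings for one inventory record."""
    findings = []
    match = re.fullmatch(r"([A-Za-z0-9]+)-(\d+)", record["algorithm"])
    if not match:
        findings.append("unparseable algorithm")
    else:
        family, bits = match.group(1).upper(), int(match.group(2))
        if family not in APPROVED_MIN_BITS:
            findings.append("algorithm not on approved list")
        elif bits < APPROVED_MIN_BITS[family]:
            findings.append("key size below minimum")
    if not record["fips140"]:
        findings.append("no FIPS 140 validation recorded")
    age = (today - date.fromisoformat(record["last_patched"])).days
    if age > max_patch_age_days:
        findings.append("patch older than %d days" % max_patch_age_days)
    return findings

def audit_all(inventory, today):
    """Map each system that has findings to its list of findings."""
    report = {}
    for record in inventory:
        findings = audit(record, today)
        if findings:
            report[record["system"]] = findings
    return report

if __name__ == "__main__":
    for system, findings in audit_all(INVENTORY, date(2014, 8, 14)).items():
        print(system, "->", "; ".join(findings))
```
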

Take control of your keys

At some point you’ll need to take a more active approach to sprawl and take control. As this year’s Global Encryption Trends Study highlighted, key management is the number one pain point when it comes to encryption. Keys are secrets and managing secrets is hard, but key management goes way beyond this. From an operational perspective, not having the right keys in the right place at the right time can bring systems to a standstill and lock out users; worse still, losing a key might well mean destroying the data it encrypted forever.
