Many organizations use encryption to secure sensitive data that belong to their customers or to the business itself. The benefits of encryption are well-known. Even so, encoding data can create certain challenges for enterprises. That's because infosec teams can't just generate a pair of encryption keys, secure the data that needs securing and forget about those cryptographic assets afterward. They need to manage the storage, exchange and use of those keys if they hope to defend against digital attackers.
Unfortunately, key management isn't always easy.
In its 2018 Global Encryption Trends Study, Thales along with Venafi and Geobridge sponsored Ponemon Institute to survey 5,252 IT and security professionals in 12 different countries about their organizations' encryption use. Their responses revealed that many enterprises continue to struggle when it comes to balancing encryption with their security posture.
Significantly, Ponemon found that 57 percent of respondents in all countries considered key management to be "painful." Russian participants expressed the lowest pain level at just a third. By contrast, just shy of two-thirds (65 percent) of Indian IT and security professionals labeled key management as a painful process.
When asked to explain why key management tends to be so challenging, respondents gave various answers. The largest group (59 percent) said unclear ownership made key management difficult. That was the same proportion of respondents who labeled assets for external cloud or hosted services as the most difficult keys to manage.
Survey participants gave other reasons for their pain, too. More than half attributed the difficulty to skilled personnel and isolated and/or fragmented systems at 57 percent and 56 percent, respectively. At the same time, 46 percent said inadequate tools were to blame.
These findings in part reflected enterprises' poor choices for implementing an effective key management solution. When asked what types of key management solutions their organization uses, nearly half (49 percent) of respondents said manual processes. Just a third admitted to using a central key management solution.
Such preferences leave much to be desired in terms of security. Organizations oftentimes have multiple departments where employees might be authorized to generate encryption keys or request a digital certificate. In those roles, they can decide to purchase them from a specific Certificate Authority (CA) or obtain them from a free provider. The key management program must account for all of these resources either way, as forgetting to renew a certificate or properly protect their keys leaves gaps through which bad actors can abuse the organization.
However, security teams can't gain that level of visibility over all their encryption assets with just a spreadsheet or a SharePoint site. These choices are bound to take too long and miss something in the inventory process. If that happens, bad actors can abuse an exposed set of encryption keys or an expired digital certificate to steal sensitive information.
Manual processes aren't the way to go when it comes to key management. Instead organizations need to embrace a centralized solution that gives them complete visibility over their encryption environment. That utility should also constantly monitor their keys and certificates for abuse.