Skip to main content
banner image
venafi logo

The Pains of Encryption Key Management: Why Manual Processes Are So Hard

The Pains of Encryption Key Management: Why Manual Processes Are So Hard

encryption key management
August 16, 2018 | David Bisson

Many organizations use encryption to secure sensitive data that belong to their customers or to the business itself. The benefits of encryption are well-known. Even so, encoding data can create certain challenges for enterprises. That's because infosec teams can't just generate a pair of encryption keys, secure the data that needs securing and forget about those cryptographic assets afterward. They need to manage the storage, exchange and use of those keys if they hope to defend against digital attackers.

Unfortunately, key management isn't always easy.

In its 2018 Global Encryption Trends Study, Thales along with Venafi and Geobridge sponsored Ponemon Institute to survey 5,252 IT and security professionals in 12 different countries about their organizations' encryption use. Their responses revealed that many enterprises continue to struggle when it comes to balancing encryption with their security posture.

Significantly, Ponemon found that 57 percent of respondents in all countries considered key management to be "painful." Russian participants expressed the lowest pain level at just a third. By contrast, just shy of two-thirds (65 percent) of Indian IT and security professionals labeled key management as a painful process.

When asked to explain why key management tends to be so challenging, respondents gave various answers. The largest group (59 percent) said unclear ownership made key management difficult. That was the same proportion of respondents who labeled assets for external cloud or hosted services as the most difficult keys to manage.

Survey participants gave other reasons for their pain, too. More than half attributed the difficulty to skilled personnel and isolated and/or fragmented systems at 57 percent and 56 percent, respectively. At the same time, 46 percent said inadequate tools were to blame.

These findings in part reflected enterprises' poor choices for implementing an effective key management solution. When asked what types of key management solutions their organization uses, nearly half (49 percent) of respondents said manual processes. Just a third admitted to using a central key management solution.

Such preferences leave much to be desired in terms of security. Organizations oftentimes have multiple departments where employees might be authorized to generate encryption keys or request a digital certificate. In those roles, they can decide to purchase them from a specific Certificate Authority (CA) or obtain them from a free provider. The key management program must account for all of these resources either way, as forgetting to renew a certificate or properly protect their keys leaves gaps through which bad actors can abuse the organization.

However, security teams can't gain that level of visibility over all their encryption assets with just a spreadsheet or a SharePoint site. These choices are bound to take too long and miss something in the inventory process. If that happens, bad actors can abuse an exposed set of encryption keys or an expired digital certificate to steal sensitive information.

Manual processes aren't the way to go when it comes to key management. Instead organizations need to embrace a centralized solution that gives them complete visibility over their encryption environment. That utility should also constantly monitor their keys and certificates for abuse.

Take your organization's key management processes to the next level.

Related posts

Like this blog? We think you will love this.
certificate revocation
Featured Blog

How to Check for Revoked Certificates

Many methods exist for publishing and querying these lists but few of them are widely used.

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

See Popular Tags

You might also like

CIO Study: Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

Forrester Consulting Whitepaper: Securing the Enterprise with Machine Identity Protection
Industry Research

Forrester Consulting Whitepaper: Securing the Enterprise with Machine Identity Protection

Machine Identity Protection for Dummies
eBook

Machine Identity Protection for Dummies

About the author

David Bisson
David Bisson

David is a Contributing Editor at IBM Security Intelligence.David Bisson is a security journalist who works as Contributing Editor for IBM's Security Intelligence, Associate Editor for Tripwire and Contributing Writer for Gemalto, Venafi, Zix, Bora Design and others.

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud


Venafi Cloud manages and protects certificates



* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
(@%+^!#$?:,(){}[]~`-_)
* Please fill in this field
* Please fill in this field
* Please fill in this field
*

End User License Agreement needs to be viewed and accepted



Already have an account? Login Here

×
get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more
Chat