By
Many organizations use encryption to secure sensitive data that belong to their customers or to the business itself. The benefits of encryption are well-known. Even so, encoding data can create certain challenges for enterprises. That's because infosec teams can't just generate a pair of encryption keys, secure the data that needs securing and forget about those cryptographic assets afterward. They need to manage the storage, exchange and use of those keys if they hope to defend against digital attackers.
Unfortunately, key management isn't always easy.
In its 2018 Global Encryption Trends Study, Thales along with Venafi and Geobridge sponsored Ponemon Institute to survey 5,252 IT and security professionals in 12 different countries about their organizations' encryption use. Their responses revealed that many enterprises continue to struggle when it comes to balancing encryption with their security posture.
Significantly, Ponemon found that 57 percent of respondents in all countries considered key management to be "painful." Russian participants expressed the lowest pain level at just a third. By contrast, just shy of two-thirds (65 percent) of Indian IT and security professionals labeled key management as a painful process.
When asked to explain why key management tends to be so challenging, respondents gave various answers. The largest group (59 percent) said unclear ownership made key management difficult. That was the same proportion of respondents who labeled assets for external cloud or hosted services as the most difficult keys to manage.
Survey participants gave other reasons for their pain, too. More than half attributed the difficulty to skilled personnel and isolated and/or fragmented systems at 57 percent and 56 percent, respectively. At the same time, 46 percent said inadequate tools were to blame.
These findings in part reflected enterprises' poor choices for implementing an effective key management solution. When asked what types of key management solutions their organization uses, nearly half (49 percent) of respondents said manual processes. Just a third admitted to using a central key management solution.
Such preferences leave much to be desired in terms of security. Organizations oftentimes have multiple departments where employees might be authorized to generate encryption keys or request a digital certificate. In those roles, they can decide to purchase them from a specific Certificate Authority (CA) or obtain them from a free provider. The key management program must account for all of these resources either way, as forgetting to renew a certificate or properly protect their keys leaves gaps through which bad actors can abuse the organization.
However, security teams can't gain that level of visibility over all their encryption assets with just a spreadsheet or a SharePoint site. These choices are bound to take too long and miss something in the inventory process. If that happens, bad actors can abuse an exposed set of encryption keys or an expired digital certificate to steal sensitive information.
Manual processes aren't the way to go when it comes to key management. Instead organizations need to embrace a centralized solution that gives them complete visibility over their encryption environment. That utility should also constantly monitor their keys and certificates for abuse.
Take your organization's key management processes to the next level.
Related posts
Lorem ipsum dolor sit amet, consectetur elit.
Thank you for subscription
Scroll to the bottom to accept
VENAFI CLOUD SERVICE
*** IMPORTANT ***
PLEASE READ CAREFULLY BEFORE CONTINUING WITH REGISTRATION AND/OR ACTIVATION OF THE VENAFI CLOUD SERVICE (“SERVICE”).
This is a legal agreement between the end user (“You”) and Venafi, Inc. ("Venafi" or “our”). BY ACCEPTING THIS AGREEMENT, EITHER BY CLICKING A BOX INDICATING YOUR ACCEPTANCE AND/OR ACTIVATING AND USING THE VENAFI CLOUD SERVICE FOR WHICH YOU HAVE REGISTERED, YOU AGREE TO THE TERMS OF THIS AGREEMENT. IF YOU ARE ENTERING INTO THIS AGREEMENT ON BEHALF OF A COMPANY OR OTHER LEGAL ENTITY, YOU REPRESENT THAT YOU HAVE THE AUTHORITY TO BIND SUCH ENTITY AND ITS AFFILIATES TO THESE TERMS AND CONDITIONS, IN WHICH CASE THE TERMS "YOU" OR "YOUR" SHALL REFER TO SUCH ENTITY AND ITS AFFILIATES. IF YOU DO NOT HAVE SUCH AUTHORITY, OR IF YOU DO NOT AGREE WITH THESE TERMS AND CONDITIONS, YOU MUST NOT ACCEPT THIS AGREEMENT AND MAY NOT USE THE SERVICE.
You shall not access the Service if You are Our competitor or if you are acting as a representative or agent of a competitor, except with Our prior written consent. In addition, You shall not access the Service for purposes of monitoring its availability, performance or functionality, or for any other benchmarking or competitive purposes, and you shall not perform security vulnerability assessments or penetration tests without the express written consent of Venafi.
This Agreement was last updated on April 12, 2017. It is effective between You and Venafi as of the date of Your accepting this Agreement.
The Venafi Cloud Service includes two separate services that are operated by Venafi as software as a service, each of which is separately licensed pursuant to the terms and conditions of this Agreement and each of which is considered a Service under this Agreement: the Venafi Cloud Risk Assessment Service or the Venafi Cloud for DevOps Service. Your right to use either Service is dependent on the Service for which You have registered with Venafi to use.
This License is effective until terminated as set forth herein or the License Term expires and is not otherwise renewed by the parties. Venafi may terminate this Agreement and/or the License at any time with or without written notice to You if You fail to comply with any term or condition of this Agreement or if Venafi ceases to make the Service available to end users. You may terminate this Agreement at any time on written notice to Venafi. Upon any termination or expiration of this Agreement or the License, You agree to cease all use of the Service if the License is not otherwise renewed or reinstated. Upon termination, Venafi may also enforce any rights provided by law. The provisions of this Agreement that protect the proprietary rights of Venafi will continue in force after termination.
This Agreement shall be governed by, and any arbitration hereunder shall apply, the laws of the State of Utah, excluding (a) its conflicts of laws principles; (b) the United Nations Convention on Contracts for the International Sale of Goods; (c) the 1974 Convention on the Limitation Period in the International Sale of Goods; and (d) the Protocol amending the 1974 Convention, done at Vienna April 11, 1980.
In the meantime, please explore more of our solutions
In the meantime, please explore more of our solutions
This site uses cookies to offer you a better experience. If you do not want us to use cookies, please update your browser settings accordingly. Find out more on how we use cookies.