More and more enterprises have listened to the opinions of regulatory agencies and increased the intensity of database encryption to ensure the security of data information in the event of large-scale violations. However, without a strong and effective key management practice specification, these enterprises may find that their data encryption measures are just useless.
"Encryption key management is the most important part," said Pravin kotali, CEO of CipherCloud. If you cannot handle keys, it is best to keep unencrypted information in plain text format ."
The encryption key is one of the most difficult inventions to share confidential information between the encryption system and authorized users and accounts. It obfuscated and complicated the process of securely decrypting data. This makes the key very valuable. If the enterprise does not carefully process the methods and locations for storing keys, it is likely to cause the theft of confidential data. If the key is misplaced, it is likely to lose it forever.
"Encryption is really simple. The mathematical process of encryption only converts a set of data into another set of different data ." Richard Moss, vice president of product management and strategy at Reitz electronic security, said. "Key management is the core of application and vulnerability exposure. At the end of each day, the key must be kept confidential. Otherwise, the encryption measures taken before that are only a waste of time ."
However, it is estimated that only about 20% of the most mature financial institutions have achieved real encryption management in all his business cooperation with the company. When processing a large number of databases and local encryption across multiple platforms, the database encryption deployment is suffering from the insecure key management crisis caused by scalability problems.
"When the number of encrypted databases is surging, people are in trouble ." Said Todd ximan, Senior Product marketing director at volmi. "If you have met the above database, you have also obtained a very troublesome management job ."
He said he had learned many examples of incorrect Enterprise Management encryption keys.
"In a project, we saw an SSH key to access Amazon stored on an internal Wiki page ." He said. "This is not a safe and proper practice ." "You need to keep these things safe and have control. In this way, we can get a good security status and show your auditors that everything is compliant ."
The basic principle of database encryption key management is never to store the key and the encrypted database on the same server.
"It's no big difference than taking the car key while you're parking," kotali said. For key management, it is essential to completely remove the key from the database ."
Regardless of where the enterprise chooses to store the key, the storage location should be secure and traceable, and have the same backup and recovery mechanisms as its data itself. If the key is lost or destroyed due to a disaster, the data will remain intact.
"We have indeed heard of some serious events surrounding security or key theft, either because the key is misplaced or lost ." Moss said, "If you lose these keys, you will basically have to get data in the form of passwords forever. This is a common phenomenon ."
In addition to the storage of keys, enterprises also need to carefully consider the governance of key administrators. Auditors will find different persons in the company for separation of duties to ensure that not the same person is responsible for all data management. Generally, the Database Administrator does not have control over the key.
"In most cases, data administrators are willing to take that type of security responsibility, because they are more focused on database maintenance, and they are also very happy to help the security team ." Himan is happy to say.
Kotali suggests that you not only need to separate duties, but also add a secondary security layer to ensure that multiple custodians monitor keys. In this way, even if an administrator has any problems or encounters moles, there will be a set of checks and balances to ensure that others can restore the use of keys.
Kotali also said: "You need multiple custodians to distribute control. A single key custodian cannot completely control data access ."
In today's cloud era, the key control problem has also been raised to a new height, kotali said. In many cases, enterprises allow their cloud service providers to have key control, but kotali believes that when encrypted data is built on the infrastructure provided by cloud service providers, key management of enterprises should adopt "level-based decentralization" measures to control keys only in their hands.