Encryption key management worries loom

Encrypted storage will require storage admins to think through key management

As long as IT managers encrypt data using only one vendor's products, the keys used to decrypt that data can be relatively easy to manage. But it will likely become much more complicated as more vendors build encryption into more and different types of storage devices, each with their own key management system, and as users need to move encrypted data among devices for disaster recovery, legal discovery or simply everyday business communications.

"If you share the key, you share the data; if you lost the key, you've lost the data," says Dennis Hoffman, general manager of the data security unit of RSA Security, now owned by EMC. The fear of losing decryption keys (and thus their data) has kept many organizations from encrypting stored data. But faced with regulations requiring that customer data be kept safe, and the prospect of hefty fines and bad publicity when backup tapes are lost, more and more companies are encrypting stored data. Another factor, security experts say, is that if the data on a lost or stolen tape or disk drive has been encrypted, the company that owns the data often isn't required to report the loss.

While in the past encryption usually required a standalone appliance, vendors including IBM, Sun Microsystems and Spectra Logic offer tape libraries with built-in encryption capabilities. In October, Seagate Technology announced it will include Full Disk Encryption (FDE) technology in all its enterprise-class drives, and vendors such as Oracle offer encryption in their databases.

That blizzard of encryption, and of keys, calls for a single, unified approach that puts "all the keys to the kingdom all in one place and managed, ideally, by one group in the organization," says Richard Moulds, vice president of nCipher Corp. Ltd., a security hardware and software vendor. Whether or not the storage group is in charge of key management, experts say, they need to understand how key management works and where storage keys fit into the big picture.

Encryption basics

Encryption converts plain text into unreadable form, and keys are numbers which are used by an algorithm to either encrypt or decrypt data.

In symmetric encryption, the same key is used for both encryption and decryption. Asymmetric encryption, also called public key encryption, employs two keys, one public and one private, and is often used to encrypt communication over unsecure channels such as the Internet. In public key encryption, the sender uses the recipient's public key (to which they have access) to encrypt the data, and the recipient uses their private key (to which only they have access) to decrypt it.

To assure the authenticity of the public keys, many organizations deploy a public-key infrastructure, or PKI, which consists of a certificate authority that issues and verifies digital certificates. The certificates identify an individual or organization and include the public key or information about it. PKIs also include a registration authority that verifies the certificate before it is issued, a directory to store the certificates and a system for managing the certificates.

Management needs

The key management systems found in most tape encryption systems "are fairly automated and (the customer doesn't) have to worry about it too much," says Walt Hubis, a software architect at LSI Logic and chair of the key management services subgroup at the Trusted Computing Group, a non-profit security standards organization.

But key management will become more complex, experts say, as encryption finds its way into more and more storage devices, in addition to the existing encryption used in networks and in applications such as databases.

Depending on the complexity of a company's environment, a management system may need to control which users, applications can create and destroy keys, send and receive keys and determine how long keys will remain in effect. Some keys (such as those used to encrypt data in transit) only have a lifecycle of a second or so, says Hubis, while others that protect medical data must be maintained for 20 years or more. In addition to managing keys for encrypting and decrypting data, a management system might also need to handle the keys used to encrypt and decrypt the keys themselves.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Robert L. Scheier

Computerworld
Show Comments

Cool Tech

Toys for Boys

Family Friendly

Stocking Stuffer

SmartLens - Clip on Phone Camera Lens Set of 3

Learn more >

Christmas Gift Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Aysha Strobbe

Microsoft Office 365/HP Spectre x360

Microsoft Office continues to make a student’s life that little bit easier by offering reliable, easy to use, time-saving functionality, while continuing to develop new features that further enhance what is already a formidable collection of applications

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?