You’ve probably met someone like Patrick—the password post-it
scribbler. Whenever end-user Pat signs up for an online service, the
registration process forces him to create a strong password with special
characters. Frustrated with all of the complicated passwords that he
has to track, Pat jots the password down on a post-it note, which he
sticks to his computer screen—for anyone to find and use.
What would you think if Pat was managing your company’s data
security—particularly, if your company must comply with data security
regulations such as PCI DSS 2.0, SOX, HIPAA, GLBA, and the European Data
Disclosure Act ?
But,
you might protest, my IT security professionals have responded
diligently to the mandates of these regulations, deploying vast numbers
of encryption keys and certificates to secure a wide array of platforms,
applications and services. Unfortunately, in these piecemeal
deployments, effective management has fallen by the wayside. Keys and
certificates are deployed across disparate systems, applications, and
business solutions in a stove-piped fashion, accessible to multiple
administrators without audit or access control.
Overburdened security professionals, like frustrated Pat, turn to
whatever costly and error-prone management processes that they can
cobble together, often relying on nothing more than spreadsheets that
list deployed keys and certificates with their expiration dates—and
little better than a password on a post-it note.
Are you gambling a successful audit on key management processes that
fail to measure up? Manual processes leave you vulnerable, either
because managers fail to implement best security practices or because
they choose to maliciously exploit their knowledge—as 40 percent of IT
professionals admit that they could. Lack of management solutions or
clear policies have driven administrators to expose private key security
and compliance vulnerabilities in several ways:
• Storing multiple keys in a keystore to which many managers have shared access
• Using the same passwords to protect multiple keystores
• Distributing keys widely in even more insecure ways such as USB drives, email, and FTP servers
• Failing to rotate keys periodically
Regulatory bodies recognize this vulnerability and have mandated
policies to protect against it. PCI, for instance, in the recently
released PCI DSS 2.0
standards, has clarified that encrypted data remains within its
auditing scope because encrypted data is only as secure as the key that
decrypts it. Just as compliant organizations have implemented processes
to secure sensitive data—complete with clearly-defined policies,
regulated work flow, access controls, and audit trails—they must now
implement processes to secure encryption keys.
You might be tempted to increase the IT staff to enhance manual
management processes. However, manual management always leaves
vulnerabilities either because managers fail to implement best security
practices or because they can, if they choose, maliciously exploit their
knowledge. Without automated access and workflow controls, a larger
staff only exposes private keys to more people. A recent survey revealed
that 40 percent of IT employees admit that they could hold their former
employee hostage by withholding a key to which they still have access.
With an IT staff turnover that is faster than certificate rotation in
many companies, the risks increase.
Manual key management simply does not ensure that keys are securely
generated, distributed, deployed, maintained, and rotated as
regulations—and best security practices—require.
Hefty, potential fines for failing to comply with regulations are
risk enough, but the risks of ignoring these vulnerabilities extend even
further:
• Loss of service—If
administrators fail to renew a certificate before it expires, the
applications that rely on that service fail, often without any prior
warning.
• Security breaches—After
all, regulations are not designed to give you and your staff headaches;
they’re designed to protect you and your customers from security
breaches that expose your customers to identity theft and your company
to a ruined reputation.
You need an enterprise-focused encryption management solution that
cuts across your diverse systems, platforms and applications to manage
the key and certificate lifecycle transparently but securely. The
solution should leverage existing solutions and automate processes based
on your security policies, including:
• Generation, distribution, and management of keys and certificates that comply with company security policies
• Configuration of the applications that use keys and certificates
• Monitoring and reporting on the status of each managed component with logging and audit trails
• Enforcement of workflow and access
controls that segment management duties according to company policies
and impose dual control for all sensitive keys
Too many IT and risk managers are surprised by security breaches,
compromised keys or operational failures that occur from sheer neglect
that result when you leave your valuable keys as exposed as a password
on a post-it.—but they shouldn’t be and neither should you. You can take
steps to protect your encryption assets, or you can let it be your CEO
on the evening news.
0 komentar:
Posting Komentar