Blog | Townsend Security

Symantec Survey Shows Need for Focus on Encryption Key Management

Written by Chris Sylvester | Dec 1, 2011 5:51:00 PM

Yesterday, our partner, Symantec, released a survey on enterprise encryption practices.  The study contained both good news and bad shows when it comes to encryption and key management.  

First the good news, in a recent interview with eWeek Tim Matthews, senior director of product marketing at Symantec said, “About 48 percent of the survey participants reported their organization had increased their use of encryption over the past two years, with one third reporting "somewhat to extremely frequent" deployments of "rogue" projects without any centralized management oversight.”

Now the bad news, Tim Matthews goes on to say, “Business groups and employees are often independently encrypting the data without involving the IT department. While the move to encrypt is a good thing, these unauthorized deployments are a challenge for IT because the data is lost and irretrievable if the employee loses the key, forgets the passphrase or leaves the company without passing on custody of the encryption keys. If IT doesn't have the key, it also becomes harder to properly backup the data or to access the information as part of an e-discovery request”

We understand the difficulties in managing encryption keys and have been helping companies for years with this challenge, so when we saw this statistic about poor key management, it did not come as a big surprise to us, because we hear about the challenges first hand.  The study showed:   “About 52 percent of the respondents said they have had serious key management problems, with about a third claiming that keys were lost or misplaced keys and another third citing key failure. A little over a quarter, or 26 percent for the participants, said former employees refused to hand over keys when they left the company.”

We have posted several different checklists for companies to help them in their selection of key management vendor. One of our more popular lists is the 10 questions that you should ask your potential key management vendor. Given the news in the study, we thought it was worth showing this list again:

  1. Is your key manager FIPS 140 certified?  What is the certificate number?
  2. How would you describe the encryption key payload as retrieved from the key server?  Is it simple or complex?
  3. Is there a common key retrieval application interface on all platforms?  What are the differences?
  4. What platforms do you support for key retrieval?  (Note any gaps in platform coverage for your company)
  5. Do you provide working sample code for the platforms I need? (Windows, Linux, UNIX, IBM i, IBM z)
  6. Do you supply binary libraries for all Enterprise servers?
  7. Do you have a Java key retrieval class and examples? Is it standard Java or JNI?
  8. Do you charge separate license fees for each client operating system?
  9. Do you require that we purchase consulting services from you?  Why?
  10. I am an independent software vendor (ISV), can you brand the solution and certify the solution for us?

We encourage you to download and read the study from Symantec. We are sure you will find it very informative.  Then once you have read the study and have decided you need to learn more about encryption key management, listen to this informative 15-minute podcast.