Townsend Security Data Privacy Blog

Should Solution Providers Offer Encryption Key Management?

Posted by Luke Probasco on Apr 18, 2013 4:36:00 PM

Like any business, for a solution provider to succeed they must meet the evolving needs of their customers.  In the IT world, we all know that data management is one of the most important, complex, and fast growing needs of businesses. From disk backups to managed hosting and cloud services, solution providers are moving towards offering more of these services and at lower costs. Unfortunately, with the amount of data storage and management growing at an exponential rate every year, a major need of most businesses that goes overlooked is data security.

Encryption Key Management Simplified

Today almost every business must adhere to data security regulations set forth by industry standards groups. In retail, these standards are Payment Card Industry Data Security Standards (PCI-DSS). In the medical vertical, HIPAA/HITECH Act mandates the protection of sensitive patient data. Other regulations such as SOX, FISMA, and GLBA/FFIEC cover most other entities. All of these regulations mandate or recommend the use of AES encryption and encryption key management.

We would all like to think that IT directors and executives of every business adhere to these standards and recommendations and choose solution providers that provide them with encryption key management. However, as we witness easily preventable data breaches every week in the news, we know that this is simply not true.  

What IT executives and solution providers don't seem to realize yet is that in the event of a major data breach, at least two parties will take the fall: The IT executive and the solution provider(s).

Take for example the Utah Department of Health data breach that occurred in March of last year. This highly publicized breach was caused by a hacker who accessed 280,000 social security numbers as well as other private health information (PHI) and personally identifiable information (PII) such as birth dates, home addresses, and taxpayer ID numbers.

This attack was considered easily preventable.

How are these kinds of attacks easily preventable? When encryption and key management best practices are used, this kind of data is rendered totally unusable by hackers. That's why encryption and key management are considered the highest standard of data security and why they are mandated by industry regulations such as PCI-DSS and GLBA/FFIEC. If AES standard encryption and encryption key management best practices were used in Utah's Department of Health IT center, it is unlikely that the data breach would have occurred.

In the end, Utah's CTO was pushed to resign and the technology used to process data totally overhauled.

Unfortunately, companies in general are pretty confused about when, where, and how to encrypt sensitive data, even though both encryption and encryption key management are recommended, if not mandated, by most industry regulations. Worst of all, many companies who know they should be encrypting their data don't do it because of budget (a direct indicator of priorities)! This results in a LOT of unprotected sensitive data.

Ultimately, consumers assume that the businesses they patron are protecting their personal data, but the truth is, not all of them are!

The threat of data breaches and cyber attacks is not going away. In fact, these events are increasing every year. Solution providers offering data management tools to companies in retail, healthcare, finance/banking, and many other industries should absolutely be offering their customers encryption and encryption key management. Several solution providers currently offering encryption and encryption key management are already at a competitive advantage to providers that don't.

To learn more about how easy encryption key management can be, download the podcast, “Simplifying Encryption and Key Management: Removing Complexity and Cost” featuring data privacy expert Patrick Townsend.

Topics: Data Privacy, Solution Integrators/Providers