Just because data is encrypted, doesn’t necessarily mean it is safe...
(Based on the latest "Security Insider" Podcast Edition with Paul Taylor)
The good news is that encryption key management and data security have come a long way within the past few years. Organizations no longer have to maintain patchwork methods, because affordable, available, and interoperable solutions now exist that can solve their problems. Encryption and encryption key management are now industry standard and work across both legacy and newer business systems, multi-platform and multi-tenant networks, remote access workstations, geographically distributed offices, data centers and third-party business partners.
Now your risk management approach can go beyond compliance considerations and really focus on protecting your customers' personal data and also your business information (and reputation). Encryption and key management can now be a main security control for your organization, rather than a compensating control that is performed only in cases where other controls fail. We have to always remember that data gets out, and instead of using encryption as a last resort in a defense-in-depth strategy, it needs to be the fundamental consideration in protecting your most important resources. Along with that approach is what we believe is the most important consideration and a basic tenet of a strong encryption key management program: securely separate the data being encrypted from the keys performing that data encryption. Even if someone gets unauthorized access to your data, they can't read it when it is encrypted. An encryption key manager enables a secure channel between the encryption keys and wherever that data may reside. Technology has evolved to enable stronger management, so companies no longer have to leave their encryption keys under the front door mat, so to speak.
Principles of effective key management include being able to streamline and securely manage encryption keys across different systems and multiple locations, including virtual machines or applications in the cloud. First and foremost, there has to be the ability to readily manage the encryption keys through the entire key lifecycle. It is essential for an encryption key manager to enable dual control and separation of duties to effectively create, activate, delete, expire and retire keys and to perform additional key controls, including key escrow. Separating encryption keys from encrypted data, whether the data is held by an internal or external business partner or by cloud-based services, is so important, and failing to do so is an often overlooked high risk to the organization. Despite really good controls and really talented security personnel, there are still people with hostile intent who will design malicious code to go out there and capture and replay credentials. That's why managing encryption keys separately from the systems where the data resides is so critical, and why managing the encryption keys you provide to third parties and cloud environments is now a recognized industry standard practice with very real benefits.
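The lifecycle, dual-control and key-separation principles above, as an added example that is not Townsend Security's code: a toy key manager owns key material and its state (pre-activation, active, deactivated, destroyed), requires two distinct admins to approve destruction, and a separate data store holds only ciphertext plus a key id. The HMAC-based keystream cipher is a constructed stand-in for a real cipher such as AES-GCM, and all class and method names are assumptions.

```python
import hashlib, hmac, os

# Toy keystream cipher (HMAC-SHA256 in counter mode) standing in for AES-GCM;
# constructed for this example only, not for production use.
def toy_cipher(key, nonce, data):
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

class KeyManager:
    """Owns key material and its lifecycle state; never sees the data."""
    def __init__(self):
        self._keys = {}  # key_id -> {"material", "state", "approvals"}
    def create(self, key_id):
        self._keys[key_id] = {"material": os.urandom(32),
                              "state": "pre-activation", "approvals": set()}
    def activate(self, key_id):
        self._keys[key_id]["state"] = "active"
    def retire(self, key_id):
        self._keys[key_id]["state"] = "deactivated"  # decrypt-only from now on

    def approve_destroy(self, key_id, admin):
        """Dual control: two distinct admins must approve before destruction."""
        k = self._keys[key_id]
        k["approvals"].add(admin)
        if len(k["approvals"]) >= 2:
            k["material"], k["state"] = None, "destroyed"
        return k["state"]

    def use(self, key_id, encrypting):
        """Release key material only in a state that permits the operation."""
        k = self._keys[key_id]
        allowed = ("active",) if encrypting else ("active", "deactivated")
        if k["state"] not in allowed:
            raise PermissionError(f"key {key_id} is {k['state']}")
        return k["material"]

class DataStore:
    """Holds ciphertext plus a key id only; keys live in the KeyManager."""
    def __init__(self, km):
        self.km, self.records = km, {}

    def put(self, name, key_id, plaintext):
        nonce = os.urandom(12)
        self.records[name] = (key_id, nonce, toy_cipher(self.km.use(key_id, True), nonce, plaintext))

    def get(self, name):
        key_id, nonce, ct = self.records[name]
        return toy_cipher(self.km.use(key_id, False), nonce, ct)
```

A compromised data store yields only ciphertext and key ids, and once both admins approve destruction even the key manager can no longer decrypt the records.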
“Must-haves” when evaluating an effective key management solution:
- Alignment with evolving NIST and FIPS guidance
- A solution that’s affordable and easily deployed
- A key manager that distributes encryption keys across all platforms
- An implementation with known costs - meaning no endpoint licensing fees or additional professional service fees.
- Trusted transparency with a security partner
Townsend Security’s Encryption Key Manager
We are proud to be leading the industry in encryption key best practices, and we want to make data security affordable and straightforward so that companies of every size can encrypt their most important data. No one knows the challenges of connecting and protecting business applications and architecture better than Townsend Security. Our mission is to make industry-leading key management affordable and deployable for everybody. Our goal is to enable strong, affordable, easy-to-deploy encryption key management, no matter your industry or company size. Our technology is tried, tested, and trusted, based on proven, reliable standards, highly affordable, FIPS 140-2 compliant, top-rated in customer support and deployable in physical, hosted, and virtual environments, with no hidden costs, no endpoint licensing fees, and flexible pricing options available as either a perpetual license or a monthly subscription.