Management and encryption - two peas in a pod

Since the Snowden revelations, previously unknown terms such as PRISM have become deeply embedded in the public - and business - consciousness. The longer the story goes on, the more we learn and the more concerned businesses have become.

CEOs have discovered that what they assumed to be private communications are, in actual fact, nothing of the sort. Government officials can demand access to their data with no obligation to inform the company. These developments, along with the increasingly sophisticated and persistent nature of cyber attacks, has led to more and more companies evaluating the merits of data encryption.

Encryption is not a new concept, but until recently it hasn't perhaps received the C-level interest that it's now getting. Not only have the Snowden revelations brought to light how easy it is to intercept unencrypted data under national security programs, but they've also demonstrated just how much easier companies are unwittingly making it for the cyber underworld to get its hands on its favoured currency - data - if they don't encrypt it.

What makes encryption all the more appealing is that there are no technology barriers to adoption - and compared to the cost of a data breach, the investment required is relatively insignificant.

There are a multitude of other business opportunities, outside of the Snowden soap opera, that are also acting as drivers for encryption, such as the continued bring your own device trend and the need to expand into new territories which, while potentially prosperous, are also considered more risky, such as China and Russia.

With executives admitting that their confidence in data security diminishes as soon as the data leaves the office, the need to protect business-sensitive information has never been more acute.

That said, it would be a mistake to think that encryption is a silver bullet that solves the world's data security woes. Clearly it goes a long way to reinforcing the security parameter, but it is only one piece of the jigsaw puzzle.

To be truly effective, encryption needs management. Without management, as one customer recently put it to me, all you're doing is creating a whole host of ticking time bombs. Encryption does not equate to control and visibility over data, which is why you need management capabilities.

For example, it is part and parcel of corporate IT life that at some stage an employee will forget their password, rendering them unable to access the corporate network. With the right management capabilities, IT is not only able to reset the password but when the user logs on, cross reference the IP address of their machine against a map in order to ascertain if the person is indeed who they say they are. If IT has any suspicions, they can remotely wipe the hardware device that the employee is working from and kill all encrypted data.

This level of insight is key to ensuring that users remain productive but that corporate assets are protected. And it's a capability that encryption can't deliver on its own.

In the past, encryption management capabilities have had something of a bad rap. This is largely because the conversation has tended to focus on software encryption systems, which are typically hard to configure due to complex key management. This complexity is largely to do with understanding who controls the key, where it has been and who has access to it.

In large, worldwide organisations answering such questions is like looking for a needle in a haystack. The result is a number of potentially serious vulnerabilities, such as storing the keys with the data, which leave the enterprise open to not just outsider attacks but also insider threats.

It is widely accepted within security circles that to protect against this, encryption keys must be stored separately from the data they protect. As encryption gathers real momentum, companies want assurances about how the integrity of their data will be protected. At the moment there are simply too many unknowns.

But what if we could streamline encryption and management by adopting a distributed approach with hardware-based keys? If the encryption keys are embedded in the hardware of a device, part of its security DNA, then they can't be hacked.

If those keys are supported by management functionalities then if there are any concerns that the integrity of the data has been compromised, or that an unapproved individual might be able to use the keys to access the network, IT can simply flick a switch and the data will self-destruct. Problem solved.

When it comes to management and encryption, all too often the security industry is applying old-world thinking to a new-world problem. A different approach is needed. Managing encrypted data doesn't have to be complicated, but it does need to be secure.

Sven Radavics is General Manager, Asia Pacific, for Imation Mobile Security.

Image courtesy of Yuri Samoilov under CC