Key Management Refresher: Beyond the Bare Minimum
For any organization managing encryption keys, creating, maintaining, and improving a key management system can seem like a frustrating or even impossible task. That frustration usually stems from a few common mistakes. Beyond the annoyance of an inefficient system, key management mistakes can have a far more damaging effect: data breaches. Fortunately, these mistakes are easily preventable with some instruction. In our whitepaper, Ten Key Management Mistakes…And How to Avoid Them, we discuss ten actions that can make or break a key management system.
Data security practices are seldom black and white. Rather, they’re more like a scale of bad to best. It’s easy to identify bad practices, but the problem organizations often face is settling for “good” practices instead of striving for “the best.” This problem usually originates from the belief that achieving the goals outlined by auditors in order to meet compliance means that their organization has done all it needs to do to enforce proper data security measures. The truth of the matter is that “checkbox compliance” is not the end goal. It’s the bare minimum.
This is not a problem that can be solved simply by adding more boxes to the checklist. System administrators must learn to think critically about their IT infrastructures. Compliance mandates are by necessity very broad and general, as there is no way to address every minute detail for every organization. It is up to your administrators to apply basic concepts to their specific infrastructure, analyzing the system and determining what additional actions need to be taken to fully protect their environment, instead of simply meeting the requirements and calling it quits.
How can administrators apply these concepts to their key management policies? Let’s think of actions in terms of the bad (things prohibited by auditors), the good (things recommended by auditors), and the best (things that go beyond the recommended approach).
It’s obvious that using “Password” as a password is a bad practice. Using a password such as “Ilikesoccer” significantly improves its strength, but don’t stop there. Consider a truly secure password like “iL2plAs0cEr”. Yes, that password will be hard to remember, but that’s where pass phrases can make things easier. Use a passphrase like “I like to play soccer” to help you remember the password.
Most likely, your key management system already requires dual control, but this security measure can be enhanced further with dual factor authentication. Authentication factors usually fall into three types:
- Something you know, such as a password
- Something you own, such as a smart card
- Something you are, such as biometric factors like fingerprints or iris scans
Organizations recognize the importance of employee training, but how much value is placed on it? Instead of simply having a best practices training session once a year, hold engaging meetings on a regular basis, with varied content that isn’t simply repeating the same information over and over again.