CyberSecurity SEE

A Cost-Effective Encryption Strategy Begins With Key Management

Encryption has become a crucial aspect of data security for companies, but the management of encryption keys is often overlooked. Without proper key management, the encrypted data is at risk of being accessed by attackers who gain control of the keys. To address this issue, Karen Reinhardt, principal engineer for cryptographic services at Home Depot, emphasized the need for organizations to create a comprehensive key-management policy tailored to their specific needs.

During the RSA Conference in San Francisco, Reinhardt highlighted the importance of individualized key-management strategies for different types of businesses. While cloud-native startups can benefit from managing encryption keys in the cloud, larger enterprises with legacy technology may require a locally hosted system with hybrid infrastructure. Additionally, it is essential to consider the implications of the post-quantum future on key management.

One of the key lessons Reinhardt shared was the critical nature of decryption keys in ensuring data availability. She pointed out that data encrypted without proper decryption keys becomes useless, highlighting the importance of maintaining a controlled archive of decryption keys within organizations. Reinhardt emphasized the irreplaceable nature of encrypted data, stressing the significance of safeguarding decryption keys.

Moreover, Reinhardt cautioned against the blanket approach of “encrypting everything,” noting that it can be a costly endeavor for companies. While encryption is a vital security measure, organizations need to weigh the expenses associated with encryption infrastructure against the potential costs of a security breach. By focusing on what truly needs to be kept secret, companies can achieve optimal security without overspending on unnecessary encryption measures.

With the increasing shift towards cloud services, companies are faced with the challenge of managing data sprawl and key sprawl. It is crucial for organizations to assess their critical data, encryption needs, and how each cloud service handles encryption keys to centralize management and enhance control. Whether keys are stored locally, in the cloud, or with a third-party vendor, companies must have a clear understanding of their key management processes.

Legacy integration poses a significant challenge for large companies with existing key management technologies. While smaller organizations can create greenfield key management systems using modern technologies, established companies must navigate the complexities of supporting legacy applications and databases. Cloud-based encryption infrastructure, such as hardware security modules, can streamline implementation and integration with legacy systems.

Looking ahead, Reinhardt stressed the importance of preparing for the post-quantum future by ensuring that key infrastructure can generate quantum-safe keys. As quantum-computing technology advances, public-key encryption will need to evolve to withstand new threats. Companies must be proactive in replacing asymmetric keys to align with the changing landscape of cybersecurity. Implementing a robust key management system will facilitate the identification and rotation of keys as needed, ensuring data security in the face of evolving threats.
