With agencies adding a protective wrapper of encryption to the data they create — specifically, sensitive and personally identifiable information — the technology dilemma looming on the horizon is how to handle the thousands (in some agencies, millions) of digital keys created in the process.
Although key management isn’t a mandate, it can make day-to-day life a lot easier for an agency’s IT managers. Key management isn’t “going to go away, and it is something that we will need to pay more attention to,” says William Burr, manager of the Security Technology Group at the National Institute of Standards and Technology’s IT Lab. Burr’s group crafts Federal Information Processing Standards guidelines and policies to help agencies with encryption practices.
The use of hardware-based key appliances can minimize security risks when tapes or other encrypted media become lost or stolen, points out Jon Oltsik, a senior analyst with Enterprise Strategy Group of Milford, Mass.
As encrypted data volumes grow and digital keys become more ubiquitous — spanning multiple sites, applications and technologies — the ability to effectively manage these environments will become paramount, Burr acknowledges.
Digital keys, consisting of long strings of numbers and characters, enable or deny access to encrypted data. In other words, they lock or unlock data written to media (tape, optical or disk, for instance). Misplace a digital key and the encrypted data to which that particular key is associated would be as good as lost unless a duplicate copy of the key exists and its whereabouts are known.
Standalone key-management appliances — from Hewlett-Packard, nCipher (NeoScale), Spectra Logic and Sun StorageTek — can help agencies minimize the potential for lost keys or unauthorized access to data by managing key-making and -storing processes centrally. These types of appliances help organizations manage keys generated across their IT environments and by different types of encryption devices, which can have significant end-user benefits.
“The appeal of an appliance is its simplicity and ease of use,” says Greg Schulz, senior analyst for StorageIO.
Cost, performance and scalability are also important in deciding whether to choose an appliance over software. In fact, for one agency, these were deciding factors.
“We looked at encrypting data on the disk via our database, which is where all our sensitive data is, and found the performance hit too expensive,” says an IT project leader at a research agency. Instead, the agency, which did not want to be identified because of security concerns, has begun evaluating key management appliances.
Driving the research agency and countless other agencies is the need to encrypt a growing amount of PII and other data to remain in compliance with mandates of the Office of Management and Budget.
If it has a Social Security number, name or address in it, then it needs to be encrypted — whether it’s embedded in a Microsoft Word document or sent in an e-mail. “We eventually need to move to a hardware solution,” the IT project manager says. “We are often exceeding our backup window.” The agency currently is leveraging its backup application to do encryption.
Mix and Match
Another concern is interoperability, for managing keys generated by other encryption tools. “It’s all going to boil down to interoperability with other key managers,” says Schulz. He suggests reviewing interoperability matrices for any product under consideration.
fact: No. 3: Where key management ranks (behind performance and cost factors) among the
storage-related concerns that IT managers have with regard to increased encryption of sensitive data
Other important factors that Oltsik and Schulz says agencies should consider are:
• Security: How deep is the product’s feature set? What kind of access trails does the device have? What are the authorization and authentication processes? Does it have fingerprint or biometric scanning capabilities? How is the device itself secured?
• Management: How does the device manage a key over its lifecycle? Can a key be assigned to a particular type or source of data? If yes, how granular is this capability?
• Regulatory certification: Is the appliance FIPS-certified? Which standards organizations is the manufacturer involved with?
• Data protection and availability: What is the disaster recovery and continuity of operations approach? How is the device backed up or replicated? What is the process? What is the cost of adding a second device for redundancy?
Although the standards bodies are at work on key management specifications, Schulz recommends that agencies target the most key-intensive efforts now for centralizing management to mitigate risks and address specific pain points.
As Burr points out: Not addressing key management is not an option.