In an independent survey carried out for accelerated encryption company nCipher plc, another 39% of organizations were found to be planning the use of cryptography over the coming 18 months to secure five or more application functions. Confidentiality was rated as the highest priority by the 200-plus survey respondents when asked about the drivers of encryption in the context of enterprise data.
One downside to the increasing use of encryption is that the overhead of cryptographic key management is likely to become increasingly complex. This is particularly so if, as the nCipher audit suggests, nearly one-third (31%) of managers whose enterprises handle more than 500 keys or certificates reportedly knew little or nothing about enterprise key management solutions.
The maintenance of cryptographic keys and related security information, also known as key management, is crucial to effective security. When symmetric cryptographic mechanisms are used in a security protocol, the presumption is that automated key management is generally but not always needed.
Examples of automated key management systems include IPsec IKE and Kerberos, although S/MIME and TLS also include automated key management functions.
According to nCipher’s Paul Galwas, "The evidence suggests that while the majority appreciates the value of keys, they do not fully appreciate the relevance of key management practices. Evidence of their widespread use is preceding the maturity with which they ought to be managed."
"Businesses are using keys in lots of different classes of applications. They are using them to protect a channel, to authenticate users or to secure data, but they will often be using different approaches to key management for each of these," he said. S/MIME might be used to encrypt email, but a different key management format would be used to encrypt that same file if it is archived into a secure storage vault.
The Cambridge, UK-based vendor said enterprises need to be able to manage cryptographic keys securely and efficiently to prevent security being compromised as systems are scaled to reach more enterprise users.
The challenge is to satisfy those goals through development of an automated and centralized key management system. "We see that there is a need for systems that can automate the management of keys across this wide range of applications class. Expect a product announcement in this area from us very soon," Galwas said.
The nCipher survey queried a cross-section of 237 security decision-makers at organizations worldwide.
The survey also revealed that Secure Sockets Layer (SSL), the protocol that underpins secure HTTPS web sites and is widely used to encrypt confidential user information, such as credit card numbers and e-commerce transactions, is now used by 81% of respondents for internet-facing servers. But 45% of respondents also use SSL to protect traffic between internal servers.
Another 25% of respondents claimed to have already deployed or plan to deploy within the next two years some type of Trusted Platform Module to encrypt data and protect cryptographic keys in desktops and laptops.
The TPM can be thought of as a smart card that is embedded on the system board and acts as a security key for the PC. The problem with existing PC security is that there has to date been no standardized way to securely store keys that are used for machine identity so that the keys cannot be discovered if the system is stolen or otherwise compromised. The TPM is designed to address this weakness. Dell has already released products that offer built-in support for the TPM, releasing three new notebooks with built-in TPM security technology in early 2005.