Reports have been coming in for a few days that something very dodgy is happening at a certain major bank in a neighbouring country of ours.
The suggestion is that the institution is in something of a pickle because staff have taken passwords and keys which has resulted in the bank being unable to gain access to encrypted data. That’s right. It can’t open its own electronic safe.
Industry insiders are telling us that the motivation behind this apparent unwillingness to return the keys for the encrypted data has to do with either attempting to hide some rather dubious practices they carried out on the firm’s time while employed or to hold the keys as negotiating chips for a better redundancy package.
Well, in a way you can’t blame them. What you can do is flag up the technology problem here, which is so-say ‘key management’. If the concept is obscure to the generalist, it shouldn’t be – and isn’t – for the IT security guy.
After all, there’s enough about this in the standards: the Payment Card Industry (PCI) has documentation that advises, "the manner in which cryptographic keys are managed is a critical part of the continued security of the encryption solution.
A good key management process, whether it is manual or automated as part of the encryption product, is based on industry standards and addresses all key elements". PCI has also said that "the encryption solution should also allow for and facilitate a process to replace keys that are known to be, or suspected of being, compromised".
It’s also not like we haven’t been here before. In 2007, after another key management snafu, the PCI Council was quoted as saying "some companies are dragged into compliance kicking and screaming".
But maybe what’s more serious in the 2011 version is that key management is more of a potential ticking time bomb due to whose now increasingly in control of such keys, especially at financial institutions.
This at least is the thought-provoking view of Calum MacLeod, EMEA director of an outfit called Venafi, a specialist in encryption management, who told CBR, "With all the arguments about bonus payments to bankers, what seems to be getting lost in the whole discussion is that most banks are reducing their head count in IT services and most trading in the financial sector today is based on electronic trading system."
"So it’s no longer the guy with the Ferrari who is the superstar on the trading floor, it’s the IT guy who keeps the system running who is now responsible for making sure 80% of the trades get made. Trust me, this is not a guy you want to upset, or if you plan to, make sure that critical systems such as key management are fully automated," he said.
Or maybe you agree with the traditional view, as articulated by encryption guru Bruce Schneier, who’s opined in the past that "regulation — SOX, HIPAA, GLBA, the credit-card industry’s PCI, the various disclosure laws, the European Data Protection Act, whatever — has been the best stick the industry has found to beat companies over the head with. And it works. Regulation forces companies to take security more seriously."
Yes indeed. That’s why we didn’t have a global financial meltdown in 2008 as SOX stopped all the nonsense and Basel II meant we were all of us able to go on making money off an endlessly climbing mortgage market.
Ah…
Your job for today: find out what key management is and sort it for your organisation.
