Postbank, the banking division of South Africa’s Pat Office, recently reported that a rogue employee had stolen the 36-digit master keys used to protect the banks systems. The result: 25,000 fraudulent charges valued at 56 million Rand (3.2 million US dollars) and a whopping 1 billion Rand (58 million US dollars) to replace all credit and ATM cards issued by the bank.
This event serves as a great reminder of the catastrophic consequences even a single compromised key can cause for an organization.
Every Key Matters
In a recent Ponemon report, respondents identified that organizations have an average 88,750 keys and certificates while 74% of respondents admitted they did not know exact numbers of keys being used in their organizations.
The shocking fact: most organizations lack the tools, focus, skill-sets and budget to effectively manage cryptographic keys. However, every organization needs to be looking for every key so that it can be managed and audited.
The point to stress here is that every key needs to be managed. Rarely do breaches and compromises happen to assets that are constantly monitored and watched; it’s those assets not being managed that most commonly lead to breach.
Find every key, manage every key, monitor every key, audit every key.
Lifecycle Management Matters
Once you can identify all your keys, you can then begin to look at how the lifecycle of each key can be improved to further mitigate risk.
In most cases, keys expire and need to be rotated. If the key does not expire, it should still be rotated. Doing so serves several purposes, the most significant two being:
- It minimizes risk of use of a compromised key
- It maintains current cryptographic standards and best practices
In many cases, though, key rotation is avoided, as it can be a cumbersome task.
Lifecycle of keys should be automated to ensure that they are rotated on a regular basis, to avoid human interaction with the keys and to avoid misconfiguration of the devices using the keys.
Ownership of keys and certificates is all too often spread across an organization with management making assumptions about the policies applied to cryptographic keys. The new reality is that a fragmented approach to key management is just no longer acceptable.
Some organizations are taking control of this issue by establishing a “cryptographic center of excellence.” This core group, typically reporting to an executive, is responsible for the creation and application of policy and procedures within the organization. A cryptographic center of excellence also works to quickly establish:
- What keys are in the organization and where they live
- How keys are being used by systems and applications
- Which keys fail to meet current standards
- How to apply best practices across all keys in the organization
As legislation continues to drive the use of encryption, the number of keys required to keep products and application secure continues to rapidly grow. And with that growth, comes the need to understand the whereabouts and ownership of every single key, to best ensure the critical information and data attached to those applications and products remains secure.
Proper key management has risen past the level of simply serving as a checkbox on a security questionnaire. It is, and will continue to be, a business-critical, strategic initiative. Put simply: the investment in key management is a drop in the bucket compared to the business, brand and financial cost of a breach or compromise.