Key Management

Below is a guest post from Gretchen Hellman at Voltage Security. This was written for Security-Protocols.com

——–

There’s been a lot of talk about the need for data-centric protection recently. Interestingly enough, though, whenever I hear about data-centric protection I also hear data being divided into three categories: data in motion, data in use, and data at rest. The two notions, data-centric protection and securing data at particular points, are completely at odds. Data-centric protection, by definition, means protecting the data itself at its source rather than the containers and pipes it passes through. It would no longer matter whether the data is in motion, in use or at rest; it is simply protected. So why are we still talking about the same three categories we’ve been talking about since 1999?

First, it requires a change in thinking. When I look at data-centric protection, I see only two categories: (1) data that is user-controlled, and (2) data that is machine-controlled. User-controlled data matters because the way it is accessed is very free-form, and user systems have access to the internet and are difficult to monitor and control. Machine-controlled data requires different protections, so that it can flow seamlessly through those systems while it remains in encrypted form.

The real question is why the industry keeps focusing on motion, use and storage as the key areas of protection while simultaneously talking about data-centric protection. I believe this is because the primary barriers to key management and encryption haven’t yet been solved, at least not by the majority of vendors in the industry.

Implementing data-centric protection for the end-user world requires asymmetric key management to be efficient. You may be thinking, “How can asymmetric key management be efficient?”, especially if you’ve been burned by PKI before. Identity-Based Encryption (IBE) can solve this problem by providing the benefits of PKI without the headaches: a public key is derived directly from an identity string such as an e-mail address, so the sender needs no certificate to be issued, looked up or validated before encrypting. To implement data-centric protection in the end-user world, encryption needs to be enforced based on policies (roles, groups, etc.), and IBE is designed to do just that in dynamic organizations.

Moving to the next problem. With machine-controlled information, the major barrier to data-centric protection is that you would need to redesign every system to accept encrypted formats. This is a major and often impossible effort. To truly encrypt data at its source and keep it encrypted as it is collected, transmitted, stored, etc. (regardless of where it resides), IT needs to look towards new solutions to the problem, such as Format Preserving Encryption (FPE). FPE produces ciphertext in the same format as the plaintext, so a 16-digit card number encrypts to another 16-digit number, and existing schemas, field validators and interfaces do not have to change to carry the protected value.
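To make the FPE idea concrete, here is an added example (not from the original post and not Voltage’s product code) of a format-preserving cipher over decimal strings. It follows the structure of NIST SP 800-38G FF1 (unbalanced Feistel halves, modular addition, ten rounds) but substitutes HMAC-SHA256 for FF1’s AES-based round function, so it is an illustration of the technique, not a compliant implementation. The `protect_pan` helper, the demo key and the sample card numbers are assumptions of this example: it keeps the first six and last four digits in clear and binds them into the tweak, which is a common way of letting routing and customer-service lookups keep working on protected data.

```python
"""
Illustrative format-preserving encryption (FPE) over decimal strings.

Added example: FF1-style Feistel structure with HMAC-SHA256 as the round
function. NOT a compliant SP 800-38G implementation; use a vetted library
for production. The demo key and sample numbers below are constructed.
"""
import hashlib
import hmac

RADIX = 10
ROUNDS = 10                      # FF1 also uses 10 rounds
DEMO_KEY = bytes(range(32))      # constructed demo key; never hard-code real keys


def _round_function(key: bytes, tweak: bytes, round_no: int, half: str, out_len: int) -> int:
    """Pseudo-random integer in [0, 10**out_len) derived from one Feistel half."""
    msg = tweak + bytes([round_no, out_len]) + half.encode("ascii")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % (RADIX ** out_len)


def _check(digits: str) -> None:
    if not (digits.isdigit() and len(digits) >= 2):
        raise ValueError("input must be a decimal string of at least 2 digits")


def fpe_encrypt(key: bytes, tweak: bytes, digits: str) -> str:
    """Encrypt a decimal string to another decimal string of the same length."""
    _check(digits)
    n = len(digits)
    u, v = n // 2, n - n // 2            # unbalanced halves, as in FF1
    a, b = digits[:u], digits[u:]
    for i in range(ROUNDS):
        m = u if i % 2 == 0 else v       # width of the half being rewritten
        y = _round_function(key, tweak, i, b, m)
        c = (int(a) + y) % (RADIX ** m)
        a, b = b, str(c).zfill(m)
    return a + b


def fpe_decrypt(key: bytes, tweak: bytes, digits: str) -> str:
    """Inverse of fpe_encrypt: run the rounds backwards with modular subtraction."""
    _check(digits)
    n = len(digits)
    u, v = n // 2, n - n // 2
    a, b = digits[:u], digits[u:]
    for i in reversed(range(ROUNDS)):
        m = u if i % 2 == 0 else v
        y = _round_function(key, tweak, i, a, m)
        c = (int(b) - y) % (RADIX ** m)
        a, b = str(c).zfill(m), a
    return a + b


def protect_pan(key: bytes, pan: str) -> str:
    """Encrypt only the middle digits of a card number (hypothetical helper).

    The first 6 (BIN) and last 4 digits stay in clear and are bound into the
    tweak, so moving the ciphertext under a different BIN/last-4 breaks decryption.
    """
    _check(pan)
    if len(pan) < 12:
        raise ValueError("PAN too short to keep BIN and last 4 in clear")
    head, middle, tail = pan[:6], pan[6:-4], pan[-4:]
    tweak = (head + tail).encode("ascii")
    return head + fpe_encrypt(key, tweak, middle) + tail


def unprotect_pan(key: bytes, protected: str) -> str:
    """Recover the original card number from protect_pan output."""
    _check(protected)
    if len(protected) < 12:
        raise ValueError("protected PAN too short")
    head, middle, tail = protected[:6], protected[6:-4], protected[-4:]
    tweak = (head + tail).encode("ascii")
    return head + fpe_decrypt(key, tweak, middle) + tail


def fits_legacy_pan_column(value: str) -> bool:
    """Stand-in for an unchanged downstream system that only accepts 16 digits."""
    return value.isdigit() and len(value) == 16


if __name__ == "__main__":
    pan = "4111111111111111"             # constructed sample number
    protected = protect_pan(DEMO_KEY, pan)
    print("clear    :", pan)
    print("protected:", protected, "| legacy column accepts:", fits_legacy_pan_column(protected))
    print("recovered:", unprotect_pan(DEMO_KEY, protected))
```

The point to take from running it is that the protected value still passes the same 16-digit check the plaintext did, so the database column, the validation rule and the interface contract downstream are untouched; only the system that holds the key can turn the value back into the original. Binding the clear digits into the tweak is the caveat a practitioner should not skip: without it, an attacker could swap a protected middle segment between card numbers without detection.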

Data-centric protection is a true nirvana, and it’s going to take a while to get there. Changing the way we think about encryption, user-controlled and machine-controlled data versus containers and pipes, and looking towards the key management and encryption techniques that solve the problem, is the first step to actually getting there.
