The perennial challenge within the IT security world is achieving the right balance between security and operational efficiency. Security professionals are charged with ensuring that critical data and systems are protected at all times, but operations staff are often focused on keeping the wheels on the bus, managing costs and delivering a great user experience – no glitches, no downtime.
Take encryption, for example. On the one hand, encrypting information is viewed by many security professionals as the single most effective means of end-to-end data protection, and deploying it successfully is getting much easier as the technology becomes more widely available and ‘home-grown’ solutions are no longer the norm. On the other hand, encryption can slow down an entire network, render valuable information worthless and take an application offline if the security stars fail to align.
In January 2010, NIST issued a draft Special Publication 800-131, “Recommendation for the Transitioning of Cryptography Algorithms and Key Sizes,” which recommends a number of upgrades and changes to the types of cryptographic algorithms that are used and how they are deployed. Nobody in the industry argues that these changes aren’t the right thing to do – security measures must always evolve as technology advances, particularly the technology available to potential attackers. The challenge is to carry out the transition, which for many will start later in 2010 and continue through the following few years, in as painless a way as possible.
Within the recommendation there are a number of proposed changes, but one common theme is that organizations should adopt longer, more complex encryption keys to bolster data protection. Security professionals want to follow NIST recommendations to keep information and systems as safe as possible. From an operations perspective, however, this is a concern: longer keys slow cryptographic operations, consume more processing power and can be more difficult to manage and store.
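The operational cost of longer keys is easy to measure for yourself. The following example is added here and is not part of the original article: it pairs each RSA modulus size with its comparable security strength from NIST SP 800-57 Part 1 (80 bits for RSA-1024, 112 for RSA-2048, 128 for RSA-3072) and times a textbook private-key operation (a full-size modular exponentiation) at each size using only the Python standard library. The moduli and exponents are constructed random integers rather than real keys; the arithmetic cost is the same, and the omission of CRT optimisation is a deliberate simplification, so the absolute numbers are not those of a production library, but the growth with key size is what the paragraph is describing.

```python
import secrets
import statistics
import time

# Comparable security strengths for RSA modulus sizes, in bits, as tabulated
# in NIST SP 800-57 Part 1 (not taken from the article).
RSA_SECURITY_STRENGTH = {1024: 80, 2048: 112, 3072: 128, 7680: 192, 15360: 256}


def security_strength(modulus_bits: int) -> int:
    """Return the NIST security strength in bits for an RSA modulus size."""
    try:
        return RSA_SECURITY_STRENGTH[modulus_bits]
    except KeyError:
        raise ValueError(f"no NIST strength mapping for {modulus_bits}-bit RSA")


def _random_odd(bits: int) -> int:
    """Constructed random odd integer of exactly `bits` bits (stands in for a modulus
    or private exponent; it is not a real RSA key)."""
    return secrets.randbits(bits) | (1 << (bits - 1)) | 1


def private_op_cost(modulus_bits: int, rounds: int = 5) -> float:
    """Median wall-clock seconds for one textbook RSA private-key operation,
    m^d mod n with a full-size exponent, at the given modulus size.
    No CRT optimisation is used, so this is an upper bound on a real library's cost."""
    n = _random_odd(modulus_bits)
    d = _random_odd(modulus_bits)
    m = secrets.randbits(modulus_bits - 1)
    samples = []
    for _ in range(rounds):
        t0 = time.perf_counter()
        pow(m, d, n)
        samples.append(time.perf_counter() - t0)
    return statistics.median(samples)


def compare_key_sizes(sizes=(1024, 2048, 3072)) -> dict:
    """Map each modulus size to (security strength, cost relative to the smallest size)."""
    costs = {bits: private_op_cost(bits) for bits in sizes}
    base = costs[min(sizes)]
    return {bits: (security_strength(bits), costs[bits] / base) for bits in sizes}


if __name__ == "__main__":
    for bits, (strength, rel) in compare_key_sizes().items():
        print(f"RSA-{bits}: {strength}-bit security, {rel:.1f}x the cost of RSA-1024")
```

Run it once on the hardware that will carry the load: moving from RSA-1024 to RSA-2048 buys 32 bits of security strength but costs several times more per private-key operation, and signatures and certificates grow with the modulus, which is the storage and management overhead the paragraph mentions. That ratio, not the absolute timing, is the figure to take into capacity planning for the transition.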
While this trade-off between security and operational efficiency will always exist, there are ways to mitigate the effects of stronger encryption; for example, security professionals can deploy advanced, automated key management policies and technologies.