Information security and compliance often swim together in the collective minds of CIOs, and so in the mainstream the adoption of information security technologies tends to be related to how well they solve compliance issues.
From many perspectives this is not unreasonable: corporate IT departments can’t be experts in all areas and they need guidance. However, it can lead to the undesirable situation where compliance projects drive security initiatives and organisations are left under-protected. Consequently, mainstream security adoption typically catches up with best practice only as and when the compliance mandates are updated.
This has happened in the past with network security, firewalls, anti-virus and password management, and over recent months the same scenario has been played out with encryption and key management. As businesses need to share more information across company departments and across expanding geographical borders, the prominence of encryption has risen, and we have seen it appearing increasingly in regulations and legislation. But the crux of effective encryption is strong key management: without clearly defined compliance standards in this area, enterprises are often unaware of the critical nature of key management and therefore remain vulnerable to attack. The number of reports of keys stored in software, lax access control, poor selection of keys and protocols, and theft of key material that accompany data breach notifications bears witness to this.
Fortunately, the regulators are beginning to catch up. Compliance mandates which once simply called for encryption are now being updated to look much more closely at key management. From PCI-DSS (updated in late 2010 and continuing into 2011 with an explicit focus on key management) to the more traditional world of US Federal government (which already did fairly well on key management), we are seeing increased sophistication in the specification of key management requirements. So now the secret is out: everyone knows about key management. Simply encrypting data isn't enough, default software installs will be deemed insufficient, and lax key management will be viewed as an error, not an easy oversight. If you want to comply (and follow encryption best practice), you’d better start managing those keys.