Cohort News

Poor Encryption Key Management Leads to Unrecoverable Data, Survey Finds

December 13, 2011

Enterprises are having trouble recovering business information because they are not properly managing the data encryption keys, which effectively lock them out of the critical data they sought to protect, Symantec found in a survey.

Enterprises are using encryption in more places than ever, but they are not properly securing the keys or using consistent products, a recent report found.

Even where encryption is in use, poor key management and a lack of control over the technologies being used can cost an organization an average of $124,965 a year, according to the 2011 Enterprise Encryption Trends Survey report released by Symantec on Nov. 30.

Business groups and employees are often independently encrypting the data without involving the IT department, according to Matthews. While the move to encrypt is a good thing, these unauthorized deployments are a challenge for IT because the data is lost and irretrievable if the employee loses the key, forgets the passphrase or leaves the company without passing on custody of the encryption keys. If IT doesn’t have the key, it also becomes harder to properly back up the data or to access the information as part of an e-discovery request, he said.

Rogue projects pose a “recovery issue” for organizations since that’s data the IT department has no control over and if told by the courts to hand over data, the “enterprise can’t really say ‘I can’t,’” Matthews said.

Read full article here

Encryption is the front line of security, but IT employees realise the power of keys

December 12, 2011

IT departments have access to the most sensitive data, even ahead of management and the board.

In a survey of 500 IT security specialists, 65 per cent of respondents acknowledged that IT departments have the easiest access to sensitive data, while data access is restricted for other key staff, including CEOs.

When asked who had the easiest access to their company’s most sensitive data, 30 per cent believed it was the CEO, eight per cent said management, seven per cent the HR department and five per cent the legal team.

Meanwhile, 40 per cent of IT staff admitted that they could ‘hold their employers hostage’, even after leaving for another job, by withholding or hiding encryption keys, making it difficult or impossible for management to access vital data.

However, 24 per cent said that the fear of losing encryption keys was deterring them from investing in encryption technologies. Jeff Hudson, CEO of Venafi, said encryption management has become a big issue for companies worldwide, particularly with encryption being the last line of defence in protecting data against loss or compromise.

“Companies are finding out how important encryption is when they have experienced a huge data breach because they weren’t using encryption, then they find out that when they deploy encryption they have another big problem, and that is managing the encryption keys,” he said.

Read full SC Magazine article here

ENTERPRISE KEY AND CERTIFICATE MANAGEMENT [EKCM] SOLUTIONS

Designed especially for enterprise environments, Venafi solutions provide automated management for the widest range of digital certificate and encryption key technologies in use today – including digital certificates, SSH keys, and asymmetric and symmetric keys.

Its flagship product, Venafi Encryption Director™, automates the discovery, monitoring, validation, management, and security of organisations’ extensive (and expanding) encryption resources – ensuring encryption systems provide the security they are designed to deliver while simultaneously reducing operational risk and administrative workload.

To find out more about Venafi contact Cohort Technology today on 0845 084 8828 or email venafi@cohorttechnology.com

 

Why Key and Certificate Management is Important?

November 21, 2011

The amount of data that enterprises must secure with encryption is growing rapidly, and with it, the number of digital certificates and keys that encrypt the data. This digital-certificate explosion, while necessary, can create management nightmares: Companies must track each and every certificate, and in keeping with best practices, renew each of them as they are set to expire (typically annually). The ability to do this hinges on a critical asset: a comprehensive inventory.

An accurate certificate inventory is also necessary to meet security-compliance requirements: Healthcare companies must comply with HIPAA, publicly traded companies must comply with Sarbanes-Oxley, and every company that deals with credit cards must comply with the credit card industry’s PCI regulation. There are also internal policies and security regulations for the European Union and other countries abroad—and these are but a few of the regulations with which organizations must comply.

Correctly done, an SSL certificate inventory should include the whereabouts of each certificate, the identity of the certificate authority that signed it, and the identity of the person who is responsible for its care (including this person’s contact information). Such an inventory or certificate population is critical because companies can’t ensure the security of their protected information and system authentication without ensuring the safety and validity of the certificates that secure it, and they can’t ensure the certificates’ safety unless they know where to find them.

While many enterprises contract with external certificate authorities (CAs)—often multiple CAs—the inventory task is not as simple as asking each CA for a list of the certificates it manages. A given CA’s list does not include certificates it didn’t issue—or certificates that administrators purchased from the CA before the company contracted with it. Nor does it include self-signed certificates, which systems and applications often issue without the IT staff’s knowledge. In addition, a CA’s list doesn’t include important information such as certificates’ locations and statuses (active or inactive).

Data centers are typically heterogeneous environments in which several different brands of hardware and software run side-by-side. Likewise, organizations often deploy certificates from heterogeneous sources side by side and may not have a complete list of CAs from which to start the inventory-requesting process. Given all these caveats, it is obvious that companies must supplement the inventories their CAs provide with their own, network-wide certificate-discovery searches.

This said, certificate inventory projects can be daunting. A Fortune 500 technology company that operates in more than 75 countries presented a certificate-inventory case study at the RSA Conference 2011 in San Francisco. This company’s network consists of 10,000 routers and 20,000 switches; about 10 percent of its workforce telecommutes. In addition, over the course of its history, the company has made more than 100 acquisitions. All of these factors made inventorying certificates a complex process. The company eventually created an internal portal to discover, provision, manage and govern its certificate process.

A network discovery process can find certificates that are on listening ports—such as 443, the well-known HTTPS port. (The term HTTPS identifies secure Web sites [the S stands for secure].) Secure Web sites are protected by private keys that match corresponding digital certificates. The discovery process involves gathering network address ranges and then collecting a list of ports to check. Port 443 is a good place to start, but there are many other ports on which companies can find certificates.

Some X.509 certificates are not discoverable through network ports, including client-side certificates used for mutual authentication on Secure Sockets Layer (SSL)-encrypted connections. Finding these certificates typically requires using a locally installed agent to perform file-system scans on servers and clients.

But technology alone can’t guarantee an accurate inventory. It is important that administrators proactively report all certificates of which they are aware and add these certificates to the inventory. Establishing this human-based process may require education.

Upon completion, companies must analyze their digital certificate populations to determine whether each certificate and associated private key was properly issued, its status, and its expiration date (this is particularly important). Companies must initiate the renewal process for any certificate set to expire in less than 30 days. If a certificate is allowed to expire on a production system, the event will block access to the site, file, or database the certificate protects, causing network downtime, inconvenience to employees, partners and customers, and even costly brand damage. Expiration dates can also help identify certificates that have been active too long. Companies should flag and inspect certificates that have been active longer than a year to make sure they deserve to stay active.

Finally, it is important to determine each certificate’s CA, thereby identifying self-signed and improperly authorized certificates.
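The analysis pass described above can be run over a collected inventory. The following is an added example, not code from the article or from any vendor product: the record layout, finding names, approved-CA list and sample data are all constructed, and treating "subject equals issuer" as self-signed is a simplification.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

RENEW_WINDOW = timedelta(days=30)  # article: renew anything expiring in under 30 days
MAX_ACTIVE = timedelta(days=365)   # article: inspect anything active longer than a year

@dataclass
class CertRecord:
    location: str         # host:port or file path where discovery found it
    subject: str
    issuer: str           # the CA that signed it
    not_before: datetime
    not_after: datetime
    owner: str = ""       # responsible person and contact; empty if unknown

def triage(rec, now, approved_cas):
    """Return the inventory findings for one certificate record."""
    findings = []
    if rec.not_after <= now:
        findings.append("expired")
    elif rec.not_after - now < RENEW_WINDOW:
        findings.append("renew-now")
    if now - rec.not_before > MAX_ACTIVE:
        findings.append("active-over-1y")
    if rec.subject == rec.issuer:          # assumption: self-issued means self-signed
        findings.append("self-signed")
    elif rec.issuer not in approved_cas:   # assumption: allow-list of contracted CAs
        findings.append("unapproved-ca")
    if not rec.owner:
        findings.append("no-owner")
    return findings

def report(inventory, now, approved_cas):
    """Map location -> findings, soonest expiry first; clean records are omitted."""
    rows = ((r.location, triage(r, now, approved_cas)) for r in sorted(inventory, key=lambda r: r.not_after))
    return {loc: found for loc, found in rows if found}

def _d(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample inventory; hosts, names and dates are invented for illustration.
NOW = _d(2011, 11, 21)
APPROVED = {"CN=Example Issuing CA"}
INVENTORY = [
    CertRecord("web01.example.test:443", "CN=web01.example.test", "CN=Example Issuing CA", _d(2010, 12, 1), _d(2011, 12, 5), "alice@example.test"),
    CertRecord("nas02.example.test:8443", "CN=nas02", "CN=nas02", _d(2009, 1, 1), _d(2019, 1, 1)),
    CertRecord("mail.example.test:993", "CN=mail.example.test", "CN=Unlisted CA", _d(2011, 6, 1), _d(2012, 6, 1), "bob@example.test"),
    CertRecord("intranet.example.test:443", "CN=intranet.example.test", "CN=Example Issuing CA", _d(2011, 6, 1), _d(2012, 6, 1), "carol@example.test"),
]
```

Calling `report(INVENTORY, NOW, APPROVED)` returns only the records that need attention, ordered by how soon they expire.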

As challenging as the inventory process may be, it’s vital for enterprises to learn as much as possible about the encryption assets running on their networks — to affirm the knowns and discover the unknowns. Without this information, it is impossible to keep valuable and sensitive information secure, meet compliance regulations, and keep networks running efficiently.

To learn more about Venafi, the leader in enterprise and certificate management, contact Cohort Technology today on 0845 094 8828 or email venafi@cohorttechnology.com

Venafi Appoints Cohort as UK Distributor

September 29, 2011

Venafi, the inventor of and market leader in Enterprise Key and Certificate Management (EKCM) solutions, today announced its strategic partnership with Cohort Technology to distribute EKCM solutions in the United Kingdom.

Together, the companies will extend Venafi’s market leadership to meet the needs of Cohort Technology’s resellers and customers. Designed specifically for enterprise environments, Venafi solutions provide automated management for the widest range of digital-certificate and encryption-key technologies in use today—including digital certificates, Secure Shell (SSH) keys, and asymmetric and symmetric keys.

Cohort managing director Grahame Smee said: “We are delighted to partner with Venafi, the recognised industry leader in the growing EKCM arena. Our customers are heavily dependent on encryption for information security and system authentication. As a result of their growing inventories, these same organisations have certificates and keys strewn throughout their infrastructures, most of which are managed departmentally and in silos.”

Jeff Hudson, chief executive of Venafi, pointed to the frequency of enterprise security breaches “including data breaches, man-in-the-middle attacks and CA compromises”.

Read full press release here

PCT lost personal details of 1.6 million patients

September 19, 2011

According to the Information Commissioner’s Office (ICO), Eastern and Coastal Kent Primary Care Trust sent to landfill a filing cabinet that contained the CD. The disc had on it the address, date of birth, NHS number and GP practice code of approximately 1.6 million patients.

The ICO said that when planning an office move, the trust deemed it appropriate to store the CD in the filing cabinet concerned. However, the project manager co-ordinating the move was not told about the existence of the CD.

It was also found that the team concerned was not up to date with its information governance training and had not accessed relevant guidance on how to dispose of the CD.

Despite efforts to retrieve the filing cabinet once the CD was discovered missing, the trust was unable to do so.

Read full article here

Cohort Technology
© 2012 Cohort Technology Ltd  Registered Office: Norton House, Stewart Road, Basingstoke, Hampshire, RG24 8NF  Company Registration Number: 6027516.