Security Assets: Is it safe with your processes in key management?

Have you ever met a person who writes down his or her password and posts it everywhere? People like your friend usually find it very hard to memorize different passwords considering passwords nowadays need to be strong and must include special characters. So instead of memorizing it, jotting down the password on paper and puts it in different places where everyone can see it. Most people even post it on their computer screen in order to have easy access.

What would happen if your friend is the one who manages the data of a famous company or even your company? The effect would be disastrous considering anyone can access the company’s data by just reading the post-its.

Different IT professionals who, master in information security, made many ways in order to prevent breach of any information. They made solutions like certificates and encryption keys in order to provide security for different and varying applications, services and platforms. But due to gradually deployments, efficient administration broke down and fallen. Certificates and Keys in applications, business solutions and disparate systems are deployed to be accessible to many administrators without access control.

Overworked professionals in security usually switch to expensive management process in order to cobble together. They usually rely on things like spreadsheets and has lists of certificates and deployed keys. They also contain the dates of expiration of certificates and keys. This is better compared to the writing the password on a pathetic post-it notes. Other people who have masters degree in information security can also do this simple task.

Manual processing usually make you defenseless due to the managers does not apply good practices in security or either that or they nastily make use of their knowledge since at least 50% professionals in IT admitted that they could exploit their knowledge but with a ms information security, you can avoid that. Due to lack of clear policies or management solutions, administrators are forced to expose confidential key security and vulnerabilities. They can expose information by storing keys in keystores which managers have access to it. Reusing once password in order to defend many keystores is another one. Giving out keys in not secure ways like email, FTP servers and USB drives is another way. Another one is to fail rotating keys time to time.

Thinking that the more IT staff you have, your manual management process increases but it isn’t like that. Actually, manual management usually leave vulnerabilities because the managers are unsuccessful to apply good security practices or simply since they choose to exploit the knowledge they have. If there is no workflow controls and automated access, a large staff can really expose different private keys. A survey showed that at least 50% IT employees confessed that if possible, they can hold their previous employees hostages. They could do that by withholding the keys in which they have access.

Management in manual key doesn’t guarantee the keys are distributed, deployed, maintained, securely generated and are rotating since regulations require it.

The punishment of failing to achieve or comply the regulations are to pay a hefty fines or even other things. Service Loss is one of the punishments. Administrators who fail to replenish certificates right before the certificate expires, applications which relies on the certificate will fail without warning at all. Another one is breaches in security. The regulations given to staffs and managers aren’t made to give you headaches but they are made to protect different customers from exposing customer’s identity which leads to identity theft. This may lead on ruining the company’s reputation.

An encryption management, which focuses on enterprise, solution is really required in order to cut across different systems, applications and platforms in order to manage certificates and keys securely. Different solutions could influence the automated processes and solutions depending on your policies on security you have. This includes Distributing, generating and managing the certificates and keys that will fulfill the policies of security of the company. Configuring applications that uses the certificates and keys are another. Enforcing the workflow and controls of access that duties of segment management according to policies of the company and apply dual control over the sensitive keys.

Security breaches surprises IT managers since operational failures and compromised keys happen from neglect which comes from leaving the keys exposed similar to putting passwords on a simple post-it. You shouldn’t really do this and they shouldn’t too. Take many steps in order to protect the encryption assets but you if you don’t, you might see the CEO of the company in the news.

EC-Council University is a licensed university that offers degrees and master’s degrees on Security Science online. The degrees are recognized worldwide and may be used in any employment worldwide as well as the graduate certificates that they offer. With excellence and dedication as the core values, many professionals and degree holders have benefitted from undergoing the programs in this university.

More information about master’s degrees in information security available at www.eccuni.us.