Managing the private encryption keys to the kingdom

    Date: 18 May 2010
    Category: Cryptography
    Posted By: Anthony Pell
    At its core, the PCI Data Security Standard is nothing more than a series of guidelines that constitute security best practices. But companies that institute programs to better protect cardholder data can also leverage and extend these efforts throughout their business, ensuring that other sensitive customer, employee and partner data is better protected.

    Data loss a mystery for many businesses

    Encryption is a critical element of any security strategy and is widely used to protect data; when properly managed, it satisfies a growing body of regulations such as PCI DSS. Yet managing the growing volume of keys and certificates has reached a tipping point as enterprises expand their encryption deployments. Poorly managed, lost or stolen encryption keys can lead to failed audits, data breaches and system downtime.

    PCI DSS and key management

    The PCI standard provides specific guidelines for achieving and maintaining compliance. The 12 primary sections are broken into a number of requirements. Requirements 3.5 and 3.6 of Section 2 offer specific language defining how encryption keys are to be managed in order to achieve compliance.

    Note that the standard does not distinguish between symmetric and private (asymmetric) key management or give either priority. Both key types must be properly secured in order to be PCI DSS compliant. PCI requirement 3 mandates proper key management to protect against "both disclosure and misuse" and must be fully "documented and implemented" for all key types.

    When data is protected by encrypting it with a private key and a certificate, the key itself becomes the data that must be protected. If the private key is not well managed and protected, the risk of data loss or theft increases dramatically. This threat becomes particularly acute when data is protected by keys that reside in a container or "keystore" (or across multiple keystores) with shared administrative access. The keys that protect the data are often accessible to multiple administrators with no audit or access controls, and are often distributed widely and insecurely within organizations.
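    One practical check for the shared-keystore problem described above, added here as an example and not taken from the article or from LinuxSecurity: a small audit that walks a filesystem keystore directory, identifies PEM-encoded private keys, and reports any that are readable by group or other users. The sample keystore it builds and its file names are constructed for the demonstration.

```python
"""Audit a filesystem keystore for private keys with overly permissive access."""
import os
import stat
import tempfile
from pathlib import Path

# Marker shared by PEM private keys (RSA, EC, PKCS#8); certificates lack it.
PRIVATE_KEY_MARKER = b"PRIVATE KEY-----"


def looks_like_private_key(path: Path) -> bool:
    """Return True if the first 4 KiB of the file carries a PEM private key header."""
    try:
        with path.open("rb") as fh:
            return PRIVATE_KEY_MARKER in fh.read(4096)
    except OSError:
        return False


def audit_keystore(root: str) -> list:
    """Return (path, octal mode, finding) for each private key readable beyond its owner."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if not looks_like_private_key(p):
                continue
            mode = stat.S_IMODE(p.stat().st_mode)
            # Any group/other bit means more than one account can reach the key.
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append((str(p), oct(mode), "private key readable by group or others"))
    return findings


def make_sample_keystore() -> str:
    """Constructed sample keystore: one locked-down key, one shared key, one certificate."""
    root = tempfile.mkdtemp(prefix="keystore-")
    key_body = (b"-----BEGIN PRIVATE KEY-----\n"
                b"CONSTRUCTED SAMPLE, NOT A REAL KEY\n"
                b"-----END PRIVATE KEY-----\n")
    good = Path(root) / "service-a.key"            # owner-only, as it should be
    bad = Path(root) / "shared" / "service-b.key"  # world-readable in a shared directory
    bad.parent.mkdir()
    good.write_bytes(key_body); os.chmod(good, 0o600)
    bad.write_bytes(key_body); os.chmod(bad, 0o644)
    (Path(root) / "service-a.crt").write_bytes(b"-----BEGIN CERTIFICATE-----\n...\n")
    return root


if __name__ == "__main__":
    for path, mode, finding in audit_keystore(make_sample_keystore()):
        print(f"{path} ({mode}): {finding}")
```

    Run as-is it reports only the shared key; point `audit_keystore` at a real key directory to get the same report for it.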
