English   Deutsch   Русский   中文    

Encryption is only as good as the protection of its keys

Mar 21, 2012 by Martin Kuppinger

This morning I received a press release pointing to a blog of John Grimm, who works at Thales e-Security. Thales e-Security is the part of the Thales Group, which specializes in encryption. They offer, amongst several other technologies, HSM (Hardware Security Modules) and Enterprise Key Management solutions.

The blog commented on the recent discovery of the Mediyes Trojan by Kaspersky Lab. Kaspersky is one of the leading vendors in the Anti-Virus/Anti-Malware segment. The touchpoint between them in the case of Mediyes is that the Trojan uses a digital signature based on a stolen private signature key. This key has been stolen from a Swiss company.

This new Trojan proves three points:

  • Every company is a target for attackers. No single company should feel safe just because it is either small or in an industry which appears not to be that attractive for attackers.
  • Attacks are getting increasingly sophisticated. Mediyes is just one example of this – they needed to obtain that key in a first attack to start the Mediyes attack.
  • Encryption relies on the security of keys.
The first two points are covered here, amongst other posts, articles, and podcasts of mine.

The third point is another important one. If the keys aren’t secure, everything relying on them is insecure as well. That is true for compromised CAs (Certificate Authorities), and it is true for every single private key you are using and every key used in symmetric encryption.

Thus it is mandatory to focus more on Enterprise Key Management and overall Information Security. Keys have to be well managed and secured. Not having an appropriate management and security for these keys – for every type of encryption, from digital certificates to symmetric encryption of your communication lines – leaves the doors wide open for attackers. It is necessary when starting with Enterprise Key Management to first of all know which keys are out there and how they have been protected (or not) until now. Then you can start improving the management of these keys.

Notably the term is Enterprise Key Management and not Storage Key Management or anything like that. It is not about looking at some keys, it is about looking at all of them.

To learn more about APTs (Advanced Persistent Threat), the changing threat landscape, about Enterprise Key Management and overall IT Security, you should attend EIC 2012  in Munich, April 17th to 20th.


Author info

Martin Kuppinger
Founder and Principal Analyst
Profile | All posts
KuppingerCole Blog
KuppingerCole Select
Register now for KuppingerCole Select and get your free 30-day access to a great selection of KuppingerCole research materials and to live training sessions.
Register now
Adaptive Authentication & Authorization
It’s called “adaptive” because it adapts to the circumstances at the time of the authentication ceremony and dynamically adjusts both the authentication factors as well as the facet(s) of the factors chosen. This is all done as part of the risk analysis of what we call the Adaptive Policy-based Access Management (APAM) system.
KC EXTEND shows how the integration of new external partners and clients in your IAM can be done while at the same time the support of the operational business is ensured.
 KuppingerCole News

 KuppingerCole on Facebook

 KuppingerCole on Twitter

 KuppingerCole on YouTube

 KuppingerCole at LinkedIn

 Our group at LinkedIn

 Our group at Xing
Imprint       General Terms and Conditions       Terms of Use       Privacy policy
© 2003-2016 KuppingerCole