Encryption is only as good as the protection of its keys

This morning I received a press release pointing to a blog of John Grimm, who works at Thales e-Security. Thales e-Security is the part of the Thales Group, which specializes in encryption. They offer, amongst several other technologies, HSM (Hardware Security Modules) and Enterprise Key Management solutions.

The blog commented on the recent discovery of the Mediyes Trojan by Kaspersky Lab. Kaspersky is one of the leading vendors in the Anti-Virus/Anti-Malware segment. The touchpoint between them in the case of Mediyes is that the Trojan uses a digital signature based on a stolen private signature key. This key has been stolen from a Swiss company.

This new Trojan proves three points:

  • Every company is a target for attackers. No single company should feel safe just because it is either small or in an industry which appears not to be that attractive for attackers.
  • Attacks are getting increasingly sophisticated. Mediyes is just one example of this – they needed to obtain that key in a first attack to start the Mediyes attack.
  • Encryption relies on the security of keys.
The first two points are covered here, amongst other posts, articles, and podcasts of mine.

The third point is another important one. If the keys aren’t secure, everything relying on them is insecure as well. That is true for compromised CAs (Certificate Authorities), and it is true for every single private key you are using and every key used in symmetric encryption.

Thus it is mandatory to focus more on Enterprise Key Management and overall Information Security. Keys have to be well managed and secured. Not having an appropriate management and security for these keys – for every type of encryption, from digital certificates to symmetric encryption of your communication lines – leaves the doors wide open for attackers. It is necessary when starting with Enterprise Key Management to first of all know which keys are out there and how they have been protected (or not) until now. Then you can start improving the management of these keys.

Notably the term is Enterprise Key Management and not Storage Key Management or anything like that. It is not about looking at some keys, it is about looking at all of them.

To learn more about APTs (Advanced Persistent Threat), the changing threat landscape, about Enterprise Key Management and overall IT Security, you should attend EIC 2012  in Munich, April 17th to 20th.


Discover KuppingerCole

KuppingerCole PLUS

Get access to the whole body of KC PLUS research including Leadership Compass documents for only €800 a year

KuppingerCole Select

Register now for KuppingerCole Select and get your free 30-day access to a great selection of KuppingerCole research materials and to live trainings.

Stay Connected

Blog

Spotlight

AI for the Future of your Business Learn more

AI for the Future of your Business

AI for the Future of your Business: Effective, Safe, Secure & Ethical Everything we admire, love, need to survive, and that brings us further in creating a better future with a human face is and will be a result of intelligence. Synthesizing and amplifying our human intelligence have therefore the potential of leading us into a new era of prosperity like we have not seen before, if we succeed keeping AI Safe, Secure and Ethical. Since the very beginning of industrialization, and even before, we have been striving at structuring our work in a way that it becomes accessible for [...]

Latest Insights

How can we help you

Send an inquiry

Call Us +49 211 2370770

Mo – Fr 8:00 – 17:00