IT staff hold firms hostage with encryption keys

23 May 2011

Some 40pc of IT workers have admitted they could hold their employers hostage – even after they’ve left for other jobs – by withholding or hiding encryption keys.

To prove this, 4pc of management claim to have been denied access to information because they can’t find their encryption keys.

A third of respondents to a survey by Venafi said their knowledge of and access to encryption keys and certificates, used for both system authentication and data protection, means they could bring their companies to a grinding halt with minimal effort and little to stop them. This is due to lack of oversight and poor management of their organisations’ encryption keys.

They claim that even after they have left they still could cause havoc with their knowledge of the encryption keys, shared passwords and weak controls. Some 40pc of respondents admitted they would still have access to vital information and could manipulate it to their own ends – both to their company’s financial and reputational detriment. 

Some 31pc said they could still access organisational data because they could easily retain the encryption keys when they left and access the information remotely.

Finally, 24pc of respondents to the survey admitted their fear of losing encryption keys is what is deterring them from investing in encryption key and certificate solutions to protect digital assets and secure sensitive system communications.

The survey shows that 82pc of companies now use digital certificates and encryption keys, however, 43pc admit to being locked out from their own information – because people have left the organisation or keys are lost – and 76pc would use automation if they knew it existed.

These same companies are unaware of how to manage their keys and certificates, leaving them exposed to unplanned system outages, security risks and reduced access to critical data.

Encryption is no longer rocket science

“It’s a shame that so many people have been sold encryption but not the means or knowledge to manage it,” said Jeff Hudson, Venafi CEO.

“They have found out the hard way – after being locked out from their own information – that they need an automated solution to manage the thousands of keys and certificates they have. Once the data’s protected with encryption, the key becomes the data and the thing that must be managed and protected.

“Key encryption is only half the solution. IT departments must track where the keys are and monitor and manage who has access to them. What this survey reveals is that organisations need to quickly come to terms with how crucial encryption keys are to safeguarding the entire enterprise, as well as the heightened need for automated key and certificate management with access controls, separation of duties and improved polices.

“It’s no longer rocket science. Yet recent, costly breaches at Sony, Epsilon and elsewhere reinforce the need for both more encryption and effective management. There are some great solutions on the market that can manage and automate these assets at a click of a switch.”

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years

editorial@siliconrepublic.com