A few weeks ago, I was on a call with a security analyst when the subject of private keys came up. I’ve always taken for granted that everyone in the IT sector understands that as part of certificate management it is also critical to manage the private keys associated with those certificates. The analyst stopped the conversation on the spot and made it clear we can’t make this assumption for two reasons: 1) very few administrators realize that managing certificates also requires the management of private keys, and 2) not many people — even in IT — understand how critical the security of private keys is in protecting sensitive data.
If you’ve ever heard me present, you’ve heard me use the phrase “the key is the data,” a phrase and concept I take directly from my friend Marc Massar, who knows more than a little bit about encryption. The point is that if you protect data by encrypting it with a certificate, the private key becomes the most essential data you then have to protect. The encrypted data is effectively useless without the key, but if the wrong person gets that key, the data is at risk.
Surprisingly, even as a company that works with some of the largest financial institutions on the planet, we see certain vulnerabilities crop up again and again when the proper care and management of these keys is not taken seriously. Despite mission-critical data and some of the industry’s most advanced encryption schemes, we continually see these common mistakes:
Administrators don’t have a reliable and comprehensive inventory of their keys and certificates, making proper management of the keys impossible. Failure to manage certificates and private keys properly can result in unexpected system failures and costly downtime.
Administrators often use a single keystore password for multiple systems (sometimes even hundreds) because the passwords are embedded in numerous applications. This makes it cost-prohibitive to follow password rotation best practices and negates separation of duty requirements.
Administrators have direct access to keystores and the passwords that protect them, which creates a risk they could make copies of private keys. These are the keys that can decrypt the organization’s data. The organization must keep them secure.
Many (if not most) organizations do not replace private keys when administrators move to a new department or leave the organization, extending the risk of a breach.
Many organizations are unaware of the existence of encryption management platform software that helps them comply with best practices and industry regulations efficiently, and ensures that certificates never unexpectedly expire. This one step is essential, and neglecting it has cost organizations millions of dollars in downtime, loss of customer confidence, or fraud.
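As an added example (not code from the original post or its author), this is the kind of inventory check that catches three of the mistakes above: it pairs each certificate with its private key, flags certificates that expire within a given window, and flags key files readable by anyone other than their owner. It assumes openssl is on PATH and a flat directory where each NAME.crt sits beside its NAME.key; both are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: a small inventory audit over a
# directory of PEM files. Assumes openssl is on PATH and that each certificate
# NAME.crt sits beside its private key NAME.key (both naming rules are assumptions).

# SHA-256 of the DER SubjectPublicKeyInfo taken from a certificate.
spki_fp_cert() {
  openssl x509 -in "$1" -noout -pubkey 2>/dev/null \
    | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'
}
# The same fingerprint derived from a private key, so the pair can be matched.
spki_fp_key() {
  openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'
}
# "ok" when the key file really is the private half of the certificate.
key_matches_cert() {
  openssl x509 -in "$1" -noout 2>/dev/null && openssl pkey -in "$2" -noout 2>/dev/null \
    || { echo UNREADABLE; return; }
  if [ "$(spki_fp_cert "$1")" = "$(spki_fp_key "$2")" ]; then echo ok; else echo MISMATCH; fi
}
# "ok" when the certificate is still valid $2 days from now (default 30).
expiry_status() {
  if openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null 2>&1; then
    echo ok; else echo EXPIRING; fi
}
# "ok" when only the owner can read the key; any group/other read bit means a
# copy can be taken by anyone who gets a shell on the host.
key_perms() {
  case "$(ls -ld "$1" | cut -c5-10)" in *r*) echo EXPOSED ;; *) echo ok ;; esac
}
# One line per certificate: the inventory the post says administrators lack.
inventory() {
  for crt in "$1"/*.crt; do
    [ -e "$crt" ] || continue
    key="${crt%.crt}.key"
    if [ -f "$key" ]; then
      printf '%s expiry=%s key=%s perms=%s\n' "$(basename "$crt")" \
        "$(expiry_status "$crt" "$2")" "$(key_matches_cert "$crt" "$key")" "$(key_perms "$key")"
    else
      printf '%s expiry=%s key=MISSING\n' "$(basename "$crt")" "$(expiry_status "$crt" "$2")"
    fi
  done
}
```

Point `inventory` at a directory and an expiry window in days; every line that does not read ok on all three fields is a certificate or key to act on first.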
In a recent real-world situation, the failure of a single password caused the entire network to shut down at a major national bank. By the time the outage was corrected, it had cost millions of dollars, even though it had occurred near the end of the day. Private key management may seem like a peripheral issue, but failure to recognize and protect these “keys to the kingdom” could cost millions, not to mention an IT person’s job.