This is an excerpt of Vormetric’s whitepaper: Simplifying IT Operations Securing and Controlling Access to Data Across the Enterprise . http://enterprise-encryption.vormetric.com/data-security-policy-and-encryption-key-management-white-paper.html The Whitepaper outlines the challenges of enterprise key management and details ways to minimize the risk. This whitepaper from Vormetric on Key management strategy strives to provide the reader with an understanding, not only of the importance of key management, but of its evolution. Additionally, understanding that companies today require actionable information, the paper provides the reader with a set of criteria for key management as well as an understanding of the challenges that may be faced. This is followed by a review of the recent industry initiatives and compliance regulations that are shaping the future of key management strategy. Lastly, the paper describes Vormetric’s Key Management, a component of the Vormetric Data Security product family. According to the whitepaper, encryption key management should meet four primary criteria: 1. Security – In implementing a comprehensive data security strategy, organizations are well- advised to consider the security of the encryption keys. Improper key management means weak encryption, and that can translate into vulnerable data. 2. Availability – In addition to being secure, the keys must ensure that the data is available when it is needed by the system or user. Key management practices that add complexity can decrease availability or add overhead to the network. That results in damage to the over efficiency of the network. 3. Scalability and Flexibility – Growth and change are inevitable in an organization. The key management solution should be able to address heterogeneous, distributed environments so as not to hamper either growth or change. 4. Governance and Reporting – Reporting is essential to proper institutional governance. Often, third party entities (be they customers or regulatory authorities) will request, and in some cases mandate, proper governance and reporting of key management. That means implementing and enforcing things like separation of duties, authorization process and key lifecycle management.

1. Whitepaper Brief: Security Policy and Key Management from Vormetric
Security Policy and
Key Management
Centrally Manage Encryption Keys
Oracle TDE, SQL Server TDE and Vormetric
Download Whitepaper

2. Whitepaper Brief: Security Policy and Key Management from Vormetric
Click-to-Tweet
Download the Complete Whitepaper
The Importance of Encryption Key Management and Data Protection
Encryption key management can often prove to be challenging in environments that have ad hoc encryption solutions.
While ad hoc implementations often serve the objectives of the organization, they can make comprehensive key
management, and therefore effective data protection, more difficult. As the old adage goes, a chain is only as
strong as its weakest link. For encryption implementations, that link is more often than not, key management. Poor key
management can be deleterious in any number of ways. Not only is key management required to ensure the integrity
of the encryption system but various regulations and industry standards affect key management. These include: the
PCI DSS, GLBA, and HIPAA HITECH to name but a few. Addressing enterprise-level key management is a vital
component of a comprehensive data protection strategy.
Vormetric’s whitepaper: Simplifying IT Operations: Securing and Controlling Access to Data Across the Enterprise outlines
the challenges of enterprise key management and details ways to minimize the risk. Whether companies are using
integrated key management systems, third party systems, or a combination of both, IT personnel are challenged to
efficiently and securely manage the keys while still handling their day to day responsibilities. Adding to management’s
headaches are the results of a survey in which it was revealed that 40% of IT staff felt they could “hold their employer
hostage” by making it difficult or impossible to access vital data by withholding or hiding encryption keys. Without a
centralized system of encryption key management, security administrators are faced with costly, inefficient, and often
impossible task.
Encryption Key Management: Primary Criteria
According to the whitepaper, encryption key management should meet four primary criteria:
1. Security – In implementing a comprehensive data security strategy, organizations are well- advised to
consider the security of the encryption keys.
2. Availability – In addition to being secure, the keys must ensure that the data is available when it is
needed by the system or user.
3. Scalability and Flexibility – The key management solution should be able to address heterogeneous,
distributed environments so as not to hamper either growth or change.
4. Governance and Reporting – Reporting is essential to proper institutional governance. Often, third
party entities (be they customers or regulatory authorities) will request, and in some cases mandate,
proper governance and reporting of key management.
The Evolution of Key Management
The whitepaper strives to provide the reader with an understanding, not only of the importance of key management,
but of its evolution. Additionally, understanding that companies today require actionable information, the paper provides
the reader with a set of criteria for key management as well as an understanding of the challenges that may be faced.
Lastly, the paper describes Vormetric’s Key Management, a component of the Vormetric Data Security product family.
In an era of rampant litigation and regulation around the loss of personal data, and even the loss of corporate data
as that can impact shareholder value, proper implementation of security technologies and practices is of paramount
importance. As stated in the paper, “These attacks can have dire consequences for the enterprises under siege, resulting
in substantial loss of revenue, massive fines, and degraded customer trust.” As the threat landscape evolves into one
ripe with Advanced Persistent Threats and Hacktivists, companies must remain vigilant against both intentional and
accidental access and misuse of sensitive data. Encryption with strong key management remains the most effective way
to protect against the advancing threats.