Today I read a short though interesting article on the Government Computer News site titled "Five encryption tips from NIST". For me this article was quite timely as I had spent last week in Beijing teaching IBMers and business partners about a number of Tivoli security solutions, including Tivoli Key Lifecycle Manager (TKLM). I've added a few annotations below on each of the points raised by NIST.
- Consider solutions that use existing features and infrastructure of your information technology systems.
Using existing features is clearly a great idea for reducing complexity, and it also has performance benefits. For example, the overhead of hardware encryption capabilities in IBM's latest tape and disk storage solutions is negligible.
- Use centralized management for all deployments of storage encryption except for stand-alone and very small-scale deployments.
This is exactly the area that TKLM addresses.
- Ensure that cryptographic keys are secured and managed properly.
Again, this is a consideration that TKLM addresses. Emerging standards efforts such as the Key Management Interoperability Protocol (KMIP) will make things even better.
- Select appropriate user authenticators.
I found this one out of context compared to the rest of the article, but the point is valid. User authentication is at the forefront of the trade-off between security and convenience. Authentication technologies change and consumers of user authentication should be flexible so that they can incorporate different authentication technologies over time.
- Take steps that support and complement encryption implementations.
Great points from NIST here. Technology alone is not the answer. People, partners and process should not be forgotten.