Data leaks can ruin an organization's reputation, expose it to draconian fines and even result in expensive legal tussles. In an effort to defend against the explosion of threats enterprises face, many are deploying encryption on a vast scale, installing tens or hundreds of thousands of SSL/TLS certificates and encryption keys to secure valuable data.

However, with everyone exposed to encryption today, especially in business, it is increasingly untenable for one central team to manage the escalating number of encryption assets across the whole infrastructure.

This means that, rather than enterprise key and certificate management (EKCM) remaining the domain of a technical expert, it is instead being delegated to business owners. And it is this trend that is causing organizations to lose sleep – and data!

Simple Complexity

From a logical point of view it would make sense for the business owner of the data to determine its value to the organization and how to protect it. However, EKCM is complex, even for those working within IT. For the average user, it might as well be a foreign language.

For a start there are hundreds of different companies providing PKI services (public key infrastructure: the set of hardware, software, people, policies and procedures needed to create, manage, distribute, use, store and revoke digital certificates). Even internally within an organization there can be dozens of different technologies that have to be managed.

Next is the language, which has historically been the domain of the technical expert. It is a minefield of CAs, VAs and RAs (certificate, validation and registration authorities) offering SSL certificates, DNs and CNs (distinguished names and common names) and hashing algorithms, and that is just the tip of the acronym iceberg. For someone who lives, eats and breathes IT it is complex; for average users who have to deal with it once, or perhaps twice, a year as certificates come up for renewal, it is mind blowing. And, to add to the melting pot, every system has its own unique way of requesting the relevant information.

In summary, the problem is that all too often the user is faced with a very complex interface, littered with acronyms, requesting a myriad of information that changes from supplier to supplier, leaving non-technical users confused and frustrated.

Complexity Made Simple

There are companies that offer a subscription service that facilitates the purchase of certificates from each of the various certificate authorities.

However, even this is complex, as the user is eventually just given access to the portals of the various vendors, albeit from a central point. They then still have to decipher each site, separate the relevant information from the marketing hype, and work out which piece of information goes in which field.

With all of the different acronyms and idiosyncrasies, this is easier said than done.

It is time the PKI industry took a leaf out of the banking sector's book. Once it became possible to withdraw money from a "hole in the wall," banks could not present users with the whole banking system; instead it had to be a simple interface that anyone on the street could use.

An ATM, on the face of it, is just that. It asks in plain English what the user wants and gives it to them.

Imagine how different it would be if the average person on the street had to navigate the entire complex banking system powering these interfaces in order to withdraw cash, and if it changed from machine to machine.

Banks couldn't afford to have someone standing next to each device explaining how to withdraw money. Instead it had to be simple, intuitive, serve the purpose and be reliable.

Keeping it Neat and Tidy

Organizations want average users to take ownership of their encryption assets, but that means giving them the means to manage encryption. It is impractical to train non-technical users to work with complex systems, especially ones that vary across multiple vendors, for occasional use. It all has to be logical and it all has to be simple.

  • Make it easy to manage – just like an ATM, EKCM needs a single generic interface where users can request and receive certificates, regardless of provider.
  • Secure access – as long as people are involved there is always risk. The private keys that go with certificates must be kept secure: anyone who obtains one can impersonate the system it belongs to and access the confidential information it protects. Direct administrative access to private keys should be eliminated wherever possible.
  • Keep it tidy – keep certificate validity periods to a maximum of one year, and track expiry dates so that renewals are never missed. Organizations should also be managing revocations themselves, to ensure that they are protected, rather than relying on third parties to do it for them!
  • Close security holes – do you know where every hole is that malware can sneak in through? Probably not. Malware looks to hide itself among the tens of thousands of certificates in the infrastructure, and a certificate or key that nobody is tracking is exactly the tiny hole it needs.
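
The list above states the hygiene rules but not how to check tens of thousands of certificates against them. What follows is an added example, not code from the article or from Venafi: a small Go program, standard library only, that audits a PEM bundle of certificates against the one-year validity rule and reports certificates that are already expired, due for renewal, or issued by an authority the organization does not recognize (the untracked kind the last bullet warns about). The inventory it scans is constructed on the fly (an internal CA named "Corp Internal CA", four leaf certificates and one self-signed appliance certificate, none of them real); the 30-day renewal window, the issuer allow-list keyed by Common Name and all the host names are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Policy: MaxValidity is the article's "keep it tidy" rule (no certificate valid
// for more than a year); the renewal window and issuer allow-list are assumptions.
type Policy struct {
	MaxValidity, RenewWithin time.Duration
	KnownIssuers             map[string]bool // approved issuer Common Names
}

// Finding is one policy violation for one certificate in the inventory.
type Finding struct{ Subject, Code, Detail string }
var DefaultPolicy = Policy{365 * 24 * time.Hour, 30 * 24 * time.Hour, map[string]bool{"Corp Internal CA": true}}

// Audit walks a PEM bundle (the inventory) and returns every policy violation in
// bundle order. A block that is not a readable certificate is reported, not dropped.
func Audit(bundle []byte, now time.Time, p Policy) []Finding {
	var out []Finding
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil { // covers corrupt certificates and stray PRIVATE KEY blocks alike
			out = append(out, Finding{block.Type, "unreadable", err.Error()})
			continue
		}
		cn := cert.Subject.CommonName
		if v := cert.NotAfter.Sub(cert.NotBefore); v > p.MaxValidity {
			out = append(out, Finding{cn, "validity-too-long", fmt.Sprintf("valid for %d days, policy maximum is %d", int(v.Hours()/24), int(p.MaxValidity.Hours()/24))})
		}
		if left := cert.NotAfter.Sub(now); left < 0 {
			out = append(out, Finding{cn, "expired", "expired on " + cert.NotAfter.Format("2006-01-02")})
		} else if left < p.RenewWithin {
			out = append(out, Finding{cn, "renew-soon", fmt.Sprintf("expires in %d days", int(left.Hours()/24))})
		}
		if !p.KnownIssuers[cert.Issuer.CommonName] {
			out = append(out, Finding{cn, "unknown-issuer", "issued by " + cert.Issuer.CommonName + ", not an approved CA"})
		}
	}
	return out
}

// Everything below builds constructed fixtures: throwaway certificates generated
// for this example, not real ones. issue makes a P-256 key and a certificate for
// cn valid from notBefore for validDays; with parent == nil it is self-signed.
func issue(cn string, notBefore time.Time, validDays int, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, []byte) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // crypto/rand.Reader does not fail
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notBefore.AddDate(0, 0, validDays),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true}
	signer, signerKey := parent, parentKey
	if parent == nil { // self-signed: the certificate is its own (CA) issuer
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
		signer, signerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err) // a failure here is a bug in the fixture template, not a runtime condition
	}
	return tmpl, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// SampleInventory builds the fixture relative to now: an approved internal CA,
// four leaves it issued, and a self-signed appliance certificate nobody registered.
func SampleInventory(now time.Time) []byte {
	day := func(n int) time.Time { return now.AddDate(0, 0, n) }
	ca, caKey, bundle := issue("Corp Internal CA", day(-100), 360, nil, nil)
	for _, l := range []struct {
		cn          string
		start, days int
	}{
		{"web.corp.example", -30, 330},     // clean
		{"legacy.corp.example", -100, 730}, // two-year validity breaks the one-year rule
		{"old.corp.example", -400, 365},    // expired 35 days ago but still deployed
		{"vpn.corp.example", -345, 365},    // 20 days from expiry
	} {
		_, _, p := issue(l.cn, day(l.start), l.days, ca, caKey)
		bundle = append(bundle, p...)
	}
	_, _, rogue := issue("rogue-appliance", day(-10), 90, nil, nil)
	return append(bundle, rogue...)
}

func main() {
	now := time.Now().UTC()
	for _, f := range Audit(SampleInventory(now), now, DefaultPolicy) {
		fmt.Printf("%-22s %-18s %s\n", f.Subject, f.Code, f.Detail)
	}
}
```

Run it with go run and each finding prints as subject, code and detail. Point Audit at a real bundle (for example the concatenated certificates exported from your load balancers and key stores) and the same checks apply. The one-year figure is the article's; public CAs today issue TLS certificates for at most 398 days and the limit keeps shrinking, so set MaxValidity to whatever your own policy says. Revocation tracking, the other half of the "keep it tidy" bullet, needs your CA's CRL and is not covered here.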

The time has come to decipher the black art of keeping data secure, remove the secrecy, confusion and complexity associated with the practice, and instead allow users to focus on the essentials: acquiring, renewing and cancelling certificates, and protecting their data.

Calum MacLeod is EMEA director for Venafi in Sandy, Utah.

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.