Art of Information Security

Random Insights on Protecting Data, Privacy, and Digital Infrastructure

What do you want to know about Cryptography in the Enterprise?

January 3, 2008

I am working on a presentation entitled “Lessons Learned Deploying and Managing Enterprise Cryptosystems”. I will be presenting this at Information Security World 2008. In the 45 minutes I have for the presentation, it is my goal to touch on several key lessons learned in my work with cryptographic controls over the past several years. Cryptosystems is a broad topic, and can include not only techniques (encryption, digital signatures, timestamps), but also key management and implementation issues. There is a lot of material that I have available to draw from, and I want to make sure that the presentation includes the most valuable and relevant points that it can. After giving a presentation, there is almost nothing more disappointing than reviewing the feedback forms only to find out what people really wanted to know. This is especially disappointing if it is material you could have easily included…

I would love to know what kinds of questions you have and would like to see addressed.

In addition to your question, please provide a little context, such as:

- What are the drivers for your use of cryptographic controls (data protection, compliance, etc.)?
- Will your deployment be externally audited?

Cheers,
Erik

Cross-posted on LinkedIn.

Categories
Cryptography, News and Info
Tags
Audit Preparation, Cryptography, Key Management


One Response to “What do you want to know about Cryptography in the Enterprise?”

  1. Magid says:
    January 19, 2008 at 12:43 am

    Hello Erik,

    I tried adding an answer on LinkedIn but it seemed closed out, so here is my comment instead:

    Having worked on making my organization meet PCI-DSS requirements for data encryption, I faced some challenges, one of which is the topic of key rotation. Encryption keys are as good as they’re rotated. Allowing for key rotation, be that every 2 or 4 years even, would help keep cryptographic controls strong as well as auditors happy. How to achieve that, without disrupting normal operations, and at a reasonable cost is most certainly a challenge.

    I look forward to your next podcast!

    Cheers,
    -Magid

    Magid Latif, CISSP
