This article estimates the cost of the TJX breach to be about $1.6 Billion. That's a big number. It also points to this article, which suggests the core of the compromise may be related to poor encryption key management. Read that last sentence again. $1.6 Billion because of poor encryption key management. That's amazing to me.
I've spent nearly a decade building identity and access management solutions, some of which seem very complex. In addition to identity and access management, security infrastructures have perimeter security (firewalls), intrusion detection, anti-virus, anti-spam, anti-malware, etc. How often have you heard people focused on building strong encryption key management? Probably not enough. I have to admit that I didn't think much about key management before a key management solution became part of my portfolio. It's a very interesting organizational challenge. It's frightening how insecure systems can be -- even if they have strong data encryption. How the encryption keys are managed is probably more important than the strength of the encryption itself. Yet, prior to joining RSA, I had never heard IT managers talking about their encryption key management projects. And it seems like such a simple thing.
Think about it. If all of the data for 45.7 million users is protected with a single encryption key, and that key is stored in plain text somewhere on the network, then the strong 2048-bit AES algorithm used to encrypt the data really can't be that effective. And each place where encryption is happening throughout an organization probably has another key sitting somewhere -- on a dev server? on a CD in a drawer? in a spreadsheet? Not good. If your organization has this problem, get your arms around it. Solutions are available that allow you to use strong keys, rotate keys regularly, distribute keys securely and ensure that you'll have the right key when you need it for decryption (even years down the road).
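To make the last two points concrete (regular rotation, and still having the right key years later), here is an added example of a versioned key ring; it is illustrative code written for this post, not a product's or RSA's implementation. It assumes a simple record format of a 4-byte key version, a 12-byte nonce and AES-256-GCM ciphertext, so that each stored record names the key that protects it and rotation never strands old data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// KeyRing keeps every key version ever issued (version n is keys[n-1]), so a record
// encrypted under a retired key still decrypts after any number of rotations.
type KeyRing struct{ keys [][]byte }

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not recoverable
	}
	return b
}

// Rotate issues a fresh 256-bit key and makes it current; old versions stay for decryption.
func (kr *KeyRing) Rotate() uint32 {
	kr.keys = append(kr.keys, randBytes(32))
	return uint32(len(kr.keys))
}
func gcm(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // keys are always 32 bytes, cannot fail
	g, _ := cipher.NewGCM(block)   // AES block size is 16, cannot fail
	return g
}

// Encrypt returns version(4) || nonce(12) || AES-GCM ciphertext+tag under the current
// key; the version header is bound into the tag as AAD so it cannot be swapped later.
func (kr *KeyRing) Encrypt(plaintext []byte) ([]byte, error) {
	cur := uint32(len(kr.keys))
	if cur == 0 {
		return nil, fmt.Errorf("no key issued yet: call Rotate first")
	}
	g := gcm(kr.keys[cur-1])
	hdr := append(binary.BigEndian.AppendUint32(nil, cur), randBytes(g.NonceSize())...)
	return g.Seal(hdr, hdr[4:], plaintext, hdr[:4]), nil
}

// Decrypt selects the key named in the header; an unknown version is an error, not a panic.
func (kr *KeyRing) Decrypt(record []byte) ([]byte, error) {
	if len(record) < 16 {
		return nil, fmt.Errorf("record too short")
	}
	v := binary.BigEndian.Uint32(record[:4])
	if v == 0 || v > uint32(len(kr.keys)) {
		return nil, fmt.Errorf("key version %d is not in the key ring", v)
	}
	return gcm(kr.keys[v-1]).Open(nil, record[4:16], record[16:], record[:4])
}
```

In a real deployment the key ring itself is what must live in an HSM or a key manager rather than on a dev server or in a spreadsheet; the versioning shown here is what lets you retire and rotate keys without losing the ability to decrypt old records.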