Today I'm working on the Integration of IBM's Cryptography solutions for long term archiving in Content Management Solutions like FileNet Image Services.
The idea is to encrypt confidential documents on the desktop using SFED (Secure File Encryption for Desktops) and than post them to the Document Archive.
This design poses many organizational questions :
What if the person who encrypted the file forgot the password ?
In that case, there are two main possibilities:
1. Use a Password Store
or
2. Allow for password recovery. An Administration Interface allows to recover the password. This requires, in addition to the technology, a strong real life procedure such that the password recovery tool isn't misused.
In SFED, the Security Domain of the documents determines if password recovery is possible or not.
What garantees that one can decrypt the document within 10 years from now ?
The combination of the use of encryption standard like Encryption AES, HMAC-SHA-512 or PKCS#12 and IBM's promises to stay in Business...
How to avoid that people use the same password for unrelated files ?
(If this password would be revealed for a file, all the other files would be at risk)
This is an organizational and security governance issue... You need to learn your end users not to put their passwords on a post-it on the workstation's desk. Security is not only technology...
No comments:
Post a Comment